To determine whether to proceed with a full risk assessment, an overview of the new or changed dynamic is required. Areas to consider include:
The cause for the change
The potential effect
The rationale for the change
Who is triggering the change
Based on an understanding of the change in dynamics, identify the potential risks to the company. These risks may be ongoing risks that have already been addressed or may be new risks. Outline both IT and business risks.
When the risks have been defined, a cursory review should be completed to determine which risks have already been addressed, with controls implemented through prior efforts, and which risks are new and have not been formally reviewed in the past.
For each risk identified, consider both the risk description and the potential cost of the risk. If the risk has been previously analyzed, summarize the previous review results.