Risk Assessment

Our clients increasingly rely on information, information assets and IT systems to achieve their business goals and objectives. Information security risk management has become a key enterprise risk. An effective risk management process is an important component of a successful information security management system. The principal goal of an organization’s risk management process is to identify, assess, and mitigate key risks in order to protect its assets, brand, and reputation.

Risk management is the process of identifying, controlling, and mitigating information system-related risks. It involves identifying vulnerabilities and threats to the information assets our clients use to achieve their business objectives, and deciding what countermeasures, if any, should be taken to reduce those risks to an acceptable level.


Numerous risk management models exist. This is a short primer on risk management as defined by the ISO 33000 standard.


Understanding Risk Treatment and a decomposition of the Risk Treatment Plan


An effective IT risk management program identifies and quantifies all risks, not just compliance-related risks, and establishes formal, end-to-end risk management processes. Because IT risk management covers a wider spectrum of risk, a robust risk management program allows you not only to mitigate or avoid losses but also to support critical decision-making by evaluating uncertain events that could positively affect your business. IT risk management will also help you identify emerging risks more quickly and improve the capabilities of the risk management system to handle them.

Our Risk, Audit, and Compliance practice will assist you in adopting an enterprise-wide approach to analyzing and prioritizing IT risks and aligning them with your strategic goals.

IT security risks include the possibility of business damage due to loss of confidentiality, integrity, or availability of information. Brier & Thorn will provide the basis to build or refine the most appropriate information security program for your organization. This service scopes your project individually and uses the best approach for your business — customized and scaled appropriately.

The foundation of the service is Brier & Thorn’s proven methodology, which combines elements from best practices such as ISO, NIST and OCTAVE. As experts in complex risk assessment, we will wade through your risk challenges and help you assess the critical elements.

The assessment includes key activities such as:

  • Discovery
  • Control Assessment
  • Threat Assessment
  • Risk Formulation
  • Asset Classification
  • Vulnerability Discovery
  • Impact and Likelihood Assessment

Each assessment concludes with a full risk assessment report, including priorities, recommendations and a full narrative of our findings. We will present the findings to your team to help guide decision-making that is in-line with your risk posture.

Understand your risk posture: A baseline risk assessment is required by multiple compliance regimes across industries. You’ll gain an understanding of your risk posture through an identification of your key assets and systems, policies, procedures and controls across business units.

Identify costs and inefficiencies: The risk assessment will also estimate potential damages and the possibility of threats, in order to help your organization decide how to take action to reduce the identified risks. The assessment will help guide your decisions for return on investment, budget allocation, controls and efficient utilization of resources.

Address Emerging Threats: Your business needs to move with the fast pace of technology to serve your customers best. A Brier & Thorn risk assessment will help you identify these emerging threats and help your organization plan for secure scalability and cost reduction when reviewing new vendors and technologies.

Regulatory Compliance Baseline: Your organization likely has to comply with at least one, if not many, regulatory compliance standards. Well-known standards such as HIPAA, ISO, PCI-DSS, and FISMA each require a baseline risk assessment. A Brier & Thorn risk assessment can help meet this need across industry standards.

We follow our own unique assessment methodology – a combined approach that puts the right seasoned expert on the project, with the right level of analysis. Our consultants will work with your teams to ensure that the assessment includes the right stakeholders, assets and controls for the need at hand. This close working relationship yields the most productive results. We’ll provide you with a full report of the engagement, including:

  • Priority ranked risks to your business
  • Risk mitigation recommendations
  • Decision support consulting
  • Business discovery
  • Threat environment discovery
  • Observed best practices

IT risk management provides a framework to understand and respond to business uncertainties and opportunities with relevant risk insight delivered through common, integrated risk identification, analysis and management disciplines. IT risk management enhances organizational resiliency by improving decision making, strengthening governance and supporting a risk intelligent culture.

Brier & Thorn believes in a phased and structured approach to implementing risk management so that our clients can develop baseline frameworks that can be expanded and enhanced over time.



The risk assessment process encompasses three main activities that our advisors perform:

  • Risk Assessment: Identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures
  • Risk Mitigation: Prioritization, implementation, and maintenance of appropriate risk-reducing measures recommended from the risk assessment process
  • Continual Evaluation: Ongoing evaluation of the treated risks

Our advisors perform risk assessments according to the ISO 27005 standard framework, which drives all security planning, analysis, and design activities later in the risk management lifecycle. The ISO 27005 standard provides guidelines for information security risk management that support the requirements of an ISMS as defined by ISO 27001.

A risk assessment is a driving factor in our clients’ businesses: it keeps the risks associated with the collection, processing, and storage of information under management through:

  • cost-benefit analysis and the selection, implementation, testing, and evaluation of security controls;
  • an overview of information risk management and its components;
  • ensuring the risk assessment process is in perspective with enterprise risk management, business continuity, and compliance assessments; and
  • an overall system security review that considers both effectiveness and efficiency, including impact and constraints due to policy, regulations, and laws.

Our methodology for performing a risk assessment under our proprietary risk management model follows a process of identifying the vulnerabilities and threats to information assets. It equips our clients with the information they need to make informed decisions about their risk profile, so that risk can be treated to a level the business finds acceptable.

The risk assessment approach our advisors implement includes identification of information assets, performing a subsequent asset valuation; identification of threats, vulnerabilities, and risk; and a subsequent risk treatment approach where the client decides which action is needed to bring the risk to an acceptable level.

A risk assessment brings support in strategic and business planning, identifies the need for capital expenditure/budgets to be allocated to control certain risks, promotes continuous improvement of the ISMS, and demonstrates that the client is following the PDCA cycle in the continuous identification, assessment, and control of IT risks.

Asset Valuation

Asset valuation, based on the business needs of an organization, is a major factor in our risk assessment methodology. In order to identify the appropriate protections for an asset, it is necessary to assess its value in terms of its importance to the business or its potential value given certain opportunities. The values assigned are relative to the impact that a loss of confidentiality, integrity, or availability could have on the business of our clients.

Threat Identification

Threats are any circumstance or event with the potential to cause harm to an information asset. The goal of threat identification is to identify the potential threat-sources and compile a threat group listing of potential threat-sources that are applicable to the information assets being evaluated.

Vulnerability Identification

A vulnerability is a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised by a threat resulting in a security breach or a violation of the client’s security policy. The analysis of the threat to an information asset must include an analysis of the vulnerabilities associated with the organization’s environment.

Threat-Vulnerability Analysis

Threat-vulnerability analysis is the process of multiplying the threat group rating by the corresponding vulnerability rating (the TR*V rating). It is paired with Threat-Vulnerability Applicability, the process of identifying which threat groups apply to each information asset class. Together these steps ensure that, for each asset, only the applicable threat-vulnerability pairs are rated, and that a rating is calculated for what would happen should such a pair be realized against the asset.

Brier & Thorn’s advisors perform both asset-based and scenario-based risk assessments against client assets. A scenario-based risk assessment is the process of computing the risk exposure level by identifying scenarios applicable to the asset class and multiplying the likelihood and impact of the scenario. A scenario is the description of a threat exploiting a certain vulnerability in an information security incident.

The risk calculation in asset-based risk assessments computes the risk rating by multiplying the asset class value by the final threat and vulnerability rating for the asset class: Risk Rating = (Asset Class Value) * (Final TR * V).

Once the risk has been calculated, any assets above the acceptable risk level for the client must be treated. Several risk treatment options exist:

  • Accept/Retain: Risk retention means that the client has decided to continue doing business with a particular risk, operating as-is;
  • Transfer: The client can transfer the risk to other agencies by shifting all or part of the risk to other parties by using options such as purchasing insurance coverage or having an agreement/AMCs with third-party vendors;
  • Avoid: The client can avoid the risk by eliminating the cause of the risk or by not proceeding with the activity that leads to the risk; and
  • Mitigate/Reduce: The risk can be mitigated by the client, developing a plan that prioritizes, implements, and maintains controls to reduce either the likelihood of the risk occurring, the consequences of the risk, or both.
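As an added illustration of the asset-based calculation, the acceptable-risk threshold and the Mitigate/Reduce option described above (this is not Brier & Thorn’s own tooling): the 1-5 rating scales, the choice to take the highest applicable TR*V as the final rating for an asset class, and the sample register are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Assumed for this illustration: 1-5 rating scales and "max over applicable pairs" as the final rating.

@dataclass(frozen=True)
class ThreatVulnPair:
    threat_group: str
    threat_rating: int          # TR, threat group rating
    vuln_rating: int            # V, vulnerability rating
    applies_to: frozenset       # asset classes this pair applies to (applicability)

@dataclass(frozen=True)
class AssetClass:
    name: str
    value: int                  # asset class value from asset valuation

def tr_v_rating(pair):
    """TR*V rating of one threat-vulnerability pair."""
    return pair.threat_rating * pair.vuln_rating

def final_tr_v(asset, pairs):
    """Final TR*V for an asset class: highest applicable pair rating (assumed), 0 if none apply."""
    return max((tr_v_rating(p) for p in pairs if asset.name in p.applies_to), default=0)

def asset_risk_rating(asset, pairs):
    """Risk Rating = (Asset Class Value) * (Final TR * V)."""
    return asset.value * final_tr_v(asset, pairs)

def risks_needing_treatment(assets, pairs, acceptable_level):
    """Asset classes rated strictly above the client's acceptable risk level."""
    return {a.name: asset_risk_rating(a, pairs) for a in assets
            if asset_risk_rating(a, pairs) > acceptable_level}

def mitigate(pairs, threat_group, new_vuln_rating):
    """Mitigate/Reduce: a control lowers V for one threat group; returns the treated register."""
    return [replace(p, vuln_rating=new_vuln_rating) if p.threat_group == threat_group else p
            for p in pairs]

# Constructed sample register (not real client data)
ASSETS = [AssetClass("customer-db", 5), AssetClass("public-website", 2), AssetClass("hr-laptops", 3)]
PAIRS = [
    ThreatVulnPair("external attacker", 4, 4, frozenset({"customer-db", "public-website"})),
    ThreatVulnPair("malware", 3, 2, frozenset({"hr-laptops", "customer-db"})),
    ThreatVulnPair("device theft", 2, 5, frozenset({"hr-laptops"})),
]

if __name__ == "__main__":
    print(risks_needing_treatment(ASSETS, PAIRS, acceptable_level=30))
    print(risks_needing_treatment(ASSETS, mitigate(PAIRS, "external attacker", 1), 30))
```

Note that an asset rated exactly at the acceptable level (hr-laptops at 30 here) is not flagged, and that lowering one vulnerability rating only reduces an asset's risk if that pair was the one setting its final TR*V.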



Client Results

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

Badger Meter secures smart meter SaaS platform with help from Brier & Thorn in development of new ISMS, ISO 27001 certification, and SOC 2 Type 1 attestation

Badger Meter strengthens IT security by retaining Brier & Thorn to build new ISMS, later receiving ISO 27001 certification and SOC 2 attestation.

E&P company selects Brier & Thorn to perform risk assessment of enterprise business and oil assets

Large upstream and midstream E&P company with assets in domestic oil basins retains Brier & Thorn to perform risk assessments of its business and oil assets.