Process 3: Evaluate Mitigation Progress and Plan Next Assessment

Step 1: Evaluate mitigation progress and success.

Progress on the risk mitigation plans should be evaluated periodically. Depending on the extent of the mitigation plan, progress might be reported monthly for shorter-term plans or annually for longer-term plans. Reports should be provided to the administrative-level sponsor of the risk assessment.

Upon completion of a mitigation, use the metrics established in Phase 3, Process 2 to evaluate the success of the mitigation plan. Report to the administrative-level sponsor of the risk assessment.

Step 2: Document improvements to risk assessment procedures.

Throughout the risk assessment process, you will notice that some things work well for your institution and some things do not. Collect feedback from management, IT workers, staff and others who participated in the risk assessment process. It also helps to review current risk assessment literature for process improvements. Consider changes that might simplify the process and/or produce better results. As a group, decide what changes can be made to improve the next risk assessment, and document those changes in your risk assessment procedures.

Step 3: Plan the next risk assessment.

Depending on its size and organization, every institution has different risk needs. The institution's appetite for risk will influence how frequently risk assessments are needed, and compliance requirements will also influence frequency. Some institutions may want to perform a comprehensive risk assessment annually, though every one to three years is probably sufficient for most institutions. Risk assessments of a narrower scope, or of systems where the risk impact is very high, should be conducted more frequently. The following types of changes should serve as trigger points for an institution to evaluate whether the next risk assessment is needed sooner than scheduled.

  • New systems or infrastructure
  • Major changes to existing systems or infrastructure
  • Changes in compliance requirements
  • Follow-up to significant incidents or exploits

For comprehensive risk assessments, it is advisable to schedule the next assessment upon completion of the current one. Assigning the role that will be responsible for the next assessment will help ensure it is conducted on schedule.


(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).