Risk Assessment
Controls & Security · Last updated 2026-05-17

A risk assessment is the structured process of identifying threats and vulnerabilities to a service organization's systems and data, evaluating their likelihood and impact, and prioritizing them for remediation. SOC 2 requires a documented risk assessment performed at least annually, covering technology risks, vendor and supply chain risks, fraud risks, and risks introduced by significant business changes.

The output is a risk register that catalogs each identified risk with an owner, current controls, residual risk rating, and treatment plan. Common methodologies include qualitative scoring on likelihood-impact matrices and quantitative approaches such as FAIR (Factor Analysis of Information Risk). Risk assessments feed into control selection: high-residual-risk areas typically receive additional controls or compensating monitoring.

Auditors test the risk assessment by reviewing the methodology document, examining the current risk register, sampling risks to verify that the planned treatments actually occurred, and confirming that the assessment cadence was met.

Weak risk assessments are usually one-time exercises that gather dust; strong programs treat the register as a living document, updated as the business evolves.