You've completed a security risk assessment across multiple sites. What do you do with the results?
This scoring template is one option. It provides a visual structure for your results, which may help facilitate high-level examination of gaps in policy and safeguards and site-specific consideration of improvements. This is not intended to be a punitive exercise, instead it should be used to help prioritize action by security and stakeholders to shore up gaps.
A pdf of the template is available for download below.
How to Use the Template
The template is a sample and it should be customized by the user to reflect his or her organization's own site security elements and issues.
To use the template, consider each of the sites that have undergone a risk assessment. Based on the results of the on-site review against accepted standards of asset protection each site will be assigned a "level of concern" score. In this example a value of 1 to 5 was used, 1 being a low level of concern and 5 representing a high level of concern.
How you choose to summarize the scores in this exercise will depend on what message you hope to convey. Here are some examples:
- Sum or calculate the average of the scores by site (by column) and put them in the bottom row. This is effective if you plan to compare sites to each other.
- Sum the score by risk indicator (by row) and place them in the rightmost column. This helps obtain a sense of the overall performance in each risk indicator category.
- Scores can be weighted depending on how important the various elements are to stakeholders or to the specific sites.
- Scores can be placed in ranges to more quickly convey, based on your evaluation, of how much risk is too much. For example, scores from 15-30 are low concern and 60-75 are high concern. Color coding these ranges can further their communicative value (e.g., yellow is a medium level of concern and red is high level of concern).
Need more guidance? We can help you interpret your risk assessments, recognize and eliminate gaps, and determine the next steps to improve security and risk management in your organization.