The R in our SMART Assessment series is Relevant. We were reading through some assessments and ran across a data center risk assessment where “meteor strike” was listed as a risk. Meteor strike. Is it a risk? The sun could blow up. It’s a risk. Okay, sure, but how relevant is that, really?
When you’re having a risk assessment done, you’re looking for actual risks. Not risks that have a .0001% likelihood. Or risks that have essentially no remediation.
Assessments have started to garner a bad reputation because too many dubious vendors are providing irrelevant assessments. In an effort to cover their behinds, they list every possible risk, regardless of probability. That way it appears they’ve done their due diligence. It appears they’ve thought through your problems.
But did you pay for smoke and mirrors? No. You expect the outputs you’re paying for to be applicable to your situation. Relevant risk assessments. Relevant remediation steps. Relevant to you and your business objectives.