Risk Assessment Method for Canadian SMBs
A pragmatic and accessible methodology to complete your first security risk mapping — no advanced GRC expertise required.
Risk assessment is the cornerstone of any GRC program. It lets you prioritize your security investments where they have the most impact. Here is a 6-step method designed to be applied without hiring a specialized consultant.
The 6-step method
Define your risk appetite
Before assessing risks, your leadership must define the acceptable level of risk for the organization. This guides all subsequent treatment decisions.
Example: We accept risks with low residual exposure; we prioritize high and critical risks before year-end.
Inventory your information assets
List the assets that have value for your organization: customer data, critical systems, business processes, confidential information, intellectual property.
Typical SMB: ERP, CRM, customer data, banking data, servers, cloud access, network shares, emails.
Identify threats and vulnerabilities
For each asset, identify what could happen to it (threats) and why it is possible (vulnerabilities). Use the MITRE ATT&CK knowledge base or the OWASP Top 10 as a reference.
Asset: customer database → Threat: unauthorized access → Vulnerability: weak passwords, no MFA.
Assess impact and likelihood
Use a simple scale from 1 to 4 (low, moderate, high, critical) to assess likelihood and potential impact. Multiply the two scores to get the gross exposure (out of a maximum of 16).
Likelihood 3 (high) × Impact 4 (critical) = Exposure 12/16 → High risk, priority treatment required.
Define treatments
For each significant risk, choose a strategy: Accept (low risk), Mitigate (implement a control), Transfer (insurance, third party), Avoid (do not perform the activity).
High phishing risk → Treatment: mandatory training + anti-phishing filter + quarterly simulation.
Monitor and review
The risk map is not a static document. Review it at least once a year, after a significant incident, or during a major change (new system, acquisition, etc.).
Best practices: quarterly review with the CISO, full annual review with leadership.
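The scoring, treatment and review steps above can be expressed as a small risk register. The following is an added example written for this article, not code from the article or from CapGRC: the 1–4 scale, the likelihood × impact exposure, the four treatment strategies and the appetite statement ("we accept low residual exposure") come from the text, while the tier band limits (the article only states that 12/16 is "high"), the sample assets and the review rules are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# 1-4 scale from the method: low, moderate, high, critical.
SCALE = {1: "low", 2: "moderate", 3: "high", 4: "critical"}
TIERS = ["low", "moderate", "high", "critical"]
TREATMENTS = ("Accept", "Mitigate", "Transfer", "Avoid")
MAX_EXPOSURE = 4 * 4


def tier(exposure: int) -> str:
    """Map an exposure score (1..16) to a tier.
    Band limits are an assumption for this example; the article only
    states that an exposure of 12/16 is 'high'."""
    if exposure <= 4:
        return "low"
    if exposure <= 8:
        return "moderate"
    if exposure <= 12:
        return "high"
    return "critical"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "Accept"
    controls: list[str] = field(default_factory=list)
    # Re-assessed scores once the controls are in place (None = not re-assessed).
    residual_likelihood: int | None = None
    residual_impact: int | None = None

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be integers 1..4")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def gross_exposure(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_exposure(self) -> int:
        # Without a re-assessment the residual exposure equals the gross one.
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest gross exposure first: the order in which to treat risks."""
    return sorted(register, key=lambda r: r.gross_exposure, reverse=True)


def review(register: list[Risk], appetite: str = "low") -> list[str]:
    """Findings for the periodic review: risks accepted above the appetite,
    and risks whose residual exposure still exceeds it (assumed rules)."""
    findings = []
    limit = TIERS.index(appetite)
    for r in register:
        gross, residual = tier(r.gross_exposure), tier(r.residual_exposure)
        if r.treatment == "Accept" and TIERS.index(gross) > limit:
            findings.append(f"{r.asset}: {gross} gross risk is marked Accept")
        if TIERS.index(residual) > limit:
            findings.append(f"{r.asset}: residual {r.residual_exposure}/{MAX_EXPOSURE} "
                            f"({residual}) exceeds appetite ({appetite})")
    return findings


# Constructed sample register for a typical SMB (values are illustrative).
REGISTER = [
    Risk("customer database", "unauthorized access", "weak passwords, no MFA", 3, 4,
         "Mitigate", ["MFA", "password policy"], residual_likelihood=1),
    Risk("email", "phishing", "no awareness training", 4, 3,
         "Mitigate", ["training", "anti-phishing filter", "quarterly simulation"],
         residual_likelihood=2),
    Risk("network shares", "ransomware", "no offline backups", 3, 4,
         "Mitigate", ["offline backups"], residual_likelihood=2, residual_impact=2),
    Risk("ERP", "outage", "single server, no HA", 2, 3, "Accept"),
    Risk("banking data", "disclosure", "access limited to finance", 1, 4, "Accept"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:18} gross {r.gross_exposure:>2}/{MAX_EXPOSURE} ({tier(r.gross_exposure):8}) "
              f"-> {r.treatment:8} residual {r.residual_exposure:>2} ({tier(r.residual_exposure)})")
    for f in review(REGISTER):
        print("FINDING:", f)
```

Run as a script, it prints the prioritized register and then the findings: the phishing risk is still "moderate" after treatment, and the ERP outage is a moderate risk marked Accept, so both go back to leadership at the next review.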
Choosing the right tool
| Tool | Best for | Limitations |
|---|---|---|
| Excel/Sheets spreadsheet | Simple starting point | Hard to maintain, no workflow, no traceability |
| SharePoint/Confluence | Documentation and collaboration | Not structured for risk management, no exposure calculation |
| Dedicated GRC tool (e.g. CapGRC) | Mature or growing organization | Initial cost, learning curve to get started |
Free risk register template
We have prepared a pre-configured Excel template with exposure calculation formulas, probability/impact dropdown lists and a summary dashboard.
Download the free template (XLSX)
Move from spreadsheet to a professional risk register
CapGRC centralizes your risk management with configurable methodology, treatment plans and executive dashboards.
