Annual Risk Assessment Checklist
A formal risk assessment helps identify potential threats to your organization's operations, systems, and data. This annual checklist ensures you’re meeting core SOC 2 requirements while keeping your risk management process structured and auditable.
| Item | Description | Evidence Examples |
|---|---|---|
| 1. Define Assessment Scope | Identify which systems, departments, and third-party vendors are included | List of in-scope assets or business units |
| 2. Identify Risks | List internal and external threats (e.g., insider threats, data breaches, outages) | Risk register with unique IDs |
| 3. Assess Likelihood & Impact | Score each risk for probability and business impact | Risk matrix (High, Medium, Low) |
| 4. Assign Risk Owners | Appoint responsible persons for each risk item | Named individuals in risk register |
| 5. Document Existing Controls | Note technical and operational safeguards in place for each risk | Access controls, monitoring tools, policies |
| 6. Evaluate Control Effectiveness | Rate how well controls mitigate each risk | Control effectiveness column in risk register |
| 7. Determine Residual Risk | Calculate risk level after current controls are applied | Updated risk score (post-control) |
| 8. Create or Update Mitigation Plans | Define actions for high or unacceptable risks | Action plans with deadlines |
| 9. Review and Approve Findings | Have leadership review and sign off on the risk report | Executive sign-off document or meeting notes |
| 10. Archive the Assessment | Store the risk register and any related evidence securely | Versioned risk log in Google Drive or Notion |
| 11. Schedule Next Assessment | Set calendar reminders for annual re-assessment | Calendar event with stakeholders invited |