What Is an IT Risk Assessment?
An IT risk assessment is a systematic evaluation of the threats and vulnerabilities affecting your technology systems, the likelihood of those threats materialising, and the impact they would have on the business. The output is a prioritised list of risks and a plan for addressing them.
The term appears under several names, such as an IT risk assessment, cyber risk assessment, or cybersecurity risk assessment, but for a UK SMB the practical scope is the same.
It is not a compliance exercise, though it supports compliance. UK GDPR requires organisations to assess risks to personal data, but the value of a proper IT risk assessment goes well beyond satisfying a regulatory checkbox. It shows exactly how an operational failure, a security incident, or a system outage would hurt the company and what needs to be done to avoid or recover from each one.
It is important to distinguish this from an IT audit. An IT audit tells you what you have and what state it is in; it does not produce an action plan. Both exercises are useful, so if you have not yet done an IT audit, the IT audit checklist is a good place to start before diving into this process.
What is risk assessment in IT security specifically? The focus narrows to confidentiality, integrity, and availability of data and systems — i.e., who can access what, whether data could be altered or lost, and whether systems can be kept running. The same five steps apply to an SMB, with special consideration given to data handling, access controls, and unsupported software.
Why SMBs Need This More Than Large Enterprises
Large organisations have dedicated risk management functions, security teams, and compliance departments, while SMBs face the same threats with a fraction of the resources to manage them.
The NCSC's own guidance for small organisations reports that 1 in 2 small businesses in the UK suffers a cyber incident every year. The NCSC's Annual Review 2025 recorded 204 nationally significant incidents in the year to August 2025 — up from 89 the year before — and smaller organisations without dedicated security oversight are consistently among the most affected.
The financial exposure is significant regardless of business size. Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious breaches, and those maximum thresholds apply equally to a 20-person accountancy firm and a FTSE 250 business. An unpatched system, an untested backup, or an access control that was never reviewed can trigger the same regulatory scrutiny for both.
Beyond security, the operational risk is often underestimated. A legacy system that nobody has formally assessed might be running payroll, managing client records, or scheduling production. If it fails, what happens? For most SMBs, the answer to that question has never been written down. For context on how these systems get into that position, see our guide to what a legacy system is.
The 5-Step IT Risk Assessment Process
This process is designed to be worked through by a business leader or IT manager without specialist risk management training. It produces a prioritised list of risks with owners and actions rather than a hundred-page report.
Step 1: Inventory Your IT Assets
You cannot assess risk for systems you do not know you have, which is why the starting point is a complete list of everything your business depends on technologically. This includes:
- servers and physical hardware;
- software applications: licensed, custom-built, and the unofficial tools staff have installed themselves;
- cloud services and SaaS subscriptions;
- data: where it is stored, who has access, and how sensitive it is;
- network infrastructure;
- the people and access credentials that connect all of the above.
For a business with 30 to 50 people, this list typically has 40 to 80 entries once shadow IT is included. A logistics company with a bespoke Access database, three cloud services, a shared server, and twelve staff laptops has a meaningful asset inventory even before you add the integrations between them.
If you have already completed an IT audit, your asset inventory is largely done. If not, the IT audit checklist covers what to document.
Step 2: Identify Threats and Vulnerabilities
For each asset in your inventory, the question is: what could go wrong? Threats fall into a few consistent categories for UK SMBs.
- Cyber threats: phishing, ransomware, unauthorised access, credential theft.
- System failures: hardware failure, software corruption, database errors.
- Dependency risks: a system only one person understands, a supplier that has gone out of business, software that is no longer supported.
- Data risks: accidental deletion, data breach, regulatory non-compliance.
- Physical risks: fire, flood, power failure at a site with on-premise infrastructure.
Vulnerabilities are the weaknesses that let a threat succeed or make it more likely: unsupported software with unpatched security flaws, a backup that has never been tested, remote access without multi-factor authentication, or a critical process that runs on a system nobody has documented. For more on how these vulnerabilities accumulate over time, the guides to legacy systems and technical debt cover the pattern in detail.
The NCSC's cyber security risk management guidance is a useful reference for this step, particularly for identifying cyber-specific threats relevant to your sector and size.
Step 3: Assess Likelihood and Impact
For each threat identified, assess two things: how likely is it to occur, and how serious would the consequences be?
A simple three-point scale works well for most SMBs:
- Likelihood: Low (unlikely in the next 12 months), Medium (possible), High (already occurring or very likely).
- Impact: Low (minor disruption, recoverable quickly), Medium (significant operational disruption or cost), High (major financial loss, regulatory action, or business-critical failure).
IT Risk Matrix
| Likelihood / Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
Applied to a real example: an accountancy firm running a payroll system on unsupported software. Likelihood of a security incident or system failure: High. Impact of payroll failure: High. Risk level: Critical. The same firm's office printer network: likelihood of failure, Medium; impact, Low. Risk level: Low. Both are on the list; they are just not the same priority.
An e-commerce business running a legacy CMS that has not received security updates in two years: likelihood of a breach attempt, High (known vulnerabilities publicly documented); impact of a customer data breach, High (ICO notification requirements, reputational damage, potential fine). Risk level: Critical.
Step 4: Prioritise and Plan
The risk matrix produces a prioritised list. What you do with each risk falls into four categories.
- Mitigate. Reduce the likelihood or the impact: implement multi-factor authentication, patch the software, move data to a supported platform, test the backup. The NCSC's Cyber Essentials scheme provides a baseline of five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. They address the most common attack vectors and are worth considering as part of your mitigation plan.
- Accept. Some risks are low enough in likelihood and impact that the cost of mitigating them exceeds the cost of the risk itself. Document the decision and the reasoning.
- Transfer. Cyber insurance does not eliminate risk, but it transfers the financial consequences of certain incidents. For risks you cannot fully mitigate, insurance is worth considering.
- Avoid. In some cases, the right answer is to stop using the system or process that creates the risk entirely.
For Critical and High risks, assign an owner and a deadline. A risk with no owner is a risk nobody is addressing.
Step 5: Document and Review
A risk assessment that exists only in someone's head is not a risk assessment. The output should be a written document covering the asset inventory, the threats and vulnerabilities, the risk ratings, the decisions taken for each risk, and the actions assigned to owners with due dates.
This document serves two purposes. First, it gives the business a reference point for tracking progress. Second, it provides evidence of due diligence if a regulator or insurer asks how risks were identified and managed.
Why is it important to regularly review risk assessments? Because the risk picture changes — new systems are added, staff leave, software reaches end of life. A risk assessment that was accurate eighteen months ago may no longer reflect the current exposure. Review every six to twelve months, and immediately after any significant change, such as a new system, a security incident, or a material change in how the business operates.
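To make Steps 3 to 5 concrete, here is an added example, not code from the original article, of a small Python risk register. It applies the three-point matrix above, orders the register by priority, flags the governance gaps the text warns about (Critical or High risks with no owner or deadline, overdue actions, accepted risks with nobody recorded as signing off) and calculates the next review date. The assets, owners and dates are constructed to mirror the article's worked examples, and the six-month default review interval is an assumption taken from the "six to twelve months" guidance.

```python
"""Small IT risk register for Steps 3 to 5.

Added example, not code from the original article. Asset names, owners
and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

LEVELS = ("Low", "Medium", "High")

# The 3x3 matrix from Step 3: outer key is likelihood, inner key is impact.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TREATMENTS = ("mitigate", "accept", "transfer", "avoid")   # the four Step 4 options


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str
    owner: Optional[str] = None   # for "accept", whoever signed the decision off
    due: Optional[date] = None    # deadline for the action (mitigate/transfer/avoid)

    def level(self) -> str:
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.asset}: likelihood and impact must be one of {LEVELS}")
        return RISK_MATRIX[self.likelihood][self.impact]


def rate(register: List[Risk]) -> List[Risk]:
    """Step 3: return the register ordered Critical, High, Medium, Low (then by asset name)."""
    return sorted(register, key=lambda r: (PRIORITY[r.level()], r.asset))


def governance_gaps(register: List[Risk], today: date) -> List[str]:
    """Steps 4 and 5: Critical and High risks need an owner and a deadline,
    accepted risks need a recorded sign-off, and past-due actions are flagged."""
    gaps = []
    for r in register:
        lvl = r.level()
        if r.treatment not in TREATMENTS:
            gaps.append(f"{r.asset}: unknown treatment '{r.treatment}'")
        if lvl in ("Critical", "High"):
            if not r.owner:
                gaps.append(f"{r.asset} ({lvl}): no owner")
            if r.due is None:
                gaps.append(f"{r.asset} ({lvl}): no deadline")
            elif r.due < today:
                gaps.append(f"{r.asset} ({lvl}): action overdue since {r.due.isoformat()}")
        if r.treatment == "accept" and not r.owner:
            gaps.append(f"{r.asset}: accepted risk with no recorded sign-off")
    return gaps


def next_review(assessed_on: date, months: int = 6) -> date:
    """Step 5: review every six to twelve months (six assumed as the default here).
    The day is capped at 28 so the arithmetic never overflows a short month."""
    month0 = assessed_on.month - 1 + months
    return date(assessed_on.year + month0 // 12, month0 % 12 + 1, min(assessed_on.day, 28))


def review_overdue(assessed_on: date, today: date, months: int = 12) -> bool:
    """True once the assessment is older than the longest acceptable interval."""
    return today > next_review(assessed_on, months)


# Constructed register mirroring the article's worked examples.
ASSESSED_ON = date(2025, 1, 31)
TODAY = date(2025, 5, 1)
SAMPLE_REGISTER = [
    Risk("Payroll system on unsupported OS", "Security incident or system failure",
         "High", "High", "mitigate", owner="Finance Director", due=date(2025, 3, 31)),
    Risk("Office printer network", "Hardware failure",
         "Medium", "Low", "accept", owner="Office Manager"),
    Risk("Legacy CMS, no updates for two years", "Breach via publicly known vulnerabilities",
         "High", "High", "mitigate"),
    Risk("Remote access without MFA", "Credential theft",
         "High", "Medium", "mitigate", owner="IT Manager", due=date(2025, 6, 30)),
    Risk("Nightly backup never restored", "Recovery fails when needed",
         "Medium", "High", "mitigate", owner="IT Manager"),
]

if __name__ == "__main__":
    for r in rate(SAMPLE_REGISTER):
        print(f"{r.level():8} {r.asset:40} {r.treatment:9} owner={r.owner or '-'} due={r.due or '-'}")
    for gap in governance_gaps(SAMPLE_REGISTER, TODAY):
        print("GAP:", gap)
    print("next review:", next_review(ASSESSED_ON), "overdue:", review_overdue(ASSESSED_ON, TODAY))
```

Run as a script it prints the ordered register, the gaps (the legacy CMS has no owner and no deadline, the payroll action is overdue, the backup has no deadline) and the review dates. The point of keeping the matrix as data rather than code is that changing the scale later, for example to a four-point one, means editing one table and nothing else.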
Common IT Risks SMBs Overlook
Shadow IT. Applications and services that staff use without formal IT awareness, such as personal cloud storage for client files, messaging apps for internal communication, or browser extensions with broad data access. Each is a potential data exposure that does not appear on any official inventory.
Single point of failure in people. One person who understands the configuration of a critical system, holds the admin credentials, or manages the supplier relationship. When that person is unavailable, operations stop. This is consistently one of the highest-impact risks in SMBs and one of the least formally managed.
Unsupported software. The NCSC identifies end-of-life software as one of the most consistently exploited vulnerabilities in UK cyber incidents. Systems without security patches accumulate known vulnerabilities with no remediation path.
Untested backups. Backups that run automatically but have never been restored from are not reliable. The risk is not the absence of a backup; it is believing that recovery is possible when it has never been tested.
Excessive access rights. This includes former staff, contractors, or suppliers with active credentials, users with admin rights they do not need, as well as instances where access was granted for a specific project and never revoked. Each represents an unnecessary attack surface.
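The cases in this paragraph can be checked mechanically from an account export rather than by memory. The following is an added example in Python, not code from the original article: it reads a constructed CSV export of the kind a directory or SaaS admin console can produce and flags leavers whose accounts are still enabled, accounts with no sign-in for 90 days, admin rights held outside the roles expected to have them, and time-limited access whose end date has passed. The column names, the 90-day threshold and the rule that only the IT role should hold admin rights are assumptions for this example.

```python
"""Access-rights review over an account export.

Added example, not code from the original article. The CSV below is
constructed; column names, thresholds and the admin-role rule are assumptions.
"""
import csv
import io
from datetime import date
from typing import List, Tuple

STALE_DAYS = 90                  # assumption: no sign-in for 90 days is worth a question
ADMIN_ROLES = {"IT"}             # assumption: only this role should hold admin rights
LEAVER_STATUSES = {"left"}       # the HR view of the person, not the system's view

# Constructed export; "status" comes from HR, the other columns from the system.
SAMPLE_EXPORT = """\
username,status,enabled,last_logon,admin,role,access_expires
a.jones,employee,true,2025-04-28,false,Accounts,
b.smith,left,true,2025-01-10,false,Accounts,
c.patel,contractor,true,2025-04-20,false,Project-X,2025-02-28
d.lee,employee,true,2024-11-02,true,Sales,
e.khan,employee,true,2025-04-30,true,IT,
supplier-svc,supplier,true,2025-03-01,true,Supplier,2025-12-31
"""
REVIEW_DATE = date(2025, 5, 1)

Finding = Tuple[str, str, str]   # (username, finding kind, detail)


def _flag(value: str) -> bool:
    return value.strip().lower() == "true"


def _date(value: str):
    value = value.strip()
    return date.fromisoformat(value) if value else None


def review_access(export_csv: str, today: date) -> List[Finding]:
    """Apply the four checks to every enabled account and return the findings."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        if not _flag(row["enabled"]):
            continue  # disabled accounts are out of scope here; removing them is a separate task
        if row["status"] in LEAVER_STATUSES:
            findings.append((user, "leaver_active", "has left but the account is still enabled"))
        last = _date(row["last_logon"])
        if last is None or (today - last).days > STALE_DAYS:
            age = "never" if last is None else f"{(today - last).days} days ago"
            findings.append((user, "stale", f"last sign-in {age}"))
        if _flag(row["admin"]) and row["role"] not in ADMIN_ROLES:
            findings.append((user, "admin_unjustified", f"admin rights held in role {row['role']}"))
        expires = _date(row["access_expires"])
        if expires is not None and expires < today:
            findings.append((user, "access_expired", f"access was due to end {expires.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_EXPORT, REVIEW_DATE):
        print(f"{user:14} {kind:18} {detail}")
```

On the sample data the leaver, the expired contractor access and the two accounts holding admin rights outside IT are each reported, and two of those accounts are also flagged as stale. Each finding is a question for the access owner, not an automatic removal; the value of running it on a schedule is that the list of questions exists at all.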
No incident response plan. When something goes wrong — a ransomware attack, a data breach, a critical system failure — the cost is significantly higher without a documented plan for who does what in the first hours and days. Most SMBs do not have one.
IT Risk Assessment vs. IT Audit: What's the Difference?
These two processes are related but distinct, and both are worth going through.
| | IT Audit | IT Risk Assessment |
|---|---|---|
| Question it answers | What do we have, and what state is it in? | What could go wrong, and how serious would it be? |
| Output | Inventory of systems, gaps, and issues | Prioritised list of risks with likelihood and impact |
| When to do it | Annually, or before major changes | Annually, or after incidents and significant changes |
| Who leads it | IT manager or external auditor | Business leader, IT manager, or specialist |
The two processes complement each other: an audit gives you the asset inventory that a risk assessment needs as its starting point; a risk assessment gives you the prioritisation framework that turns audit findings into a plan. For a detailed checklist of what to cover in an IT audit, see the IT audit checklist for SMBs.
When to Bring in a Specialist
The five-step process above is designed to be completed internally. For many SMBs, starting there is the right move regardless of whether external help follows.
External involvement is worth considering when:
- the internal assessment surfaces risks the business does not have the expertise to evaluate accurately;
- compliance requirements add regulatory complexity;
- the business has experienced a security incident and needs an independent view of current exposure;
- the results suggest a level of risk that requires independent assessment before presenting to leadership or a board.
The cost of a structured external assessment for most SMBs is considerably less than the cost of a single significant incident.
Key Takeaways
- An IT risk assessment identifies what could go wrong with your technology, how likely it is, and what it would cost. It is not a compliance exercise, though it supports compliance.
- 1 in 2 small UK businesses suffers a cyber incident every year, according to NCSC; SMBs carry the same risks as larger organisations with fewer resources to manage them.
- The five steps: inventory your assets, identify threats and vulnerabilities, assess likelihood and impact using a simple matrix, prioritise and plan, document and review.
- The risks SMBs most commonly miss are shadow IT, single points of failure in people, unsupported software, untested backups, and excessive access rights.
- Review the assessment every six to twelve months — the risk picture changes as your systems, staff, and suppliers change.
