IT Examiner School - Oct 2025

Internal Use Only

Attributes of an Inadequate Risk Assessment

Let’s discuss what makes a bad risk assessment. What key elements are you seeking to identify in a Risk Assessment to ensure its thoroughness and compliance?

Attributes of an Inadequate Risk Assessment

In reviewing risk assessments from various covered entities, we've identified several recurring inadequacies that typically indicate non-compliance with regulatory expectations.

• Lack of Follow-Up
• No Involvement from Key Stakeholders
• Not annually reviewed and updated
• Generic Approach
• Overlooking Assets
• Poor Evaluation Criteria
• Absence of Risk Mitigation

These materials are for internal training purposes for NYS DFS Staff. They may not be distributed outside the department.
