When you ignore known risks, they eventually turn into expensive incidents that damage your business. For example, if you know your employee records are stored on an unsecured shared folder but do nothing about it, a disgruntled staff member or external hacker can steal salary data and demand ransom—or worse, sell it online, exposing your company to DPDP Act fines (up to ₹50 crore) and permanent loss of customer trust. An audit by a large client (like a bank or government contractor) will immediately flag unaddressed risks as a reason to drop you as a vendor. Operational downtime from a preventable cyber-attack or data loss can cost an MSME thousands of rupees per hour and take weeks to recover from.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You have no documented list of risks that could harm your business. When something bad happens, you deal with it reactively and then move on without understanding why it occurred. |
| Initial | You have identified 3–5 major risks (ransomware, staff theft, fire, power failure) and discussed them in informal meetings, but there is no written risk register and no clear action plan for any of them. |
| Developing | You have a written list of 5–10 risks with a brief description of each, and you have assigned one or two basic controls (like backing up data weekly or locking the server room), but you do not track whether these controls actually work or are consistently applied. |
| Defined | You have a documented risk register with 10+ risks, assigned ownership for each, clear remediation actions with target dates, and you review progress quarterly. Most medium-priority risks have at least one control in place and you know who is responsible. |
| Managed | Your risk register is regularly reviewed (at least monthly), controls are tested for effectiveness, new risks are identified promptly, and resource allocation is based on risk severity. You have metrics showing which risks have been reduced and why. |
| Optimised | Risk management is embedded in your culture: every project and decision considers security and operational risk from the start, controls are continuously monitored with automated alerts, and you adjust your strategy based on emerging threats and lessons learned from incidents. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Hold a 2–3 hour workshop with the business owner, IT person (if any), finance lead, and operations lead to brainstorm and list all the risks that could harm the business (cyber-attack, data loss, staff fraud, physical theft, power failure, etc.). Write them down on a sheet or simple spreadsheet. | Business owner or Operations lead | 1 day |
| 1 → 2 | Create a simple Risk Register spreadsheet with columns: Risk ID, Risk Description, Likelihood (High/Medium/Low), Impact (High/Medium/Low), Current Control (if any), Owner, and Target Action. Rank risks by likelihood × impact. Assign each risk to a responsible person. | IT person or Finance lead | 3–5 days |
| 2 → 3 | For each top 10 risk, write a one-page action plan: what specific control will be put in place, who will implement it, what is the target completion date, and how much will it cost. Get approval from the business owner and assign clear ownership. Document completion evidence (e.g., backup logs, access control list, insurance policy, training certificate). | IT person and Risk Owner | 2–4 weeks |
| 3 → 4 | Establish a monthly risk review meeting where each risk owner reports on the status of their assigned control. Measure effectiveness: e.g., 'We backed up data 26 out of 30 days last month' or 'Zero unauthorized access attempts detected.' Update the register with metrics and adjust priorities based on changes in the business. | IT person and Risk Coordinator | 1–2 months |
| 4 → 5 | Integrate risk management into all new projects and hiring. Conduct quarterly risk workshops to identify emerging threats (e.g., new regulatory requirements, industry incidents). Automate monitoring of key controls (e.g., backup success alerts, access logs) and conduct annual third-party risk assessments. Share risk culture training with all staff. | Business owner, IT person, and all department leads | Ongoing |
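As an added example (not code from the original page or from NIRMATA), here is a small Python model of the register from step 1 → 2: it scores each risk by likelihood × impact on the High/Medium/Low scale, ranks the rows, flags the gaps the pitfalls below warn about (no owner, no target date, an overdue control, a high-impact risk with no control), and computes the control-effectiveness metric used in the step 3 → 4 review. The register rows are constructed sample data, not real risks.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVEL = {"Low": 1, "Medium": 2, "High": 3}  # scale for Likelihood and Impact

@dataclass
class Risk:  # one row of the Risk Register spreadsheet
    risk_id: str
    description: str
    likelihood: str
    impact: str
    current_control: Optional[str] = None
    owner: Optional[str] = None
    target_date: Optional[date] = None

    def __post_init__(self):  # reject values outside High/Medium/Low
        if self.likelihood not in LEVEL or self.impact not in LEVEL:
            raise ValueError(f"{self.risk_id}: likelihood/impact must be High, Medium or Low")

    def score(self) -> int:  # likelihood x impact, 1..9, as in step 1 -> 2
        return LEVEL[self.likelihood] * LEVEL[self.impact]

def rank(register):
    # highest score first; ties broken by Risk ID so the order is stable
    return sorted(register, key=lambda r: (-r.score(), r.risk_id))

def findings(register, today):
    # flag the gaps the common-pitfalls list warns about
    out = []
    for r in register:
        if r.owner is None:
            out.append((r.risk_id, "no owner assigned"))
        if r.target_date is None:
            out.append((r.risk_id, "no target date"))
        elif r.current_control is None and r.target_date < today:
            out.append((r.risk_id, "control overdue"))
        if r.impact == "High" and r.current_control is None:
            out.append((r.risk_id, "high-impact risk with no control"))
    return out

def control_effectiveness(successes, expected):
    # monthly review metric, e.g. backups taken on 26 of 30 days -> 86.7 (percent)
    return round(100.0 * successes / expected, 1)

# Constructed sample register for demonstration (not real data)
SAMPLE = [
    Risk("R1", "Ransomware encrypts file server", "Medium", "High",
         "Weekly offline backup", "IT person", date(2024, 3, 31)),
    Risk("R2", "Staff fraud in payments", "Medium", "High", None, None, date(2024, 2, 29)),
    Risk("R3", "Fire in server room", "Low", "High", None, "Operations lead"),
    Risk("R4", "Power failure", "High", "Medium", "UPS for server", "Operations lead", date(2024, 1, 15)),
]
```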
Documents and records that prove your maturity level.
- Risk Register spreadsheet or document containing at least 8–10 identified risks with description, likelihood, impact, and owner
- Risk Remediation Action Plan for each High or Medium priority risk, showing what control will be implemented, owner, target date, and budget
- Completion records for implemented controls: backup logs, access control lists, firewall/antivirus reports, employee training certificates, insurance policies, locked server room photo, or password manager audit log
- Monthly or quarterly Risk Review meeting minutes showing attendance, risks discussed, control effectiveness metrics, and any risks that have been reduced or escalated
- Evidence of communication to staff: email or training slides explaining the top 3–5 risks and what each person should do to help mitigate them
Prepare for these questions from customers or third-party reviewers.
- "Show me your risk register. How many risks have you identified and how often do you update it?"
- "For your top three risks, what specific control have you put in place? How do you know that control is actually working?"
- "Walk me through one risk remediation action plan. When was the control supposed to be in place and is it in place now? What evidence do you have?"
- "If a critical system went down tomorrow, do you have a tested backup and recovery plan? When was it last tested and by whom?"
- "Tell me about a risk that you identified six months ago. Has it been reduced? What changed?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and track a simple risk register and action plan | Google Sheets or Microsoft Excel with a custom template (create columns for Risk ID, Description, Likelihood, Impact, Control, Owner, Target Date, Status) | LogicGate Risk Cloud (₹3–5 lakhs/year for SMEs), Sword GRC (₹2–4 lakhs/year), or Risk.net (₹4–8 lakhs/year) |
| Identify and scan for common cyber risks (open ports, weak passwords, unpatched software) | Nessus Essentials (free version scans up to 16 IPs once per week), OpenVAS (open-source), or Shodan (search engine for exposed devices) | Nessus Professional (₹50,000–1 lakh/year), Qualys VMDR (₹2–5 lakhs/year) |
| Automate data backup and track completion to mitigate data loss risk | Bacula (open-source), or Veeam Community Edition (up to 2 sockets), or cloud provider free tier (AWS S3, Google Drive, OneDrive) | Veeam Backup & Replication (₹1–3 lakhs/year), Carbonite (₹20,000–50,000/year), or Acronis Backup Cloud (₹30,000–1 lakh/year) |
| Manage and monitor access logs to reduce insider threat and unauthorized access risk | Windows Event Viewer (built-in), Splunk Free (500 MB/day), or ELK Stack (Elasticsearch + Logstash + Kibana) | Splunk Enterprise (₹2–5 lakhs/year), Datadog (₹50,000–2 lakhs/year), or Rapid7 InsightIDR (₹1.5–4 lakhs/year) |
| Document and communicate risk policies and incident response procedures to staff | Google Docs or Notion to create a simple Information Security Policy document and checklist | Policy template services like Compliance.ai (₹30,000–1 lakh/year) or SecurityCompass (custom quotes) |
- Creating a risk register once and never updating it: risks change as your business grows, regulations change, and new threats emerge. Review your register at least quarterly and add new risks when you discover them.
- Identifying risks but not assigning clear ownership or deadlines: a risk with no owner is a risk that will be ignored. Always assign one specific person and a target completion date for every control.
- Confusing 'low likelihood' with 'doesn't matter': even a low-likelihood, high-impact risk (like ransomware or major fire) must have at least a basic control (backup, insurance, fire extinguisher). Don't just accept it and hope it doesn't happen.
- Not communicating risks to staff: employees who don't understand why a control exists (e.g., 'Why do I have to lock my computer?') will bypass it. Spend time explaining the top 3–5 risks in language staff understand.
- Forgetting to test controls: a backup that has never been restored is not a real backup. A disaster recovery plan that has never been practiced will fail when you need it most. Test at least once a year.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Privacy by Design) and Schedule I (Obligations of Data Fiduciaries) require identification and mitigation of risks to personal data |
| CERT-In 2022 | Direction 3 requires organizations to conduct a risk assessment and maintain a register of security risks and mitigation measures |
| ISO 27001:2022 | Clause 6.1.2 (Information Security Risk Assessment) and Clause 6.2 (Information Security Risk Treatment) mandate risk identification and remediation |
| NIST CSF 2.0 | Govern function (GV) – specifically GV.RR (Organizational Risk Profile) and GV.RM (Risk Management Strategy) |