When conducting Risk Assessments, both RCSA and Enterprise-level assessments, how is criticality considered in the assessment? Are you considering/factoring it in when assessing inherent risk impact? Or are you considering it when you identify the process/asset that is being assessed?
Integrated Risk Management, Senior Director in Manufacturing, 11 days ago
Hi Stephanie, when compiling data top-down and bottom-up, we bring the numbers (1-5) together to really understand the "true" risk exposure, and that is the Inherent Risk for the next assessment to work on. In addition, these assessments may end up in some sort of Remediation / Mitigation plan to improve the risk score. Hope this helps.
We consider criticality with controls when doing assessments. As part of the risk assessment/RCSA process we ask the risk/control owner the level of criticality the control addresses in the reduction and management of the risk. They select from a 5-point rating scale (minor, moderate, high, very high and critical). This information is retained within the risk register/control library. We then take that rating and multiply it by the "inherent risk impact" (also on a 5-point rating scale) to give us a control priority rating (PR1 - PR4). The control priority aligns to our risk heat map (PR1 - very high, PR2 - high, PR3 - moderate, PR4 - low/very low) and is leveraged for prioritizing key controls for monitoring and testing.