University of Minnesota  Procedure

Conducting Risk Assessments


Expand all


Table of Contents

TOC placeholder


Please use the contact section in the governing policy.


Risk Assessments conducted as part of the Information Security Risk Management Program are a method for the University to identify information security risks, determine their likelihood and impact, monitor the implementation of plans for remediation, and provide guidance for strategic resource planning. 

The Information Security Risk Management process below represents the business processes for the majority of the risk assessments. Variations in the processes are normal and should be expected based on the unique needs of a given unit. 

Schedule an Information Security Risk Assessment 

To request an Information Security Risk Assessment, email [email protected]

The Information Security Risk Management Program will also identify and schedule Information Security Risk Assessments. 

University Information Security will be responsible for scheduling and prioritizing according to metrics-based risk criticality.

Conduct a Risk Assessment 

A standardized approach will be followed for assessing risks, planning risk treatment, and the ongoing monitoring/review of the identified risks. 

There are five phases: 

  • Phase 1: Identify assets and define scope. 
  • Phase 2: Complete in-depth risk assessment. 
  • Phase 3: Collaborate on risk treatment plan. 
  • Phase 4: Accept risk treatment plan. 
  • Phase 5: Monitor status of risk treatment plan. 

Additional detailed process information is published on the Collaborate on a Risk Assessment Website.