A Simple Risk Assessment Method for Busy Owners: Ranking Your Top Assets and Threats in One Session
Most risk assessment frameworks are written for compliance teams in large organisations. They assume dedicated resources, technical expertise, and weeks of work. For a business owner in Letterkenny or Donegal Town who has a business to run, these frameworks are not practical tools. They sit in a folder, half-completed, until a client or insurer asks for them.
This is a different approach: a risk assessment method designed to produce a useful output in a single 90-minute session, using only a whiteboard or a blank spreadsheet, and requiring no technical knowledge beyond knowledge of your own business.
What Is a Risk Assessment?
A risk assessment is the process of identifying what your business depends on, what could go wrong with each of those dependencies, how likely it is, and how serious the impact would be — so that you can make informed decisions about where to invest in protection.
It is not a guarantee. It is not a checklist. It is a structured way of thinking about risk that produces a prioritised list of actions — which is exactly what a busy owner needs.
Step One: Identify Your Crown Jewels (20 Minutes)
Begin by listing the assets your business could not operate without. These are your "crown jewels" — the data, systems, and processes that, if lost or disrupted, would cause your business the most harm.
For most Irish SMEs, this list includes: customer and client data, financial records and accounting systems, operational systems (booking systems, stock management, ERP), email and communication systems, intellectual property (pricing models, client contracts, proprietary processes), and employee data.
Rank these by asking one question: if this was unavailable for a week, how severe would the impact be on a scale of one to five? Revenue impact, client impact, regulatory impact, and reputational impact each contribute to the score. You are not looking for precision — you are looking for a rough relative ranking that tells you which assets matter most.
Most Irish SMEs, when they complete this step, find that their customer data and financial systems rank highest — and that those are also the assets with the least specific security controls in place. Book a free 20-minute strategy call — we run structured risk assessment sessions with Irish SMEs regularly.
Step Two: Identify Your Most Likely Threats (20 Minutes)
For each high-ranking asset, identify the two or three most realistic threats to it. Realistic means: threats that have actually affected businesses like yours, not theoretical threats from spy thrillers.
For customer data: phishing email leading to account compromise, ransomware encrypting the database, insider misuse, accidental deletion.
For financial systems: invoice redirection fraud, ransomware, credential theft, system failure without backup.
For email: account compromise through stolen credentials, phishing attack, business email compromise fraud.
Rate each threat on two dimensions: likelihood (one to five, based on how common this threat is for businesses like yours in Ireland) and impact (one to five, based on the harm it would cause to the asset involved). Multiply the two scores to get a risk rating. A likelihood of four and an impact of five gives a risk rating of 20, near the top of the 25-point scale.
Step Three: Review Your Current Controls (20 Minutes)
For each high-rated risk, note what control currently exists to reduce that risk. Be honest. "We have antivirus" is a control. "We have MFA on all accounts" is a control. "We hope it doesn't happen" is not a control.
For each gap — a high-rated risk with no meaningful control — note it explicitly. This is your action list.
Step Four: Prioritise Your Actions (30 Minutes)
Rank your action list by a simple question: which gaps, if closed, would reduce the most risk for the least cost?
Almost always, the top of this list looks the same for Irish SMEs: enabling MFA on all accounts, testing the backup restore process, implementing a call-back verification procedure for payments, and ensuring patches are applied on a consistent schedule. These four actions, consistently, address the highest-risk gaps for the lowest cost.
Below those, the list becomes more specific to your business — particular systems, particular processes, particular third-party relationships that carry specific risks for your specific situation.
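The four steps as a small risk register, an added example that is not part of the original post: it scores each threat as likelihood times impact, marks rows with no control as gaps, and ranks the gaps by Step Four's question (most risk reduced for the least cost). The sample scores, the cost band (1 to 5) for each action and the residual rating each action is assumed to leave behind are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of the whiteboard register: asset, threat, scores and control."""
    asset: str
    threat: str
    likelihood: int        # Step Two: 1-5
    impact: int            # Step Two: 1-5
    control: str = ""      # Step Three: existing control; "" marks a gap
    action: str = ""       # Step Four: candidate action that would close the gap
    cost: int = 0          # assumed relative cost band, 1 (cheap) to 5 (expensive)
    residual: int = 0      # assumed risk rating left once the action is in place

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact          # 1..25

    @property
    def is_gap(self) -> bool:
        return self.control == ""

    @property
    def value(self) -> float:
        # Step Four's question: how much risk is reduced per unit of cost.
        return (self.rating - self.residual) / self.cost if self.is_gap else 0.0

def sample_register() -> list[Risk]:
    # Constructed sample scores for illustration; not survey data.
    return [
        Risk("Customer data", "Phishing leading to account compromise", 4, 5,
             action="Enable MFA on all accounts", cost=1, residual=5),
        Risk("Customer data", "Ransomware encrypting the database", 3, 5,
             action="Test the backup restore process", cost=2, residual=6),
        Risk("Financial systems", "Invoice redirection fraud", 4, 4,
             action="Call-back verification for payment changes", cost=1, residual=4),
        Risk("Email", "Business email compromise", 3, 4,
             control="MFA on all mailboxes"),
        Risk("Operational systems", "Unpatched system failure", 3, 3,
             action="Apply patches on a consistent schedule", cost=2, residual=3),
    ]

def action_list(register: list[Risk]) -> list[Risk]:
    """Gaps only, ranked by risk reduced per unit cost, then by raw rating."""
    gaps = [r for r in register if r.is_gap]
    return sorted(gaps, key=lambda r: (-r.value, -r.rating))
```

With these constructed scores the ranking comes out as the post predicts: MFA first, then call-back verification, backup restore testing and patching, while the email row drops off the action list because a control already exists.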
Why This Matters Right Now
NIS2 requires that organisations in scope conduct regular risk assessments as part of their Article 21 obligations [^1]. Enterprise clients are increasingly asking SME suppliers to demonstrate that they have a structured risk management approach. Cyber insurers ask risk assessment questions during underwriting.
Beyond compliance, the practical value is clear. A business owner who has spent 90 minutes thinking systematically about what matters most, what is most likely to go wrong, and what the gaps are, makes better security investment decisions than one who has not. The output of this session is a prioritised action list — which is the most useful thing a security adviser can produce for an Irish SME owner.
What Next
Schedule the 90-minute session this week, with your management team, your key operational staff and, optionally, your IT provider. You need the people who know how the business works, not the people who know the most about technology.
Work through the four steps: crown jewels, threats, current controls, prioritised action list. Document the output in a simple spreadsheet or shared document.
Revisit the assessment annually. Your risk profile changes as your business changes — new systems, new staff, new clients, new threats. An annual review keeps the assessment current and demonstrates to insurers and clients that risk management is an ongoing process.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Building a Simple Dashboard to Track Your Security and Resilience Progress
- The Minimum Security Baseline Every Irish Small Business Should Have in 2026
- NIS2 Director Personal Liability: What Irish Directors Must Know
[^1]: NCSC Ireland — NIS2 Risk Management Guidance
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.