Develop a Risk Assessment Plan for Your Company | A Step-By-Step Guide

Written by Taylor Leikness | May 19, 2023 8:55:58 PM

According to the new FTC Safeguards, all companies, including lead generation ones, must develop a written risk assessment plan to identify and prioritize potential risks to customer data. This assessment helps companies evaluate the likelihood and impact of these risks, develop policies and procedures to mitigate them, and guide incident response efforts.

Even without the new ruling, a written risk assessment is vital for companies to demonstrate their commitment to data security and compliance with regulatory requirements. It also enables them to proactively address potential risks and protect customer data from potential breaches.

How To Set Up a Written Risk Assessment Plan

Here is a general overview of the steps you can take to set up a written risk assessment:

  1. Identify the Assets: First, you need to identify the assets that need to be protected. Assets may include sensitive customer information, financial records, intellectual property, and other valuable data your company possesses.
  2. Identify the Threats: Once you have identified the assets, the next step is identifying the potential threats. These include internal and external threats, such as cyber-attacks, physical theft, and human error.
  3. Assess the Risks: After identifying the assets and potential threats, the next step is to assess the risks. For each threat, determine how likely it is to occur and what the impact and potential damage would be if it did.
  4. Identify Controls: Once you have assessed the risks, the next step is to identify controls to mitigate those risks. These can be technical controls, such as firewalls and encryption, or administrative controls, such as policies and procedures.
  5. Implement and Test Controls: After identifying the controls, the next step is to implement and test them. Implementation means ensuring the controls are properly set up; testing confirms that they effectively mitigate the identified risks.
  6. Document the Risk Assessment: Finally, the risk assessment should be documented in writing. This documentation should cover every step: the identified assets, threats, risks, controls, and testing results. And now you have your written risk assessment!

Stay tuned for more articles on best practices for safeguarding customer data and complying with FTC regulatory requirements.