An FTC-compliant risk assessment is a documented, risk-based process for identifying how customer information could be exposed, misused, or disrupted, and for deciding what safeguards are reasonable for your business. Under the Federal Trade Commission (FTC) Safeguards Rule, this is not a one-time checklist or a single technical scan; it is an ongoing evaluation tied to how your organization actually operates. The objective is defensible decision-making based on real risks, not perfection or tool accumulation. Done correctly, the risk assessment becomes the foundation for your written information security program, vendor oversight, and audit readiness under the Safeguards Rule.
TL;DR
- The FTC requires a documented, risk-based risk assessment, not just tools or scans
- Scope includes data, systems, people, and service providers
- Risks must be evaluated and prioritized, with reasoning documented
- Risk assessments are ongoing and event-driven, not “one and done”
- The business—not a vendor—remains responsible for compliance
Who This Is For
This guide is for owners, partners, and leaders at businesses subject to the FTC Safeguards Rule—such as CPA firms, financial services providers, and other organizations that handle customer financial information—who need a clear, plain-English explanation of how to perform a compliant risk assessment.
This is not a technical how-to for penetration testing or a product-specific security checklist.
What This Is
Under the FTC Safeguards Rule (16 CFR Part 314), a risk assessment is a formal evaluation of foreseeable risks to the security, confidentiality, and integrity of customer information, along with a documented explanation of how your safeguards address those risks.
In practical terms, the FTC expects businesses to answer three questions:
- What could reasonably go wrong?
- How likely is it, and how severe would the impact be?
- What safeguards are in place, and why are they reasonable given the risk?
The Safeguards Rule applies a risk-based, scalable standard: safeguards must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information involved (16 CFR §314.3(a)). If applicability is unclear, confirm expectations with legal or compliance counsel.
Why This Matters
The FTC has been explicit that it does not mandate specific technologies. Instead, it requires businesses to demonstrate that they have identified risks and made reasonable, documented decisions about how to address them (FTC Safeguards Rule, Statement of Basis and Purpose).
From a business perspective, a properly performed risk assessment:
- Anchors your Written Information Security Program (WISP)
- Supports leadership oversight and accountability
- Reduces friction during audits, lender reviews, and insurance renewals
- Creates continuity when systems, staff, or vendors change
Scenario (Anonymized):
A small accounting firm relied on antivirus software and annual IT checkups but had no written risk assessment. During a lender review, they were asked how vendor access risks were evaluated. Without documented analysis, the review stalled—delaying financing that could have proceeded with basic FTC-aligned risk documentation.
Detailed Plain-English Breakdown
1. Define the Scope
Meaning:
Identify where customer information is collected, stored, processed, or transmitted, including systems, applications, users, and service providers.
FTC reference:
The Safeguards Rule requires covered institutions to evaluate risks to customer information in each relevant area of operation, including information systems and service providers (16 CFR §314.4(b)).
Common failure:
Only listing office computers while ignoring cloud services, email systems, or remote access tools.
What good looks like:
A written scope covering data types, storage locations, access paths, and third-party providers.
2. Identify Foreseeable Threats
Meaning:
Document reasonably foreseeable internal and external threats that could compromise customer information.
FTC reference:
The Safeguards Rule explicitly requires the risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (16 CFR §314.4(b)).
Common failure:
Using generic threat lists that do not reflect how the business actually operates.
What good looks like:
Threats tied directly to business workflows, user behavior, and system usage.
3. Identify Vulnerabilities
Meaning:
Determine weaknesses that could allow a threat to succeed, including technical, procedural, or training-related gaps.
FTC reference:
The Safeguards Rule requires the risk assessment to evaluate the sufficiency of the safeguards in place to control the identified risks, which means identifying the gaps those safeguards leave (16 CFR §314.4(b)).
Common failure:
Treating vulnerability identification as a single scan or report.
What good looks like:
A combination of technical findings and operational weaknesses.
4. Assess Likelihood and Impact
Meaning:
Evaluate how likely each risk is to occur and how severe the impact would be if it did.
FTC reference:
The Safeguards Rule requires the written risk assessment to include criteria for evaluating and categorizing the identified risks (16 CFR §314.4(b)); ranking by likelihood and potential damage is the usual way to meet that requirement.
Common failure:
Treating all risks as equal or skipping prioritization.
What good looks like:
Documented reasoning that distinguishes high-impact, high-likelihood risks from lower-priority issues.
5. Evaluate Existing Safeguards
Meaning:
Document the administrative, technical, and physical safeguards currently in place.
FTC reference:
The Safeguards Rule requires implementation and evaluation of safeguards to control identified risks (16 CFR §314.4(c)).
Common failure:
Listing tools without explaining what risks they mitigate.
What good looks like:
Safeguards clearly mapped to specific risks in plain language.
6. Determine Reasonableness of Safeguards
Meaning:
Decide whether safeguards are appropriate given the risk, cost, complexity, and size of the organization.
FTC reference:
The Safeguards Rule applies a reasonableness standard: safeguards must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information, so they may legitimately vary by business context (16 CFR §314.3(a)).
Common failure:
Assuming that more technology automatically equals compliance.
What good looks like:
Written justification explaining why safeguards are sufficient or why enhancements are planned.
7. Document Results and Decisions
Meaning:
Create and retain written documentation of the risk assessment and related decisions.
FTC reference:
The Safeguards Rule requires the risk assessment to be written (16 CFR §314.4(b)), and written records are what demonstrate compliance during an audit, a lender or insurer review, or an FTC inquiry.
Common failure:
Keeping assessments informal or undocumented.
What good looks like:
A repeatable, reviewable document approved by leadership.
8. Plan for Ongoing Review
Meaning:
Update the risk assessment in response to changes in systems, threats, or business operations.
FTC reference:
The FTC requires risk assessments to be ongoing, not static (16 CFR §314.4(b)).
Common failure:
Treating the assessment as a one-time exercise.
What good looks like:
Defined review intervals and update triggers.
Common Mistakes & Misconceptions
- “We bought security tools, so we’re compliant.” The FTC has made clear that tools alone do not satisfy Safeguards Rule obligations.
- “Our IT provider handles compliance.” The FTC holds the covered institution responsible, even when services are outsourced.
- “We’re too small to need documentation.” Size affects scope, not the need to make and record decisions. Note that 16 CFR §314.6 exempts institutions that maintain customer information on fewer than 5,000 consumers from several written-documentation requirements, including the written risk assessment in §314.4(b)(1); the risk assessment itself is still required, and a written one remains the practical way to show it was done.
- “Annual scans equal a risk assessment.” Scans inform assessments; they do not replace them.
High-Level Implementation Overview
People
- Leadership oversight and accountability
- Clear ownership of the risk assessment process
- Staff awareness of data handling risks
Process
- Written assessment methodology
- Risk prioritization and documentation
- Scheduled review cadence
Technology
- Safeguards aligned to identified risks
- Monitoring and evidence collection
- Visibility into systems and access
Leader Self-Check
- Do we know where customer data lives?
- Can we clearly explain our top risks?
- Are safeguards mapped to those risks?
- Is our assessment written and reviewable?
- Do we reassess after major changes?
- Are vendors included in scope?
- Has leadership reviewed the results?
How Office Heroes Supports This
Office Heroes helps businesses avoid failed audits, stalled deals, and last-minute compliance scrambles by making sure their risk assessment is clear, defensible, and aligned with how the business actually operates.
In practical terms, Office Heroes helps clients:
- Know what to say, and show, when asked about risk. We help turn scattered security activities into a written risk assessment that leadership can confidently explain to auditors, lenders, insurers, and regulators.
- Avoid gaps that get flagged later. By looking at people, process, technology, and vendors together, we help surface risks that are commonly missed until an outside review forces the issue.
- Make reasonable decisions and document them. We help businesses explain why certain safeguards are in place (or planned), which is exactly what the FTC expects under its reasonableness standard.
- Reduce disruption during reviews and audits. A clear, documented assessment reduces back-and-forth, follow-up requests, and delays caused by unclear or incomplete answers.
- Maintain continuity as the business changes. As systems, vendors, or operations evolve, we help keep risk documentation current so compliance does not depend on institutional memory.
The result is not “guaranteed compliance,” but clarity, preparedness, and defensibility—so when questions arise, the business is ready with answers instead of scrambling for explanations. Office Heroes can support compliance efforts, but responsibility remains with the business.
Related Resources & Internal Links
- Parent Hub: FTC Safeguards Rule Compliance Guide
- Deep Dive: Risk Assessment Deep Guide
When to Get Help
Consider additional support if:
- You cannot clearly articulate your top risks
- Your assessment exists only as informal notes
- Vendors are not included in risk evaluations
- Leadership has not reviewed or approved results
- The business has changed significantly since the last assessment
If you want help structuring or validating a defensible, FTC-aligned risk assessment, schedule a compliance-focused consultation to review scope, risks, and documentation expectations—before an audit or review forces the issue.
Peter Zendzian is the Founder & Chief Cybersecurity Strategist at Office Heroes, a cybersecurity-focused Managed IT Service Provider helping CPA firms, law firms, credit unions, defense contractors, and small regulated businesses stay secure, compliant, and audit-ready.
Peter served more than 20 years in the U.S. Navy, retiring as a Chief Petty Officer after leading secure communications, cybersecurity operations, and technology teams across joint military environments. His background in classified systems, compliance, risk management, and operational security directly shapes Office Heroes’ modern, practical approach to protecting small businesses.
He is the co-author of two bestselling cybersecurity books:
- Your Business Must Have a Cybersecurity Risk Assessment
- Cybersecurity Essentials for Small Businesses
Peter is a trusted advisor to business owners and a subject matter expert in:
- FTC Safeguards Rule compliance
- GLBA compliance
- NIST SP 800-171
- CMMC Level 2 readiness
- Microsoft 365 and Azure security
- Endpoint protection, EDR, and vulnerability management
- Data protection, disaster recovery, and cloud resilience
- Secure remote access and Azure Virtual Desktop
- Small business workflow automation
Certifications & Recognition
- Retired U.S. Navy Chief Petty Officer (E-7)
- DoD Cyber & Communications Leadership Training
- 20+ years managing classified systems and secure communications
- Co-author of two bestselling cybersecurity books
- Expert in FTC Safeguards, GLBA, NIST SP 800-171, and CMMC Level 2
- Microsoft 365 and Azure security practitioner
- Specialist in data protection, disaster recovery, and ransomware defense
Peter’s mission is simple: to make world-class cybersecurity, compliance, and IT support accessible to small businesses that don’t have internal IT or security teams — giving them the protection, clarity, and confidence they deserve.