How To Perform a Risk Assessment (FTC-Compliant Guide)


    An FTC-compliant risk assessment is a documented, risk-based process for identifying how customer information could be exposed, misused, or disrupted, and for deciding what safeguards are reasonable for your business. Under the FTC Safeguards Rule (16 CFR Part 314) this is not a one-time checklist or a single technical scan but an ongoing evaluation tied to how your organization actually operates. The objective is defensible decision-making based on real risks, not perfection or tool accumulation. Done correctly, the risk assessment becomes the foundation for your written information security program, vendor oversight, and audit readiness under the Rule.

    TL;DR

    • The FTC requires a documented, risk-based risk assessment, not just tools or scans
    • Scope includes data, systems, people, and service providers
    • Risks must be evaluated and prioritized, with reasoning documented
    • Risk assessments are ongoing and event-driven, not “one and done”
    • The business—not a vendor—remains responsible for compliance

    Who This Is For

    This guide is for owners, partners, and leaders at businesses subject to the FTC Safeguards Rule—such as CPA firms, financial services providers, and other organizations that handle customer financial information—who need a clear, plain-English explanation of how to perform a compliant risk assessment.

    This is not a technical how-to for penetration testing or a product-specific security checklist.

    What This Is

    Under the FTC Safeguards Rule (16 CFR Part 314), a risk assessment is a formal evaluation of foreseeable risks to the security, confidentiality, and integrity of customer information, along with a documented explanation of how your safeguards address those risks.

    In practical terms, the FTC expects businesses to answer three questions:

    1. What could reasonably go wrong?
    2. How likely is it, and how severe would the impact be?
    3. What safeguards are in place, and why are they reasonable given the risk?

    The Safeguards Rule sets a risk-based, scalable standard: the safeguards in your program must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information at issue (16 CFR §314.3(a)). If applicability is unclear, confirm expectations with legal or compliance counsel.

    Why This Matters

    The FTC has been explicit that it does not mandate specific technologies. Instead, it requires businesses to demonstrate that they have identified risks and made reasonable, documented decisions about how to address them (FTC Safeguards Rule, Statement of Basis and Purpose).

    From a business perspective, a properly performed risk assessment:

    • Anchors your Written Information Security Program (WISP)
    • Supports leadership oversight and accountability
    • Reduces friction during audits, lender reviews, and insurance renewals
    • Creates continuity when systems, staff, or vendors change

    Scenario (Anonymized):
    A small accounting firm relied on antivirus software and annual IT checkups but had no written risk assessment. During a lender review, they were asked how vendor access risks were evaluated. Without documented analysis, the review stalled—delaying financing that could have proceeded with basic FTC-aligned risk documentation.

    Detailed Plain-English Breakdown

    1. Define the Scope

    Meaning:
    Identify where customer information is collected, stored, processed, or transmitted, including systems, applications, users, and service providers.

    FTC reference:
    The Safeguards Rule requires the information security program to be based on a risk assessment of the reasonably foreseeable risks to customer information (16 CFR §314.4(b)) and separately requires oversight of the service providers that receive or access that information (16 CFR §314.4(f)), so both your own systems and your vendors belong in scope.

    Common failure:
    Only listing office computers while ignoring cloud services, email systems, or remote access tools.

    What good looks like:
    A written scope covering data types, storage locations, access paths, and third-party providers.


    2. Identify Foreseeable Threats

    Meaning:
    Document reasonably foreseeable internal and external threats that could compromise customer information.

    FTC reference:
    The Rule explicitly requires identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (16 CFR §314.4(b)).

    Common failure:
    Using generic threat lists that do not reflect how the business actually operates.

    What good looks like:
    Threats tied directly to business workflows, user behavior, and system usage.


    3. Identify Vulnerabilities

    Meaning:
    Determine weaknesses that could allow a threat to succeed, including technical, procedural, or training-related gaps.

    FTC reference:
    The risk assessment must assess the sufficiency of any safeguards in place to control the identified risks, including the adequacy of existing controls in the context of those risks (16 CFR §314.4(b) and §314.4(b)(1)(ii)).

    Common failure:
    Treating vulnerability identification as a single scan or report.

    What good looks like:
    A combination of technical findings and operational weaknesses.


    4. Assess Likelihood and Impact

    Meaning:
    Evaluate how likely each risk is to occur and how severe the impact would be if it did.

    FTC reference:
    The written assessment must include criteria for evaluating and categorizing the identified risks and threats (16 CFR §314.4(b)(1)(i)); in practice that means rating likelihood and potential damage and prioritizing on that basis.

    Common failure:
    Treating all risks as equal or skipping prioritization.

    What good looks like:
    Documented reasoning that distinguishes high-impact, high-likelihood risks from lower-priority issues.


    5. Evaluate Existing Safeguards

    Meaning:
    Document the administrative, technical, and physical safeguards currently in place.

    FTC reference:
    The Safeguards Rule requires safeguards designed and implemented to control the risks identified in the assessment (16 CFR §314.4(c)) and regular testing or monitoring of whether those safeguards are effective (16 CFR §314.4(d)).

    Common failure:
    Listing tools without explaining what risks they mitigate.

    What good looks like:
    Safeguards clearly mapped to specific risks in plain language.


    6. Determine Reasonableness of Safeguards

    Meaning:
    Decide whether safeguards are appropriate given the risk, cost, complexity, and size of the organization.

    FTC reference:
    The Rule applies a reasonableness standard: safeguards must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information, so what is reasonable varies with business context (16 CFR §314.3(a)).

    Common failure:
    Assuming that more technology automatically equals compliance.

    What good looks like:
    Written justification explaining why safeguards are sufficient or why enhancements are planned.


    7. Document Results and Decisions

    Meaning:
    Create and retain written documentation of the risk assessment and related decisions.

    FTC reference:
    The risk assessment itself must be written (16 CFR §314.4(b)(1)), and the Qualified Individual must report in writing to the board or equivalent governing body at least annually on the program, including the risk assessment and risk management decisions (16 CFR §314.4(i)).

    Common failure:
    Keeping assessments informal or undocumented.

    What good looks like:
    A repeatable, reviewable document approved by leadership.


    8. Plan for Ongoing Review

    Meaning:
    Update the risk assessment in response to changes in systems, threats, or business operations.

    FTC reference:
    The Rule requires periodic additional risk assessments that reexamine the reasonably foreseeable risks and the sufficiency of safeguards (16 CFR §314.4(b)(2)), and requires the program to be evaluated and adjusted in light of testing results and material changes to operations or business arrangements (16 CFR §314.4(g)).

    Common failure:
    Treating the assessment as a one-time exercise.

    What good looks like:
    Defined review intervals and update triggers.
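    The eight steps above are easiest to keep honest when the register behind them is structured rather than a narrative document. The following is an added example, not code from the original page or from Office Heroes: a minimal risk register that scores likelihood and impact against written criteria (step 4), flags risks with no mapped safeguard and tools mapped to no risk (step 5), flags high and medium risks lacking a written rationale (step 6), and flags entries due for review by age or by a change trigger (step 8). The 1 to 5 scales, category thresholds, annual review interval, assessment date, and every register entry are assumptions constructed for illustration, not the FTC's or any client's data.

```python
"""Risk register for the assessment steps above: scoring (step 4), mapping
safeguards to risks (step 5), rationale (step 6) and review triggers (step 8).
Added example, not code from the original page or from Office Heroes. The
scales, thresholds, review interval and all register entries are assumptions
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 4 criteria (assumed scale): likelihood 1-5 times impact 1-5, banded into
# categories. Writing the criteria down is what 16 CFR 314.4(b)(1)(i) asks for.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_THRESHOLD = 15    # score >= 15 is high
MEDIUM_THRESHOLD = 8   # 8 <= score < 15 is medium, below that is low
REVIEW_INTERVAL = timedelta(days=365)   # assumed: every risk is re-reviewed at least annually
ASSESSMENT_DATE = date(2024, 6, 1)      # constructed "today" for the sample run


@dataclass
class Safeguard:
    name: str
    kind: str   # "administrative", "technical" or "physical"


@dataclass
class Risk:
    id: str
    threat: str               # step 2: what could go wrong
    vulnerability: str        # step 3: why it could succeed
    likelihood: str           # key into LIKELIHOOD
    impact: str               # key into IMPACT
    scope: str                # area of operation, matched against change triggers
    safeguards: list[str] = field(default_factory=list)   # Safeguard names mapped to this risk
    rationale: str = ""       # step 6: why those safeguards are reasonable, or what is planned
    last_reviewed: date = date.min

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def category(self) -> str:
        s = self.score()
        return "high" if s >= HIGH_THRESHOLD else "medium" if s >= MEDIUM_THRESHOLD else "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 4: highest score first, ties broken by id so the report is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.id))


def unmapped_risks(risks: list[Risk]) -> list[str]:
    """Step 5 failure mode: a documented risk with no safeguard addressing it."""
    return [r.id for r in risks if not r.safeguards]


def orphan_safeguards(risks: list[Risk], safeguards: list[Safeguard]) -> list[str]:
    """Step 5 failure mode: a tool or control that mitigates no documented risk
    (the "listing tools without explaining what risks they mitigate" problem)."""
    used = {name for r in risks for name in r.safeguards}
    return sorted(s.name for s in safeguards if s.name not in used)


def missing_rationale(risks: list[Risk]) -> list[str]:
    """Step 6: every high or medium risk needs a written justification."""
    return [r.id for r in risks if r.category() != "low" and not r.rationale.strip()]


def review_due(risks: list[Risk], today: date, change_events: tuple[str, ...] = ()) -> list[str]:
    """Step 8: a risk is due for review when its last review is older than the
    interval, or when a change event (new vendor, new system, ...) touches its scope."""
    return sorted(r.id for r in risks
                  if today - r.last_reviewed > REVIEW_INTERVAL or r.scope in change_events)


# Constructed sample register for a small accounting firm (illustrative only).
SAFEGUARDS = [
    Safeguard("MFA on Microsoft 365", "technical"),
    Safeguard("Vendor access agreement and quarterly access review", "administrative"),
    Safeguard("Encrypted laptops", "technical"),
    Safeguard("Antivirus", "technical"),
]
RISKS = [
    Risk("R1", "Credential phishing of staff", "Mailboxes reachable with a password alone",
         "likely", "major", "email", ["MFA on Microsoft 365"],
         "MFA defeats replay of phished passwords; low cost for a 12-person firm.",
         date(2024, 2, 1)),
    Risk("R2", "Excess access by IT vendor", "Standing admin access, never reviewed",
         "possible", "severe", "vendor", ["Vendor access agreement and quarterly access review"],
         "", date(2023, 1, 15)),
    Risk("R3", "Lost or stolen laptop", "Client files cached on local disks",
         "possible", "major", "endpoint", [], "", date(2024, 2, 1)),
    Risk("R4", "Visitor reads printed returns", "Printer sits in the shared lobby",
         "unlikely", "minor", "office", [], "", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.id} {r.category():6} score={r.score():2} {r.threat}")
    print("risks with no safeguard:", unmapped_risks(RISKS))
    print("safeguards mapped to nothing:", orphan_safeguards(RISKS, SAFEGUARDS))
    print("missing written rationale:", missing_rationale(RISKS))
    print("due for review:", review_due(RISKS, ASSESSMENT_DATE, ("vendor",)))
```

    Run as-is, the sample register surfaces exactly the failures the steps warn about: R3 and R4 have no safeguard mapped, "Antivirus" and "Encrypted laptops" are tools that mitigate no documented risk, R2 and R3 carry no written rationale despite being high and medium, and R2 is overdue for review both by age and because a vendor change occurred. Each of those findings is a line item for the written record, with the criteria that produced it already captured in the constants at the top.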


    Common Mistakes & Misconceptions

    • “We bought security tools, so we’re compliant.” The FTC has made clear that tools alone do not satisfy Safeguards Rule obligations.
    • “Our IT provider handles compliance.” The FTC holds the covered institution responsible, even when services are outsourced.
    • “We’re too small to need documentation.” Size affects scope—not the obligation to document decisions.
    • “Annual scans equal a risk assessment.” Scans inform assessments; they do not replace them.

    High-Level Implementation Overview

    People

    • Leadership oversight and accountability
    • Clear ownership of the risk assessment process
    • Staff awareness of data handling risks

    Process

    • Written assessment methodology
    • Risk prioritization and documentation
    • Scheduled review cadence

    Technology

    • Safeguards aligned to identified risks
    • Monitoring and evidence collection
    • Visibility into systems and access

    Leader Self-Check

    • Do we know where customer data lives?
    • Can we clearly explain our top risks?
    • Are safeguards mapped to those risks?
    • Is our assessment written and reviewable?
    • Do we reassess after major changes?
    • Are vendors included in scope?
    • Has leadership reviewed the results?

    How Office Heroes Supports This

    Office Heroes helps businesses avoid failed audits, stalled deals, and last-minute compliance scrambles by making sure their risk assessment is clear, defensible, and aligned with how the business actually operates.

    In practical terms, Office Heroes helps clients:

    • Know what to say, and show, when asked about risk.
      We help turn scattered security activities into a written risk assessment that leadership can confidently explain to auditors, lenders, insurers, and regulators.
    • Avoid gaps that get flagged later.
      By looking at people, process, technology, and vendors together, we help surface risks that are commonly missed until an outside review forces the issue.
    • Make reasonable decisions and document them.
      We help businesses explain why certain safeguards are in place (or planned), which is exactly what the FTC expects under its reasonableness standard.
    • Reduce disruption during reviews and audits.
      A clear, documented assessment reduces back-and-forth, follow-up requests, and delays caused by unclear or incomplete answers.
    • Maintain continuity as the business changes.
      As systems, vendors, or operations evolve, we help keep risk documentation current so compliance does not depend on institutional memory.

    The result is not “guaranteed compliance,” but clarity, preparedness, and defensibility—so when questions arise, the business is ready with answers instead of scrambling for explanations. Office Heroes can support compliance efforts, but responsibility remains with the business.


    When to Get Help

    Consider additional support if:

    • You cannot clearly articulate your top risks
    • Your assessment exists only as informal notes
    • Vendors are not included in risk evaluations
    • Leadership has not reviewed or approved results
    • The business has changed significantly since the last assessment

    If you want help structuring or validating a defensible, FTC-aligned risk assessment, schedule a compliance-focused consultation to review scope, risks, and documentation expectations—before an audit or review forces the issue.

    Author Profile

    Peter Zendzian is the Founder & Chief Cybersecurity Strategist at Office Heroes, a cybersecurity-focused Managed IT Service Provider helping CPA firms, law firms, credit unions, defense contractors, and small regulated businesses stay secure, compliant, and audit-ready.

    Peter served more than 20 years in the U.S. Navy, retiring as a Chief Petty Officer after leading secure communications, cybersecurity operations, and technology teams across joint military environments. His background in classified systems, compliance, risk management, and operational security directly shapes Office Heroes’ modern, practical approach to protecting small businesses.

    He is the co-author of two bestselling cybersecurity books:

    • Your Business Must Have a Cybersecurity Risk Assessment
    • Cybersecurity Essentials for Small Businesses

    Peter is a trusted advisor to business owners and a subject matter expert in:

    • FTC Safeguards Rule compliance
    • GLBA compliance
    • NIST SP 800-171
    • CMMC Level 2 readiness
    • Microsoft 365 and Azure security
    • Endpoint protection, EDR, and vulnerability management
    • Data protection, disaster recovery, and cloud resilience
    • Secure remote access and Azure Virtual Desktop
    • Small business workflow automation

    Certifications & Recognition

    • Retired U.S. Navy Chief Petty Officer (E-7)
    • DoD Cyber & Communications Leadership Training
    • 20+ years managing classified systems and secure communications
    • Co-author of two bestselling cybersecurity books
    • Expert in FTC Safeguards, GLBA, NIST SP 800-171, and CMMC Level 2
    • Microsoft 365 and Azure security practitioner
    • Specialist in data protection, disaster recovery, and ransomware defense

    Peter’s mission is simple: to make world-class cybersecurity, compliance, and IT support accessible to small businesses that don’t have internal IT or security teams — giving them the protection, clarity, and confidence they deserve.
