Should we not assess the risk level before applying controls and then again after applying the selected controls?
ANSWER
Yes, we should. The two assessments you describe are the initial risk assessment and the subsequent residual risk assessment. Risk assessment is the process of evaluating how likely a given threat is to occur and what effect it would have on the organisation. As part of this process, potential threats are identified, the likelihood and impact of each are estimated, and the overall risk associated with each threat is determined.
Residual risk assessment, on the other hand, is the process of determining the risk that remains after measures intended to reduce or control it have been applied. Once the selected controls have been implemented to lower the likelihood of a threat or to limit its impact, the risk that still exists is assessed again. This second assessment is what shows whether the controls are effective, and it identifies where additional measures are needed to bring the remaining risk down further.
In summary, risk assessment evaluates the overall threat before preventive measures are taken, while residual risk assessment determines the remaining risk after those measures have been applied. Both processes are essential for effective risk management within an organisation.