Performing a risk assessment: how to identify and prioritize risk

Risk. You can’t avoid it. Shouldn’t even try.

You can prepare for it, however. Assessing risk should be the first step you take any time you’re planning for business continuity. But many companies either don’t do it thoroughly enough or don’t do it at all.

This is shortsighted. Just because R-I-S-K has four letters doesn’t mean it has to be a four-letter word.

The good news is that with some careful thought—imagining the worst but preparing for the most likely—you’ll get a better handle on risk.

Identifying threats: what’s the worst that could happen?

Threats to your business can be classified in three categories: natural threats, human threats and technical threats.

Below are some of the most common in each category (organized alphabetically). To get started on planning for your company, borrow from these lists or use them to spark ideas of your own.

Natural Threats

  • Earthquake or volcano damage
  • Electromagnetic interference
  • Flooding (river, dam, flood plain, etc.)
  • Forest fire
  • Heat wave
  • Hurricane/tropical storm
  • Severe winter weather (extreme cold/snowfall, ice storm, etc.)
  • Tornado or other severe wind damage

Human Threats

  • Aircraft incident (on-site helipad, nearby airport or flight path, etc.)
  • Burglary
  • Data-entry error
  • Disease pandemic
  • Embezzlement
  • Executive management lost in common accident
  • Explosion (gas, steam, etc.)
  • Extortion
  • Fire in building or immediate neighborhood
  • Flooding in building
  • Hazardous material/waste – in transit
  • Improper handling of sensitive or confidential data
  • Labor dispute/strike
  • Malicious damage/destruction of software or data
  • Nuclear accident (direct impact) or fallout
  • Robbery
  • Terrorism or sabotage, either to your location or one that’s close (military base, foreign embassy, major attraction, etc.)
  • Transit disruption (strike)
  • Unauthorized access to or theft of data
  • Unauthorized modification of software or hardware
  • Unauthorized physical access
  • Vandalism, rioting or civil unrest
  • Work stoppage by employees
  • Workplace violence

Technical Threats

  • Data network, cloud or content delivery network outage
  • Heating, ventilation or air conditioning (HVAC) failure
  • ISP outage / Wi-Fi outage
  • Malfunction or failure of computer servers or hardware
  • Power fluctuations or outages
  • Software failure
  • Telephone service loss

Prioritizing threats: what’s likely to happen—or likely to be catastrophic?

Once you’ve exhausted your ideas and identified as many threats to your business as you can, it’s time to rank them.

Consider scoring each threat against each of the criteria below with a 0, 1, 2 or 3, where 0 is the least worrying level and 3 the most.

  • Speed of onset (e.g. slow, steady, fast, sudden)
  • Amount of forewarning (e.g. total, some, almost none, none)
  • Duration (e.g. short, medium, long, no end in sight)
  • Probability of occurrence (e.g. no chance, some chance, probable, highly likely)
  • Impact on functional areas (e.g. no impact, some impact, severe impact, critical impact)

Then add the five scores to give you a total rating for each threat you identified. (Under the system described in this blog post, the minimum score is 0 and the maximum is 15.) Obviously, the higher the rating, the more you should be thinking about mitigating that risk. Bear in mind that the total weights all five criteria equally, so a remote but catastrophic threat and a routine but minor one can end up with the same rating; the matrix in the next step keeps those two cases apart.

When you’re finished scoring, create a risk matrix and place each identified threat on it. On the vertical axis of your matrix, plot the likelihood of each threat coming to pass (your probability-of-occurrence score) as low, medium or high. On the horizontal axis, plot the severity of the consequences to your organization (your impact score), again as low, medium or high, should the threat come to fruition. When your matrix is done, the upper right section, high likelihood and high severity, will indicate your areas of biggest concern.
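As an added example (not code from the original post or the white paper it references), here is a small Python script that applies the 0-3 scoring above, totals it, and places each threat on the three-by-three matrix. The threat names and their scores are constructed for illustration, and the mapping from a 0-3 criterion score to the matrix's low/medium/high levels (0 or 1 is low, 2 is medium, 3 is high) is an assumption the post does not specify.

```python
"""Threat scoring and risk-matrix placement for a business continuity
risk assessment.  Added example, not code from the original post; the
threats, their scores and the score-to-level bucketing are constructed."""
from dataclasses import dataclass

# The five criteria from the post, each scored 0 (least worrying) to 3 (most).
CRITERIA = ("onset", "forewarning", "duration", "probability", "impact")
LEVELS = ("low", "medium", "high")
MAX_TOTAL = 3 * len(CRITERIA)  # 15


@dataclass(frozen=True)
class Threat:
    name: str
    onset: int         # 0 slow, 1 steady, 2 fast, 3 sudden
    forewarning: int   # 0 total, 1 some, 2 almost none, 3 none
    duration: int      # 0 short, 1 medium, 2 long, 3 no end in sight
    probability: int   # 0 no chance, 1 some chance, 2 probable, 3 highly likely
    impact: int        # 0 none, 1 some, 2 severe, 3 critical

    def __post_init__(self):
        # Reject scores outside the 0..3 scale before they pollute the totals.
        for c in CRITERIA:
            v = getattr(self, c)
            if not isinstance(v, int) or not 0 <= v <= 3:
                raise ValueError(f"{self.name}: {c}={v!r} must be 0, 1, 2 or 3")

    def total(self) -> int:
        """Summed rating, 0..MAX_TOTAL."""
        return sum(getattr(self, c) for c in CRITERIA)


def bucket(score: int) -> str:
    """Collapse a 0-3 criterion score to the matrix's three levels.
    Assumed mapping (the post does not give one): 0-1 low, 2 medium, 3 high."""
    return "low" if score <= 1 else LEVELS[score - 1]


def rank(threats):
    """Threats ordered by total rating, highest first; ties broken by name."""
    return sorted(threats, key=lambda t: (-t.total(), t.name))


def matrix(threats):
    """Place each threat in a (likelihood, severity) cell, where likelihood is
    the bucketed probability score and severity the bucketed impact score."""
    grid = {(lik, sev): [] for lik in LEVELS for sev in LEVELS}
    for t in threats:
        grid[(bucket(t.probability), bucket(t.impact))].append(t.name)
    return grid


def biggest_concerns(threats):
    """The upper-right cell: high likelihood and high severity."""
    return matrix(threats)[("high", "high")]


def render(threats) -> str:
    """Text grid with likelihood down the side and severity across the top;
    high likelihood is the top row, so the upper-right cell is the hot spot."""
    grid = matrix(threats)
    lines = ["likelihood \\ severity | " + " | ".join(f"{s:<8}" for s in LEVELS)]
    for lik in reversed(LEVELS):
        cells = [", ".join(grid[(lik, sev)]) or "-" for sev in LEVELS]
        lines.append(f"{lik:<21} | " + " | ".join(f"{c:<8}" for c in cells))
    return "\n".join(lines)


# Constructed sample scores for a handful of threats from the lists above.
SAMPLE = [
    Threat("ISP outage",                    3, 3, 1, 3, 3),
    Threat("Power outage",                  3, 3, 1, 3, 2),
    Threat("Malicious destruction of data", 3, 3, 2, 2, 2),
    Threat("Nuclear accident",              3, 2, 3, 0, 3),
    Threat("Flooding (river)",              1, 1, 2, 1, 3),
    Threat("Data-entry error",              2, 2, 0, 3, 1),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.total():2d}/{MAX_TOTAL}  {t.name}")
    print()
    print(render(SAMPLE))
    print("\nBiggest concerns:", biggest_concerns(SAMPLE))
```

Running it shows why the post keeps both views: in the constructed sample, "Nuclear accident" totals 11 and outranks "Data-entry error" at 8, yet the matrix puts the former in the low-likelihood row and the latter in the high-likelihood, low-severity cell, while only "ISP outage" lands in the upper-right cell that the post singles out.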

Using what you’ve learned

Now that you’ve identified threats and prioritized them, you can move on to the next stage of the business continuity planning process—figuring out what to do about the risks that concern you.

For more on conducting a risk assessment, including visual examples of the prioritization tools mentioned here, download Contingencies: Are you covered?, a free white paper in our Business Continuity from A to Z series.

Interested in finding the best emergency notification system? Download the Automated Notification System RFP Template.