
A free IT risk assessment template

A risk assessment is a critical part of the disaster recovery planning process. Read our guide on how to prepare a risk assessment, and then download our free risk assessment template.

In disaster recovery (DR) planning, once you've completed a business impact analysis (BIA), the next step is to perform a risk assessment. The BIA helps identify the most critical business processes and describes the potential impact of a disruption to those processes, and a risk assessment identifies internal and external situations that could negatively impact the critical processes. It also attempts to quantify the potential severity of such events and the likelihood of them occurring.

In this guide on risk assessments in disaster recovery planning, learn how to get started; how to prepare a risk analysis; and how to identify natural and man-made hazards. Read our guide, and then download our free risk assessment template, which is available as a Word doc or PDF.

Free downloads

Risk assessment template (Word doc)

Risk assessment template (PDF)

Getting started with a risk assessment

The risk assessment should be able to help you identify events that could adversely impact your organization. This includes potential damage the events could cause, the amount of time needed to recover or restore operations, and preventive measures or controls that can mitigate the likelihood of the event occurring. The risk assessment will also help you determine what steps, if properly implemented, could reduce the severity of the event.

To get started with a risk assessment, begin by identifying the most critical business processes from the business impact analysis. Then you should gather information on potential threats to your organization.

Numerous sources are available for gathering threat information, such as:

These sources can help you determine the likelihood of specific events occurring, as well as the severity of actual events. For example, it may be possible to rule out certain kinds of events, such as earthquakes, if U.S. Geological Survey maps indicate the region is not in or near an earthquake zone. Use our risk analysis template to list and organize potential threats to your organization.

An excellent document to assist you in preparing a risk assessment comes from the National Institute of Standards and Technology (NIST). The document is Special Publication 800-30, Risk Management Guide for Information Technology Systems.

Preparing the risk analysis

The risk analysis involves risk identification, assessing the likelihood of the event occurring, and defining the severity of the event's consequences. It may also be useful to conduct a vulnerability assessment while performing the risk analysis; this helps identify situations in which the organization may be putting itself at increased risk by not performing certain activities, such as the increased risk of virus attacks from not using the most current antivirus software. Finally, the risk analysis results are summarized in a report to management, with recommended mitigation activities.

Once risks and vulnerabilities have been identified, four types of defensive responses can be considered:

  • Protective measures: These are activities designed to reduce the chances of a disruptive event occurring; an example is security cameras to identify unauthorized visitors and alert authorities before they can cause any damage.
  • Mitigation measures: These activities are designed to minimize the severity of the event once it has occurred. Examples are surge suppressors to reduce the impact of a lightning strike, and uninterruptible power systems to limit the chances of a hard stop to critical systems due to a blackout or brownout.
  • Recovery activities: These activities serve to bring back disrupted systems and infrastructure to a level that can support business operations; an example is critical data that is stored offsite and that can be used to restart business operations to an appropriate point in time.
  • Contingency plans: These process-level documents describe what an organization can do in the aftermath of a disruptive event; they are usually triggered based on input from the emergency management team.

The sequence in which these measures are implemented depends to a large extent upon the results of the risk assessment. Once a specific threat and its associated vulnerability have been identified, it becomes easier to plan the most effective defensive strategy. Remember that contingency plans must cope with the effects, regardless of the causes.

Natural and man-made hazards

Disasters are unique combinations of events and circumstances. The two primary categories are natural and man-made. Within the man-made category, we can further define deliberate and accidental causes.

Natural hazards are typically considered "Acts of God" in which there is no one to blame. By contrast, man-made events are those in which an individual or multiple persons may be held accountable for contributing to the event(s) that caused the disaster. This could be through intent, neglect or accident.

Risk assessment for natural and man-made hazards
This chart identifies natural and man-made disasters that could adversely impact an organization.

Grouping impacts

Once the risks have been identified, you'll want to identify the potential effects, symptoms and consequences resulting from the event.

Basic effects: There are five basic effects that can have disastrous consequences: denial of access, data loss, loss of personnel, loss of function and lack of information.

Symptoms: The perceived symptoms might be a loss (or lack of):

  • Access or availability
  • Data
  • Confidentiality
  • Data integrity
  • Environment
  • Personnel (temporary loss)
  • System function
  • Control
  • Communication

Consequences: Secondary effects or consequences might include:

  • Interrupted cash flow
  • Loss of image
  • Brand damage
  • Loss of market share
  • Lower employee morale
  • Increased staff turnover
  • Costs of repair
  • Costs of recovery
  • Penalty fees
  • Legal fees

The risk assessment process

Risk assessments generally take one of two forms: quantitative, which identifies the risks and scores them on a numeric scale (e.g., 0.0 to 1.0 or 1 to 10); and qualitative, which forms a general impression of the risks in order to rank them, using subjective terms like "low to medium," "high or poor," and "good to excellent" instead of numeric values.

Quantitative methods, which assign a numeric value to the risk, usually require access to reliable statistics to project the future likelihood of risk. As mentioned earlier, qualitative methods often include subjective measures, like low, medium and high. However, sometimes the qualitative approach is more acceptable to management. In our risk analysis template, you will find columns that allow you to assign qualitative terms to each of the risks to your organization.

A basic formula, Risk = Likelihood x Impact, is typically used to compute a risk value. For example, we can use a scale of 0.0 to 1.0, in which 0.0 means the threat is not likely to occur, and 1.0 means the threat will absolutely occur. The impact 0.0 means there is no damage or disruption to the organization, whereas 1.0 could mean the company is completely destroyed and unable to further conduct business. Numbers in between can represent the result of a statistical analysis of threat data and company experience. The downloadable risk assessment uses this approach.

Using the quantitative range 0.0 to 1.0, you may decide to assign qualitative terms to results (e.g., 0.0 to 0.4 = low risk, 0.5 to 0.7 = moderate risk, and 0.8 to 1.0 = high risk).
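As an added example (not part of the article or its downloadable template), the scorer below applies Risk = Likelihood x Impact and the three qualitative bands above to a constructed risk register, mapping each risk back to the BIA process it threatens. Because the bands are stated to one decimal, a raw value such as 0.48 falls between "low" and "moderate"; the scorer rounds to one decimal before banding, which is an assumption made here, not something the article specifies.

```python
from dataclasses import dataclass

# Qualitative bands exactly as the article states them. They leave gaps
# (0.41..0.49, 0.71..0.79), so band() rounds to one decimal first; that
# rounding rule is an assumption made in this example.
BANDS = [(0.0, 0.4, "low"), (0.5, 0.7, "moderate"), (0.8, 1.0, "high")]

@dataclass(frozen=True)
class Risk:
    threat: str
    process: str        # critical business process from the BIA it maps to
    likelihood: float   # 0.0 = will not occur, 1.0 = certain to occur
    impact: float       # 0.0 = no disruption, 1.0 = business destroyed

def risk_value(likelihood: float, impact: float) -> float:
    """Risk = Likelihood x Impact, both on the article's 0.0-1.0 scale."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be within 0.0..1.0, got {v}")
    return likelihood * impact

def band(value: float) -> str:
    """Map a 0.0-1.0 risk value to the article's qualitative category."""
    score = round(value, 1)
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"no band for {value}")

def score_register(risks):
    """Return (threat, process, value, band) rows, highest risk first."""
    rows = []
    for r in risks:
        v = risk_value(r.likelihood, r.impact)
        rows.append((r.threat, r.process, round(v, 2), band(v)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register; the figures are illustrative, not statistics.
SAMPLE = [
    Risk("Earthquake", "Order processing", 0.1, 0.9),
    Risk("Ransomware on file servers", "Order processing", 0.6, 0.8),
    Risk("Extended power outage", "Call centre", 0.7, 0.7),
    Risk("Loss of unencrypted backup tapes", "Payroll", 0.3, 0.6),
    Risk("Coastal flooding of data center", "Online banking", 0.9, 0.9),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE):
        print(row)
```

The register rows with raw values of 0.48 and 0.49 both band as "moderate" only because of the rounding step; a register that records values to two decimals needs the band boundaries spelled out explicitly.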

Once all relevant risks have been analyzed and assigned a qualitative category, you can then examine strategies to deal with only the highest risks, or you can address all risk categories. This will depend on management's risk appetite, which is their willingness to deal appropriately with risks. The strategies you define for risks can next be used to help design business continuity and disaster recovery strategies.

Risk assessments are key activities in a business continuity or disaster recovery program. The process can be relatively simple, e.g., if you elect to use a qualitative approach. It can be more rigorous when using a quantitative approach, as you may want to be able to substantiate your numerical factors with statistical evidence. Results should be updated periodically to determine if any changes to the risks (e.g., likelihood and impact) have occurred. Regardless of the methodology, the results should map to the critical business processes identified in the business impact analysis, and can help define strategies for responding to the identified risks.

About the author: Paul Kirvan, CISA, CISSP, FBCI, CBCP, has more than 20 years of experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

This was last published in April 2010

What types of disasters are you most concerned about -- natural or man-made?
I'd be more worried about man-made disasters, as there's a likelihood of them happening every day - natural disasters seem fewer and farther between, although that may be colored by the fact that I live in an area with fewer major disasters (famous last words). 
As Ben mentioned, I think it really depends on your location. For example, if I were located in the Midwest / West, I would be worried more about natural disasters. But since I'm in the East, I'm more worried about man-made disasters.
Well, a company here in the Midwest was broken into over a holiday weekend and a shotgun was used to blast everything in the computer room away!
BTW: their operations did not run on the weekend, so no employees were present 
Whoa - any idea what the reason was for the break-in? An angry competitor or just someone having some fun?
disgruntled FORMER employee
Man made by far. The man-made might be able to be prevented if enough precautions are taken.

As for nature, you may still not be able to prepare for things like floods, wildfires or earthquakes. Even if you have off-site scenarios, these sites may also be affected by Mother Nature.
As for the shotgun blast... That's harsh... It could have been worse. If he was that disgruntled he may have been able to walk off with sensitive data. That is my biggest fear.
Also, if stupidity counts as a disaster, man-made wins hands down.

A local bank in my area a while back lost their nightly back-up tapes.
They were not encrypted. They say not to worry, but how can you not if that is their business practice?
Well, their security would have kept him from accessing the data electronically, and the physical security kept him from being able to take any hardware; it just wasn't up to protecting the equipment from being shot.
BTW: it doesn't matter how good the lock is if someone can blow a hole in the door and reach in to open it. Expensive lock - cheap door! DOH!
What's next, Kevlar enclosures for machines? So many things can go wrong hardware-wise that nobody really thinks of. Knock it on its side, pour water in it, spray it with a fire extinguisher, or just open it and rip the wires out... Evil people will do evil things.
And if you did enclose it in Kevlar, it would probably cook itself.
On the other hand, with global warming and rising sea levels, we may see many more natural disasters on the coastlines, such as with New York City a couple of years back. And with managers showing they still want to keep building data centers in such places because it's more convenient, chances are we're going to see a lot more issues.