
Risk assessment procedure: How to keep it simple

A risk assessment process is an important factor in creating a business continuity strategy. Explore how to conduct and evaluate a risk assessment plan in a straightforward manner.

Risk assessments identify those situations that present the greatest potential threat to an organization, their likelihood of occurring and the potential damage they could cause. Data from a risk assessment is used with business impact analysis data to help pinpoint key business processes and their associated risks. This helps an organization focus its efforts on the most critical business activities when developing business continuity plans.

A risk assessment procedure can be highly complex or relatively simple. It's a matter of how many risks can be identified, the nature of those risks, the likelihood of them occurring and the damage they could cause to an organization.

You should define the scope of the risk assessment procedure by identifying which aspects of your organization you wish to evaluate, such as physical buildings, staffing, surrounding area, technology, specialized systems and the supply chain. Next, identify the risks, threats and vulnerabilities of the elements you are assessing. Identify the end game of your assessment, such as an overview of operational or financial risks. This is also the point at which you can isolate resources for obtaining risk data, such as geological maps, weather maps, historical records of events in the region and actuarial tables.

Conducting a risk assessment procedure

Set up an assessment table that identifies a specific risk, threat or vulnerability; the likelihood of the event occurring; potential damage or destruction if the event occurs; and, optionally, the financial implications to the organization. The following sample risk assessment table offers a variety of topics and examples.

[Figure: sample risk assessment table with calculated risk factor]

The lowest value in each of the above columns is 0.0 -- not likely to occur or no damage or impact -- while the highest is 1.0 -- extremely likely to occur or severe or total loss. The three values -- likelihood of occurring, potential for business damage and potential financial impact -- are then multiplied together, resulting in the calculated risk factor.

You can then use the following rating scale to evaluate the calculated risk factor; this can be used to identify the most significant risks and threats.

[Figure: risk assessment rating scale]

Evaluating the results

Once the risk table has been completed, examine the results in the far right column -- the calculated risk factor. The higher the value, the greater and more serious the risk/threat is to the organization. Results are then mapped with business impact analysis results to identify the following:

  • Business processes that are most critical to the organization.
  • Risks that are most likely to negatively impact the completion of those processes.
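The following is an added example, not part of the original article, that implements the simple procedure described above: each row holds the three 0.0 to 1.0 values, the calculated risk factor is their product, rows are ranked by that factor, and the ranked risks are then mapped onto the critical business processes identified by the business impact analysis. The risk names, values and process names are constructed for illustration only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk assessment table."""
    risk: str
    likelihood: float        # 0.0 = not likely to occur, 1.0 = extremely likely
    damage: float            # 0.0 = no damage, 1.0 = severe or total loss
    financial_impact: float  # 0.0 = no impact, 1.0 = total loss
    affected_processes: tuple  # business processes (from the BIA) this risk threatens

    def __post_init__(self):
        # Enforce the 0.0 to 1.0 range the procedure assumes for every column.
        for column in ("likelihood", "damage", "financial_impact"):
            value = getattr(self, column)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{column} for {self.risk!r} must be in [0.0, 1.0], got {value}")

    def risk_factor(self) -> float:
        # Calculated risk factor = likelihood x damage x financial impact.
        return round(self.likelihood * self.damage * self.financial_impact, 4)

def rank_risks(entries):
    """Return the table ordered by calculated risk factor, highest first."""
    return sorted(entries, key=lambda e: e.risk_factor(), reverse=True)

def risks_by_process(entries, critical_processes):
    """Map each BIA-critical process to the ranked risks that threaten it."""
    ranked = rank_risks(entries)
    return {proc: [e.risk for e in ranked if proc in e.affected_processes]
            for proc in critical_processes}

# Constructed sample table (hypothetical values, not from the article).
SAMPLE_TABLE = [
    RiskEntry("Regional flooding", 0.2, 0.9, 0.8, ("Order fulfilment", "Payroll")),
    RiskEntry("Power outage at main site", 0.7, 0.4, 0.3, ("Order fulfilment",)),
    RiskEntry("Ransomware on file servers", 0.5, 0.8, 0.6, ("Order fulfilment", "Payroll")),
    RiskEntry("Key supplier failure", 0.3, 0.5, 0.5, ("Order fulfilment",)),
]
CRITICAL_PROCESSES = ("Order fulfilment", "Payroll")  # constructed BIA output

if __name__ == "__main__":
    for entry in rank_risks(SAMPLE_TABLE):
        print(f"{entry.risk_factor():.4f}  {entry.risk}")
    for proc, risks in risks_by_process(SAMPLE_TABLE, CRITICAL_PROCESSES).items():
        print(f"{proc}: {', '.join(risks)}")
```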

This is a very simplistic risk assessment procedure. More detailed risk assessments can take weeks, months or longer, especially when trying to gather historical or empirical data for the analysis. It may also be necessary to interview subject matter experts, visit libraries and seek out other information sources to collect detailed risk data.


This was last published in April 2016


Join the conversation


How confident are you in your organization's risk assessment management?

"Completing risk assessment"? This is an ongoing process. New risks arise, and likelihoods of existing risks change. New features get introduced.

Paul, the model is simple; however, it will lead to serious errors. Threats come in many gradations, and that means that some threats may occur 'more than once' in a year, e.g., loss of application, loss of data networking, loss of internet access. These threats happen during the regular course of business operations, and the frequency of their loss could put the organization at greater risk than many threats with larger loss potentials. By capping the likelihood at 1.0, the model has introduced a serious bias that will lead to serious blunders in judgment with respect to risk by systematically ignoring operational risks that have a high frequency.

Thank you for the comments. How would you change the number value in the table?
