Manage

Craft a winning risk analysis procedure in five easy steps

When managing your organization's risk assessment procedure, the right planning and data handling can make all the difference in crafting a business continuity strategy.

Paul Kirvan

Published: 29 Apr 2016

A proper risk analysis procedure can strengthen any organization's overall business continuity plan. Use the following...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

five tips to ensure the best results in your environment.

Plan your risk assessment carefully

Identify the scope of the risk assessment
Establish links to previously completed business impact analysis results
Determine the level of detail to which you plan to conduct the risk assessment
Identify internal and external resources for your research, such as employees and libraries
Secure management approval of and funding for the risk assessment, just as you did for your prior business impact analysis (BIA)

Gather the most relevant BIA data

Data from the business impact analysis will identify the most critical business processes, the resources needed to support them, and the impact if they are disrupted or destroyed. An organization may have hundreds or even thousands of business processes, but you should only focus on those whose loss will have the biggest overall impact.

impact security level examples — This table from 'Managing Online Risk' by Deborah Gonzalez provides examples of impact severity level.

Determine how much risk data will be needed

You can find useful risk data in many places, such as actuarial tables, public libraries, the Internet, government agencies and subject matter experts. Depending on how much time and funding you have, you may be able to dig deeper into a broad range of data, gathering statistics, financial data, historical records and more to help you perform your risk analysis procedure. It might be enough to simply interview a few people in your organization, especially employees who have been with the company for many years, as they will have a broader base of experience.

Determine how you will analyze the risk data

A simple risk table may be sufficient for your risk analysis procedure. It lists risks and threats to your organization that could impact the critical processes identified in the BIA. It also estimates the likelihood of a specific risk occurring, the potential level of impact to the organization and, optionally, the financial impact. These values (typically in a range from 0.0 to 1.0) are then multiplied together to obtain a composite risk rating factor. More detailed assessments may involve the use of statistical tables and statistical modeling software to arrive at risk values.

Determine how you will present the data

If you end up with mountains of data from your risk analysis procedure, you'll then need to develop conclusions and possibly recommendations as you prepare to present the data to management. Remember that risk assessment data is used with BIA data to initiate the business continuity strategy process. Keeping the results simple and understandable will make it easier when you present your findings to management. Simplicity will also help when you use the results to define how your organization will manage the risks that may impact critical processes in the BIA.

Next Steps

Risk assessments should account for severe weather

Survey: Enterprises more proactive about risk management

The importance of risk analysis in a DR plan

Dig Deeper on Disaster recovery planning - management

business impact analysis (BIA) Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency.

Using a business impact analysis template: A free BIA template and guide If you need to perform a business impact analysis, this guide and our free, downloadable BIA template will assist you in your business continuity planning.

Can you create a BC plan without conducting a risk assessment? If time constraints and other factors force you to eliminate risk assessment from your business continuity plan, discover how to focus your development efforts more precisely.

Risk assessment analysis and BIA data in BC plans Examine how BIA and RA data are used to formulate business continuity strategies. It's common to bypass these steps, but the data can result in more precise and focused BC plans.

Risk analysis boosts disaster recovery planning process Business continuity and disaster recovery are chronically overlooked. Learn what you can do to avoid losses that could impact your organization.

How the risk analysis process and conducting a BIA differ The BIA is related but different from the risk analysis process. Pierre Dorion discusses what each should accomplish in this expert answer.

Paul Kirvan asks:

What is the most important element of your risk assessment plan?

Join the Discussion

Join the conversation

7 comments

Send me notifications when other members comment.

Oldest

[-]

PKirvan - 29 Apr 2016 11:08 AM

What is the most important element of your risk assessment plan?

Sharon Fisher - 29 Apr 2016 11:58 PM

How you present it. All the data in the world won't help you if it's in a form that your audience doesn't understand or doesn't give clear recommendations in a persuasive manner. It needs to be in little words with lots of pictures if you're presenting it to management.

AlbertGareev - 7 Jul 2016 11:20 AM

@Sharon Yep. It should be all framed. Not just risks but threats to achieving business goals, or threats of company's image and credibility. Or even legal threats.

Paul Crocetti - 2 Sep 2016 1:59 AM

Those are good points. Paul mentioned some threats in his table - can you give examples of threats that aren't there?

AlbertGareev - 7 Jul 2016 11:23 AM

I like the risk table presented. I suggest to make it more human though. Abstract language is less appealing to emotions, and decisions aren't just based on the logic - they're also based on how decision-makers feel about the information, on how well they can relate to it.

Paul Crocetti - 8 Aug 2016 1:49 PM

Thank you for the comment! What fields would you add to the table?

AlbertGareev - 18 Aug 2016 12:48 PM

@Paul - not new fields. I suggested altering the descriptions to make it less abstract.
For example.
"Software must perform correctly or grave consequences (loss of life, loss of system, environmental damage, economic or social loss) will occur."