Manage Learn to apply best practices and optimize your operations.

Craft a winning risk analysis procedure in five easy steps

When managing your organization's risk assessment procedure, the right planning and data handling can make all the difference in crafting a business continuity strategy.

Paul Kirvan
Follow:

A proper risk analysis procedure can strengthen any organization's overall business continuity plan. Use the following...

five tips to ensure the best results in your environment.

Plan your risk assessment carefully

  • Identify the scope of the risk assessment
  • Establish links to previously completed business impact analysis results
  • Determine the level of detail to which you plan to conduct the risk assessment
  • Identify internal and external resources for your research, such as employees and libraries
  • Secure management approval of and funding for the risk assessment, just as you did for your prior business impact analysis (BIA)

Gather the most relevant BIA data

Data from the business impact analysis will identify the most critical business processes, the resources needed to support them, and the impact if they are disrupted or destroyed. An organization may have hundreds or even thousands of business processes, but you should only focus on those whose loss will have the biggest overall impact.

impact security level examples
This table from 'Managing Online Risk' by Deborah Gonzalez provides examples of impact severity level.

Determine how much risk data will be needed

You can find useful risk data in many places, such as actuarial tables, public libraries, the Internet, government agencies and subject matter experts. Depending on how much time and funding you have, you may be able to dig deeper into a broad range of data, gathering statistics, financial data, historical records and more to help you perform your risk analysis procedure. It might be enough to simply interview a few people in your organization, especially employees who have been with the company for many years, as they will have a broader base of experience.

Determine how you will analyze the risk data

A simple risk table may be sufficient for your risk analysis procedure. It lists risks and threats to your organization that could impact the critical processes identified in the BIA. It also estimates the likelihood of a specific risk occurring, the potential level of impact to the organization and, optionally, the financial impact. These values (typically in a range from 0.0 to 1.0) are then multiplied together to obtain a composite risk rating factor. More detailed assessments may involve the use of statistical tables and statistical modeling software to arrive at risk values.

risk assessment rating scale
risk assessment analysis table

Determine how you will present the data

If you end up with mountains of data from your risk analysis procedure, you'll then need to develop conclusions and possibly recommendations as you prepare to present the data to management. Remember that risk assessment data is used with BIA data to initiate the business continuity strategy process. Keeping the results simple and understandable will make it easier when you present your findings to management. Simplicity will also help when you use the results to define how your organization will manage the risks that may impact critical processes in the BIA.

Next Steps

Risk assessments should account for severe weather

Survey: Enterprises more proactive about risk management

The importance of risk analysis in a DR plan

This was last published in April 2016

Dig Deeper on Disaster recovery planning - management

Join the conversation

7 comments

Send me notifications when other members comment.

Register

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What is the most important element of your risk assessment plan?
Cancel
How you present it. All the data in the world won't help you if it's in a form that your audience doesn't understand or doesn't give clear recommendations in a persuasive manner. It needs to be in little words with lots of pictures if you're presenting it to management.
Cancel
@Sharon Yep. It should be all framed. Not just risks  but threats to achieving business goals, or threats of company's image and credibility. Or even legal threats.
Cancel
Those are good points. Paul mentioned some threats in his table - can you give examples of threats that aren't there? 
Cancel
I like the risk table presented. I suggest to make it more human though. Abstract language is less appealing to emotions, and decisions aren't just based on the logic - they're also based on how decision-makers feel about the information, on how well they can relate to it.
Cancel
Thank you for the comment! What fields would you add to the table?
Cancel
@Paul - not new fields. I suggested altering the descriptions to make it less abstract.
For example.
"Software must perform correctly or grave consequences (loss of life, loss of system, environmental damage, economic or social loss) will occur."
Cancel

-ADS BY GOOGLE

SearchDataBackup

SearchStorage

SearchConvergedInfrastructure

Close