Craft a winning risk analysis procedure in five easy steps

When managing your organization's risk assessment procedure, the right planning and data handling can make all the difference in crafting a business continuity strategy.

A proper risk analysis procedure can strengthen any organization's overall business continuity plan. Use the following five tips to ensure the best results in your environment.

Plan your risk assessment carefully

  • Identify the scope of the risk assessment
  • Establish links to previously completed business impact analysis results
  • Determine the level of detail to which you plan to conduct the risk assessment
  • Identify internal and external resources for your research, such as employees and libraries
  • Secure management approval of and funding for the risk assessment, just as you did for your prior business impact analysis (BIA)

Gather the most relevant BIA data

Data from the business impact analysis will identify the most critical business processes, the resources needed to support them, and the impact if they are disrupted or destroyed. An organization may have hundreds or even thousands of business processes, but you should only focus on those whose loss will have the biggest overall impact.

This table from 'Managing Online Risk' by Deborah Gonzalez provides examples of impact severity level.

Determine how much risk data will be needed

You can find useful risk data in many places, such as actuarial tables, public libraries, the Internet, government agencies and subject matter experts. Depending on how much time and funding you have, you may be able to dig deeper into a broad range of data, gathering statistics, financial data, historical records and more to help you perform your risk analysis procedure. It might be enough to simply interview a few people in your organization, especially employees who have been with the company for many years, as they will have a broader base of experience.

Determine how you will analyze the risk data

A simple risk table may be sufficient for your risk analysis procedure. It lists risks and threats to your organization that could impact the critical processes identified in the BIA. It also estimates the likelihood of a specific risk occurring, the potential level of impact to the organization and, optionally, the financial impact. These values (typically in a range from 0.0 to 1.0) are then multiplied together to obtain a composite risk rating factor. More detailed assessments may involve the use of statistical tables and statistical modeling software to arrive at risk values.
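The simple risk table described above can be built and ranked in a few lines. This is an added example, not taken from the article; the `Risk` fields, the function names and the sample rows are assumptions made for illustration. It also enforces one consequence of multiplying factors: the optional financial factor has to be used on every row or on none, otherwise the ratings cannot be compared.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    threat: str
    process: str                       # critical process identified in the BIA
    likelihood: float                  # 0.0 to 1.0
    impact: float                      # 0.0 to 1.0
    financial: Optional[float] = None  # optional third factor, 0.0 to 1.0


def composite(risk: Risk) -> float:
    """Multiply the factors present on the row into one rating."""
    factors = [risk.likelihood, risk.impact]
    if risk.financial is not None:
        factors.append(risk.financial)
    rating = 1.0
    for value in factors:
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{risk.threat}: factor {value} is outside 0.0-1.0")
        rating *= value
    return rating


def rank(risks: list[Risk]) -> list[tuple[Risk, float]]:
    """Return (risk, rating) pairs, highest rating first."""
    # A third factor <= 1.0 can only lower a product, so rows scored with
    # and without the financial factor are not comparable.
    if len({r.financial is None for r in risks}) > 1:
        raise ValueError("financial factor must be set on every row or on none")
    return sorted(((r, composite(r)) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample rows; the threats, processes and values are illustrative.
SAMPLE = [
    Risk("Flood", "Order fulfilment", 0.2, 0.9),
    Risk("Power outage", "Customer support", 0.5, 0.6),
    Risk("Ransomware", "Payroll", 0.4, 0.9),
]

if __name__ == "__main__":
    for risk, rating in rank(SAMPLE):
        print(f"{rating:.2f}  {risk.threat:<13} {risk.process}")
```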

[Figures: risk assessment rating scale; risk assessment analysis table]

Determine how you will present the data

If you end up with mountains of data from your risk analysis procedure, you'll then need to develop conclusions and possibly recommendations as you prepare to present the data to management. Remember that risk assessment data is used with BIA data to initiate the business continuity strategy process. Keeping the results simple and understandable will make it easier when you present your findings to management. Simplicity will also help when you use the results to define how your organization will manage the risks that may impact critical processes in the BIA.
