Risk assessment procedure: How to keep it simple

A risk assessment process is an important factor in creating a business continuity strategy. Explore how to conduct and evaluate a risk assessment plan in a straightforward manner.

Risk assessments identify those situations that present the greatest potential threat to an organization, their likelihood of occurring and the potential damage they could cause. Data from a risk assessment is used with business impact analysis data to help pinpoint key business processes and their associated risks. This helps an organization focus its efforts on the most critical business activities when developing business continuity plans.

A risk assessment procedure can be highly complex or relatively simple. It's a matter of how many risks can be identified, the nature of those risks, the likelihood of them occurring and the damage they could cause to an organization.

You should define the scope of the risk assessment procedure by identifying which aspects of your organization you wish to evaluate, such as physical buildings, staffing, surrounding area, technology, specialized systems and the supply chain. Next, identify the risks, threats and vulnerabilities of the elements you are assessing. Identify the end game of your assessment, such as an overview of operational or financial risks. This is also the point at which you can isolate resources for obtaining risk data, such as geological maps, weather maps, historical records of events in the region and actuarial tables.

Conducting a risk assessment procedure

Set up an assessment table that identifies a specific risk, threat or vulnerability; the likelihood of the event occurring; potential damage or destruction if the event occurs; and, optionally, the financial implications to the organization. The following sample risk assessment table offers a variety of topics and examples.

[Figure: sample risk assessment table with calculated risk factor]

The lowest value in each of the above columns is 0.0 -- not likely to occur or no damage or impact -- while the highest is 1.0 -- extremely likely to occur or severe or total loss. The three values -- likelihood of occurring, potential for business damage and potential financial impact -- are then multiplied together, resulting in the calculated risk factor.
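The calculation described above, as an added worked example that is not part of the original article: each column is checked against the 0.0 to 1.0 scale, the scored columns are multiplied into the calculated risk factor, and the rows are ranked. The row names and scores are constructed for illustration, and the handling of a blank financial column (multiply only the two required columns) is an assumption the article does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RiskRow:
    """One row of the assessment table: a risk, threat or vulnerability."""
    risk: str
    likelihood: float                  # 0.0 = not likely to occur, 1.0 = extremely likely
    damage: float                      # 0.0 = no damage or impact, 1.0 = severe or total loss
    financial: Optional[float] = None  # optional column, same 0.0 to 1.0 scale

def _check_scale(name: str, value: float) -> None:
    """Reject scores outside the 0.0 to 1.0 range used by every column."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0.0 and 1.0, got {value}")

def calculated_risk_factor(row: RiskRow) -> float:
    """Multiply the scored columns together to get the calculated risk factor.
    Assumption: a blank financial column is simply left out of the product."""
    _check_scale("likelihood", row.likelihood)
    _check_scale("damage", row.damage)
    factor = row.likelihood * row.damage
    if row.financial is not None:
        _check_scale("financial", row.financial)
        factor *= row.financial
    return round(factor, 4)

def rank_risks(rows: List[RiskRow]) -> List[Tuple[str, float]]:
    """Return (risk, factor) pairs with the most serious risk first."""
    scored = [(r.risk, calculated_risk_factor(r)) for r in rows]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample table; the names and scores are illustrative only.
SAMPLE_TABLE = [
    RiskRow("Regional power outage", 0.6, 0.5, 0.4),
    RiskRow("Flooding of data center", 0.2, 0.9, 0.9),
    RiskRow("Key supplier failure", 0.4, 0.6),        # financial column left blank
    RiskRow("Loss of critical staff", 0.3, 0.4, 0.3),
]

if __name__ == "__main__":
    for risk, factor in rank_risks(SAMPLE_TABLE):
        print(f"{factor:.3f}  {risk}")
```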

You can then use the following rating scale to evaluate the calculated risk factor; this can be used to identify the most significant risks and threats.

[Figure: risk assessment rating scale]

Evaluating the results

Once the risk table has been completed, examine the results in the far right column -- the calculated risk factor. The higher the value, the greater and more serious the risk/threat is to the organization. Results are then mapped with business impact analysis results to identify the following:

  • Business processes that are most critical to the organization.
  • Risks that are most likely to negatively impact the completion of those processes.

This is a very simplistic risk assessment procedure. More detailed risk assessments can take weeks, months or longer, especially when trying to gather historical or empirical data for the analysis. It may also be necessary to interview subject matter experts, visit libraries and seek out other information sources to collect detailed risk data.
