Planning for the future of your business is essential. We’ve talked recently about the importance of business continuity planning and how to perform a business impact analysis, but the first step to the full planning process is performing a risk assessment. A risk assessment is the process of identifying all possible hazards or risks that could affect your business’s ability to function at full capacity.
A risk assessment is critical in helping you determine any inherent risks your business faces, and any unnecessary risks that can be immediately addressed. The goals of this assessment tend to be fairly straightforward, but can vary based on your industry, business size, and any compliance or regulatory standards you must meet.
Possible goals or outcomes for your risk assessment could be:
- Creating a full inventory of all technical and non-technical assets (this includes data)
- A total understanding and justification of all costs associated with proactive security measures vs. reactive measures
- Obtaining complete knowledge of all threats facing your business
- Compiling data to aid in the budgeting process for current and future security measures to mitigate any risks highlighted in the assessment
- Calculating ROI for any software or infrastructure investments made based on the assessment results
A risk assessment is a key step in your entire business continuity planning process, so how do you go about performing a risk assessment?
First you need to decide what type of risk assessment is going to give you the information you need to plan for the future.
Quantitative vs. Qualitative
A quantitative assessment is used when you want the ability to assign numerical values to each risk to ultimately determine the monetary cost of each one. In a quantitative assessment each risk type is assigned two numerical values, one for the overall likelihood and one for the potential impact on the business. These two numbers are multiplied together to give you a risk factor, which can be used to determine the total financial impact of each risk.
A qualitative assessment is used simply to rank the potential risks in order of most to least impact on business operations. These types of assessments don’t include any numerical assignments or monetary loss predictions.
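As an added illustration (not part of the original article), the following Python sketch applies both assessment types to a small risk register built from the hazard categories listed below. The likelihood and dollar figures, the risk names and the severity labels are all constructed sample values, not real data.

```python
# Added example: a small risk register that applies the article's two
# assessment styles. All figures are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # one of the hazard types listed in the article
    likelihood: float  # estimated probability of occurring in a year (0-1)
    impact: float      # estimated financial loss if it occurs, in dollars

    @property
    def risk_factor(self) -> float:
        # Quantitative method from the article: likelihood x impact
        return self.likelihood * self.impact


# Constructed sample register drawn from the article's hazard categories
REGISTER = [
    Risk("Flooding of main office", "Meteorological", 0.05, 400_000),
    Risk("Primary server hardware failure", "IT", 0.30, 25_000),
    Risk("Key supplier contract failure", "Supply chain", 0.10, 120_000),
    Risk("Extended power outage", "Utilities", 0.20, 15_000),
]

# Constructed qualitative severity labels for the same risks
SEVERITY = {
    "Flooding of main office": "high",
    "Primary server hardware failure": "medium",
    "Key supplier contract failure": "high",
    "Extended power outage": "low",
}


def quantitative_ranking(risks):
    """Rank by risk factor; returns (name, risk_factor) pairs, highest first."""
    ordered = sorted(risks, key=lambda r: r.risk_factor, reverse=True)
    return [(r.name, r.risk_factor) for r in ordered]


def total_expected_loss(risks):
    """Sum of risk factors: the total financial impact figure used for budgeting."""
    return sum(r.risk_factor for r in risks)


def qualitative_ranking(risks, severity):
    """Qualitative method: order by severity label only, no dollar figures."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [r.name for r in sorted(risks, key=lambda r: order[severity[r.name]])]
```

Note that the two methods can disagree on ordering: the qualitative list places the two "high" risks together, while the quantitative ranking separates them by expected dollar loss, which is the number you would carry into the budgeting step.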
Once you’ve determined the type of risk assessment you can begin gathering all the data you need.
Assessing your Risk
Identify all Possible Risks
It shouldn’t be a shock that the first step in a risk assessment is to identify all possible risks your business may reasonably face. Some risks will be universal to all businesses, but some will be unique to your business, which is why it’s important to think this through completely. The types of hazards you need to think about and plan for include (but are not limited to):
- Meteorological: Flooding, Severe weather, Tornadoes, Hurricanes, Tropical storms
- Geological: Earthquakes, Landslides, Volcanoes
- Accidents: Workplace accidents, Transportation accidents, Structural failures, Machine breakdowns
- Intentional acts: Labor strikes, Workplace violence, Robbery, Cyber attacks
- IT: Connection loss, Hardware failure, Lost data
- Utilities: Communications, Electric, Water, Heating/AC
- Supply chain failures: Supplier contract failure, Transportation interruptions
Identify all Assets
When planning for risk or disaster recovery it’s important to have a complete list of what you’re protecting; this may include:
- Physical assets
- Human assets
- Technology/cloud-based assets
- Environmental assets
- Monetary assets
Evaluate and Determine Impact
Now it’s time to take all the data compiled in the first two steps and determine the impact each risk could have: data loss, property damage, casualties, operational downtime, revenue/income loss, impact to customers and reputation, and any legal ramifications.
Often during this step businesses develop a risk matrix to measure the different risk levels to employees or critical business functions.
What should you consider when building your matrix?
- What are all the consequences?
- How bad could those consequences get?
- How likely is this risk to occur?
- How many people or functions will this risk impact?
Put the Data to Work
Once you have all the data on individual risks and the impact of each, it’s time to put it to use developing plans and procedures to address each risk, either before it happens or during the recovery efforts.
This can just be a short guide or list of actions/procedures as you will go into more detail on this during the development of your business continuity plan.
Record your Findings
Once you’ve finished the risk assessment it’s important to organize all the information into an easy-to-read document that can be used to complete your business impact analysis and your full business continuity plan. It’s also important to make the information visible and accessible to employees so they can begin to understand how risks might affect them, how they can prepare, and how they will be included in any recovery efforts.
As the years go by, make sure you’re constantly re-evaluating this assessment and taking note when:
- Business assets change
- Offices move
- Staff count changes
- Major organizational or operational changes occur
Understanding risk is one of the most important parts of running a business. You can’t plan for the future if you don’t know what you’re planning for.
Having a business continuity plan should be your overall goal, but building that plan should be a process, so our advice is: