Risk Assessment: The Best Way to Identify Your Biggest Threats

The threat and risk assessment or TRA is one of the cornerstones of business continuity methodology. Today, we’ll talk about what it is, why it’s important, and how to do one.  

Defining the TRA 

In business continuity management (BCM), a threat and risk assessment is a study where you identify and assess the factors that have the potential to damage your organization or interrupt your critical business processes. 

More specifically, a risk assessment should do the following: 

  • Identify conditions or situations that may cause a business process outage 
  • Determine the probability of the occurrence of each threat 
  • Pinpoint the threats and hazards across all areas, including human, natural, and technological 
  • Determine ways to eliminate or control the risk and prevent impacts and outages 

The risk assessment should also assess the mitigation level of the identified threats. This involves looking at the measures that are in place to protect against the threat and seeing how much risk remains after they are taken into account. 

The Risk Assessment vs. the BIA 

Many people who are new to business continuity are confused about the difference between the threat and risk assessment (TRA) and the business impact analysis (BIA). 

Both are fundamental aspects of BCM methodology. The BIA is better known. Almost every organization does BIAs. Not enough perform TRAs. 

BIAs identify and prioritize the organization’s most critically time sensitive business processes. They show what the organization should protect in order to limit the damage that would be caused by an outage or event. The identification and prioritization of business processes is done by the team performing the BIA in consultation with departmental experts and senior executives. The final results represent their collective judgment about what processes are most critical. 

The TRA looks at threats that could potentially strike the organization and disrupt the processes analyzed in the BIA. 

The BIA is about business processes. The TRA is about trouble. 

The BIA looks at what might be impacted, and the TRA looks at what does the impacting. 

Both are required to understand the organization’s situation and develop a sound BCM strategy. 

Completing a Risk Assessment  

The process of completing a threat and risk assessment can be divided into three phases: preparation, assessment, and analysis. Each phase is made up of several steps as shown below. 

As part of the preparation phase of the TRA, you should gather the following information: 

  1. Maps of your facilities (GIS maps with layering is best) 
  1. History of recent events (say within the last five years) 
  1. List of high-value assets  
  1. Information on key infrastructure locations (power, water, data/voice network, etc.) 
  1. Relevant threat list based on location and past history  
  1. FEMA weather-based history (hurricanes, floods, earthquakes, etc.) 
  1. Use of facilities for high-profile events 
  1. Maximum population of facilities at peak time 

The assessment phase involves the following: 

  1. Schedule interviews of key personnel  
  1. Interview personnel to determine level of mitigation in place for their key areas of responsibility (to include emergency plans, backup power, network resiliency, business continuity, disaster recovery, stakeholder communications, evacuation planning, active shooter preparation, hazardous material spills, community readiness, ability of community to respond to an event, etc.) 
  1. Interview department leaders and senior executives to learn their understanding of risk/threats,  level of mitigation currently in place, and most pressing concerns 
  1. Tour high value assets and assess the level of mitigation and hardening 
  1. Tour key infrastructure areas (power, water, network, etc.) and assess the level of mitigation and hardening 
  1. Determine what high value assets need to have the most hardening 
  1. Include technology and process threats as part of the discussions  

Finally, we come to the analysis phase:  

  1. Assess level of mitigation based on results of the interviews 
  1. Document critical exposures and opportunities for improvement 
  1. Prioritize exposures and opportunities for improvement 
  1. Determine the most relevant threats to the organization  then focus on the top five 
  1. Document management report and mitigation plan over the next 18 to 24 months 
  1. Review report and mitigation plan with management 
  1. Integrate the risk assessment with the BIA 

Devising a Sound Strategy 

The threat and risk assessment is one of the central pillars of BCM methodology. It identifies and assesses the human, natural, and technological threats that have the potential to strike the organization, interrupting its critical business processes. 

The TRA also looks at existing risk mitigations to arrive at a fuller understanding of the organization’s exposure. Together with the BIA, the risk assessment enables the organization to devise a sound business continuity strategy, thus providing optimal protection to the organization and its stakeholders. 

Further Reading 

For more information on risk assessment and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: 

 

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
Inherent Risk vs. Residual Riskdata protection