What is a Risk Assessment?
A risk assessment enables an organization to understand the risks to and vulnerabilities of its most critical activities and supporting resources, as well as the impact that would arise if an identified risk leads to an actual disruptive incident.
A properly conducted risk assessment, performed in conjunction with a business impact analysis (BIA), enables an organization to clearly identify key risks to its most critical activities and resources. The information resulting from this analysis enables management to identify where risks exceed its risk tolerance and sets the stage for developing business continuity strategies and plans to reduce the likelihood of a disruption, shorten the period of the disruption, or limit the impact to the delivery of the organization’s key products and services.
The major outcomes associated with the risk assessment include:
- Understanding of potential business risks, including their likelihood and impact
- Identification of existing controls, and of potential control enhancements or new strategies to mitigate business risk by protecting resources (so as to decrease the likelihood or severity of a disruptive incident)
What are the Common Challenges with Risk Assessment?
Understanding the Risk Assessment
It is not uncommon for organizations to struggle with understanding the purpose and usefulness of a risk assessment. Some may suggest forgoing the risk assessment altogether. However, before an organization can develop strategies to mitigate the risks facing it, it must first understand what those risks are. By performing a risk assessment, the organization is able to identify all the relevant risks to the business, as well as understand the likelihood of each risk occurring and what the associated impacts would be. The business can then measure the identified risks against the organization’s specified amount and type of risk that it may or may not be willing to take, relative to its objectives.
Knowing what to do with the Outcomes of a Risk Assessment
Many organizations have difficulties taking the outcomes of the risk assessment and applying them to the business in a practical manner. As a first step, upon completion of the risk assessment, it is imperative to conduct a gap analysis to understand which risks identified during the assessment exceed the organization’s risk tolerance. These risks can be identified by asking two key questions:
- Based on the results of the risk assessment, which risks associated with the loss of that activity or resource exceed the organization’s stated risk tolerance due to lack of response and recovery planning or control measures?
- For the risks identified in #1, what are the risk treatment opportunities or controls available to the organization to get the risk below the organization’s stated risk tolerance?
The answers to the second question form the basis for strategy selection to treat the identified risks. After reviewing the various options and performing a cost-benefit analysis, management will select the strategy it feels is most appropriate, then the organization can begin developing business continuity plans that reflect the selected strategy.
When Management Chooses to do Nothing
Selecting mitigation strategies can often be difficult – or even contentious – for some organizations. A common source of frustration occurs when management chooses not to address certain risks. However, choosing not to take action to treat a risk is an option and a strategy in itself. There are many reasons why management may choose to accept a risk and not take any action. Most commonly, management feels that the costs (measured in dollars and/or time commitment) outweigh the benefits, or that the costs are simply too high and the likelihood of the risk being realized is too low to justify taking proactive measures to treat the risk. Instead, management may opt to address the risk reactively should it occur. Another common reason management may choose to accept a risk is that the potentially impacted product or service may not be critical to the organization’s long-term business strategy. Castellan’s consultants can help advise on which risks are acceptable and which ones may require additional mitigation.
Risk Assessment versus Threat Assessments
Organizations are often confused about whether a risk assessment and a threat assessment are one and the same. The short answer is no. While Castellan is capable of assisting organizations with both types of assessment, they are two very different things. A threat assessment focuses on specific threats to a business (e.g., hurricane, fire, flood), while a risk assessment takes a resource-based loss approach, which looks at risks associated with the loss of specific facilities, personnel, technology, or third-party suppliers – agnostic to what threat actually caused the loss of the resource. In the resource-based risk assessment, we don’t focus on why we lost access to the specific resource. Instead, we focus on the likelihood of that loss and the impacts associated with it. Castellan’s software tool is built to easily conduct a resource-based risk assessment using inputs from the BIA and can help make this an effective tool in assessing your organization’s risk. The threat assessment, on the other hand, is much more focused on the likelihood and impact of a specific event occurring: for example, what is the probability and impact of a specific threat affecting operations?
Castellan’s key differentiators when it comes to helping organizations with their risk assessments are two-fold. First is Castellan’s breadth and depth of experience. In our 10+ years of experience, we have worked in almost every industry and with organizations of all sizes. This perspective gives us a unique vantage point to help you understand what risks exist and the most effective means to manage those risks. Clients find great value in Castellan’s post-assessment analysis, as we don’t just leave the client with the results of the assessment. Instead, we help them make sense of those risks as they relate to their organization’s risk tolerance and objectives.
Our other big differentiator is our business continuity software solution. It helps remove unnecessary complexity from the BIA and risk assessment process. This results in fewer meetings and reduced time commitment from the business. It introduces automation to the risk assessment process by allowing the user to ask a few additional questions during the BIA, and then the responses are used to calculate the risk score automatically. This allows our clients to spend more time on strategy selection and planning, and less time on aggregating the information obtained during the assessment.
Castellan’s process for conducting a risk assessment can be broken down into three phases:
- Assessment Preparation: During this phase, Castellan will work with the client on developing the appropriate rating scales for impact and likelihood, as well as preparing interview participants to think about specific risk assessment-related topics ahead of the discussion.
- Data Gathering and Assessment: While the BIA typically precedes the risk assessment, Castellan collects much of the data required to perform the risk assessment during the BIA meeting. Due to the nature of the topics covered in the BIA meeting, a few additional probing questions allow us to gather the information needed to successfully complete the risk assessment.
- Post-Assessment Analysis: During the analysis phase, we seek to understand where specific risks exceed the client’s predetermined risk tolerance. These risks are sorted by their assigned risk score (Catalyst automatically calculates and ranks identified risks according to the risk score). Clients who are using other software, or no software at all, have nothing to fear, as Castellan will perform the data aggregation and reporting as part of the assessment. Castellan will then work with the client to determine prioritization for the key risks to mitigate. Once the key risks have been identified, Castellan and the client can begin to identify risk treatment strategy options and present those to leadership for selection.
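The gap analysis described above (the two key questions in the "Knowing what to do with the Outcomes" section and the post-assessment ranking in the three-phase process) can be expressed as a small, repeatable calculation. The following is an added illustration, not Castellan's or Catalyst's own scoring method, and it makes several assumptions the page does not state: likelihood and impact are rated on 1 to 5 scales agreed during assessment preparation, the risk score is the product of the two ratings, existing controls reduce the likelihood and/or impact rating, and the organization's risk tolerance is expressed as a single score threshold. The risks, controls, treatment options and costs are constructed sample data.

```python
"""Resource-based risk gap analysis (added example; scoring scheme is an
assumption, not the page's or Catalyst's own method)."""
from __future__ import annotations

from dataclasses import dataclass, field

# A control is (name, likelihood reduction, impact reduction) on the 1-5 scales.
Control = tuple[str, int, int]


@dataclass
class Risk:
    """Loss of a single resource, independent of the threat that causes the loss."""
    resource: str                 # facility, personnel, technology or supplier
    likelihood: int               # 1 (rare) .. 5 (almost certain), before controls
    impact: int                   # 1 (negligible) .. 5 (severe), before controls
    controls: list[Control] = field(default_factory=list)

    @property
    def inherent_score(self) -> int:
        """Risk score with no controls applied (assumed: likelihood x impact)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk score after existing controls; ratings never drop below 1."""
        likelihood, impact = self.likelihood, self.impact
        for _, d_likelihood, d_impact in self.controls:
            likelihood -= d_likelihood
            impact -= d_impact
        return max(1, likelihood) * max(1, impact)


def gap_analysis(risks: list[Risk], tolerance: int) -> list[Risk]:
    """Question 1: which risks still exceed tolerance after existing controls?
    Ranked by residual score, then inherent score, then name for a stable order."""
    exceeding = [r for r in risks if r.residual_score > tolerance]
    return sorted(exceeding, key=lambda r: (-r.residual_score, -r.inherent_score, r.resource))


def treatment_options(risk: Risk, candidates: list[tuple[str, int, int, int]],
                      tolerance: int) -> list[tuple[str, int, int]]:
    """Question 2: which candidate treatments bring the risk within tolerance?
    candidates are (name, likelihood reduction, impact reduction, cost);
    returns (name, residual score after treatment, cost), cheapest first.
    An empty result means leadership must either accept the risk or find
    further options."""
    options = []
    for name, d_likelihood, d_impact, cost in candidates:
        treated = Risk(risk.resource, risk.likelihood, risk.impact,
                       risk.controls + [(name, d_likelihood, d_impact)])
        if treated.residual_score <= tolerance:
            options.append((name, treated.residual_score, cost))
    return sorted(options, key=lambda o: (o[2], o[0]))


def risk_register(risks: list[Risk], tolerance: int) -> list[dict]:
    """Register rows: every risk with its scores and a treat/accept decision."""
    ordered = sorted(risks, key=lambda r: (-r.residual_score, -r.inherent_score, r.resource))
    return [{"resource": r.resource, "inherent": r.inherent_score,
             "residual": r.residual_score,
             "decision": "treat" if r.residual_score > tolerance else "accept"}
            for r in ordered]


# Constructed sample data for a hypothetical life-sciences client.
TOLERANCE = 9   # assumed: any residual score above 9 exceeds tolerance
RISKS = [
    Risk("Primary data center", 3, 5, [("Generator and UPS", 1, 0)]),
    Risk("Lab building", 2, 5),
    Risk("Reagent supplier", 4, 3, [("Secondary vendor qualified", 0, 2)]),
    Risk("Specialized lab staff", 3, 4),
]
# Candidate treatments for the staff risk: (name, likelihood cut, impact cut, cost).
STAFF_TREATMENTS = [
    ("Cross-training program", 0, 2, 50_000),
    ("Retention incentives", 1, 0, 80_000),
    ("Documented procedures", 0, 1, 10_000),
    ("Awareness briefing", 0, 0, 2_000),
]

if __name__ == "__main__":
    for row in risk_register(RISKS, TOLERANCE):
        print(row)
    for r in gap_analysis(RISKS, TOLERANCE):
        print(f"exceeds tolerance: {r.resource} residual={r.residual_score}")
    print(treatment_options(RISKS[3], STAFF_TREATMENTS, TOLERANCE))
```

The register keeps both inherent and residual scores so leadership can see what existing controls already buy, and the treatment list is ordered by cost so the cost-benefit discussion starts from the cheapest option that actually reaches tolerance; a treatment that does not get the score within tolerance (the awareness briefing here) is dropped rather than shown as partial progress.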
During a recent engagement, Castellan worked with a mid-sized life sciences company on a business impact analysis and risk assessment. While the outputs of the BIA helped the organization understand its recovery requirements and served to inform the development of current-state recovery plans, the outputs of the risk assessment helped the organization identify its most impactful and likely risks overall. While the organization was aware of the existence of some of the risks even prior to the assessment, it did not have a solid understanding of where the risks fit into the risk profile of the organization as a whole, or how they measured up against the organization’s stated risk tolerance.
In considering the organization’s risk tolerance overall, the client was able to prioritize risks for mitigation, as well as identify risks that leadership was willing to accept. The client identified at the beginning of the assessment that it was most unwilling to accept downtime that impacted the critical infrastructure enabling core lab and development activities. While other operational enablers were important, these functions were deemed most critical. Castellan and the client used the outcomes of this assessment to develop a risk register in conjunction with a multi-year plan to reduce the organization’s risk footprint. This approach takes a realistic view of addressing the organization’s overall risk footprint: it does not attempt to boil the ocean and address every single risk, nor does it dedicate all of its resources to planning for and mitigating “black swan” events (highly impactful, but extremely unlikely, disasters).
This risk assessment, in conjunction with the BIA, laid the foundation for the client not only to plan confidently for disruptions with its current-state recovery capabilities, but also to identify a clear path forward for implementing strategies that reduce the likelihood of the risks occurring and to select optimal recovery strategies should a risk be realized.