How to conduct a Risk Assessment – step by step

Conducting a risk assessment helps businesses identify potential hazards and determine what impacts those hazards could have on the business should they occur.
The difference between a risk assessment and a business impact analysis (BIA) is that a risk assessment covers all hazards, big and small, whereas the BIA focuses on the potential impacts that can affect critical business functions and processes.
For a risk assessment, there are many hazards to evaluate, and the impact of each hazard can vary based on location, magnitude, and timing. Some of these hazards might include:
• Technology hazards: data corruption, technology failure, internet or connectivity outages, utility outages, hazardous materials spills or leaks, transportation interruptions, etc.
• Human-caused hazards: accidents (vehicle, workplace, structural collapse, etc.) and intentional acts (robbery, terrorism, hacking and malware, fraud, labor strikes, bomb threats, arson, workplace violence, etc.)
• Natural hazards: severe thunder and winter storms, flooding, tornados, hurricanes, earthquakes, landslides, sinkholes, pandemics, etc.
These hazards (and more) can negatively impact the business and its assets. Avoiding staff injuries should be the business’s top priority when analyzing hazards. In addition to employees, physical assets may also be at risk, including buildings, machinery, goods and materials, technology systems, resources, data, documentation, and more.
Another important asset to consider is the impact a hazard can have on business relationships. This can include the relationship between stakeholders, customers, employees, and the community, as well as their perception of the business.
While conducting a risk assessment, it’s important to uncover any weaknesses the business has that could make it more vulnerable to damage from a hazard. Vulnerabilities might include any number of deficiencies in security, loss prevention, building construction, processes, etc. These weaknesses magnify the effect of a hazard: even a minor hazard can become a major issue when a vulnerability leaves a gap through which the hazard can occur instead of reducing its likelihood. By addressing these weaknesses, the business will be in a better position to handle hazards and to minimize their impact should they occur.
To conduct a risk assessment, use the following steps:

Step 1: Compile the assets

Create a list of all the company’s assets (people, machinery, goods, technology, materials, facilities, etc.).

Step 2: List hazards for each asset

For every asset listed, create a list of hazards that could cause an impact to that asset.

Step 3: Determine probability and impact

For each hazard, determine the scenarios in which the hazard might have an impact on the business, its likelihood of occurring, and its level of impact. This should include high-probability/low-impact scenarios and low-probability/high-impact scenarios.

Step 4: Identify weaknesses and vulnerabilities

Determine whether any existing vulnerabilities or weaknesses could make the asset more susceptible to loss from a hazard event. Identifying these weaknesses gives the business an opportunity to mitigate risk by closing the gaps before any hazard occurs; a business strengthened in this way will respond far better when a hazard does occur.

Step 5: Estimate probability

Determine how likely or unlikely the hazard is to occur, rating each hazard as low, medium, or high probability.

Step 6: Estimate level of impact

Using impact measurements of low, medium, and high, determine the potential impact that a hazard event could have on the business. Use information from the business impact analysis (BIA) to help determine and rate potential impacts.

Step 7: Estimate potential effects

Determine the financial, reputational, and regulatory impacts that the events could have on the business.

Step 8: Assign hazard ratings

Assign each hazard a rating that combines its probability rating and its impact rating.

Step 9: Review and analyze the highest hazards

The final step is to review the hazards with the highest hazard ratings. Determine whether the risk from each of these hazards can be minimized, or whether any vulnerabilities can be fixed to reduce the likelihood of the hazard occurring or the impact it would have on the business. This is the most important step in ensuring that the business is not only aware of the potential hazards but also prepared with a plan to mitigate or reduce these risks.
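As an added worked example (not code from the article or from Resilience3), the nine steps above can be captured in a small risk register. The register records each asset, its hazards and scenarios, the open vulnerabilities, the low/medium/high probability and impact ratings, and the financial, reputational and regulatory effects, then computes a hazard rating and returns the top hazards for the Step 9 review. The article does not specify how probability and impact are combined, so the 3x3 scoring matrix (score = probability x impact on a 1-3 scale), the thresholds that map scores back to low/medium/high, and the tie-break that favours higher impact are all assumptions of this example; the sample register is constructed data.

```python
"""Minimal risk register that walks the nine assessment steps on constructed sample data.

Added example, not from the original article. Scoring method (3x3 matrix,
thresholds, tie-break) is an assumption; the article only states that a
hazard rating combines the probability rating and the impact rating.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The article's three-level scale for both probability (Step 5) and impact (Step 6).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Hazard:
    asset: str                   # Step 1: the asset the hazard threatens
    name: str                    # Step 2: the hazard itself
    scenario: str                # Step 3: how the hazard would play out
    probability: str             # Step 5: low / medium / high
    impact: str                  # Step 6: low / medium / high (informed by the BIA)
    effects: Dict[str, str] = field(default_factory=dict)      # Step 7: financial / reputational / regulatory
    vulnerabilities: List[str] = field(default_factory=list)   # Step 4: open weaknesses that magnify the hazard


def validate(h: Hazard) -> None:
    """Reject ratings outside the scale so a mistyped entry cannot silently drop out of the review."""
    for label, value in (("probability", h.probability), ("impact", h.impact)):
        if value not in LEVELS:
            raise ValueError(f"{h.name}: {label} must be one of {sorted(LEVELS)}, got {value!r}")


def hazard_score(h: Hazard) -> int:
    """Step 8: combine probability and impact. Assumed method: 3x3 matrix, score 1..9."""
    validate(h)
    return LEVELS[h.probability] * LEVELS[h.impact]


def hazard_rating(h: Hazard) -> str:
    """Map the numeric score back onto the article's low/medium/high scale (assumed thresholds)."""
    score = hazard_score(h)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def top_hazards(register: List[Hazard], n: int = 3) -> List[Hazard]:
    """Step 9: the highest-rated hazards; ties broken by impact, then probability (assumed)."""
    def key(h: Hazard):
        return (hazard_score(h), LEVELS[h.impact], LEVELS[h.probability])
    return sorted(register, key=key, reverse=True)[:n]


def review(register: List[Hazard], n: int = 3) -> List[dict]:
    """Step 9 output: each top hazard with its effects and the vulnerabilities still open to fix."""
    return [
        {"asset": h.asset, "hazard": h.name, "rating": hazard_rating(h), "score": hazard_score(h),
         "effects": h.effects, "open_vulnerabilities": list(h.vulnerabilities)}
        for h in top_hazards(register, n)
    ]


# Constructed sample register: Steps 1-7 filled in by hand for four hazards on two assets.
SAMPLE_REGISTER: List[Hazard] = [
    Hazard("customer database", "data corruption", "ransomware encrypts the primary database",
           probability="medium", impact="high",
           effects={"financial": "high", "reputational": "high", "regulatory": "medium"},
           vulnerabilities=["backups not tested", "no offline backup copy"]),
    Hazard("customer database", "utility outage", "regional power loss longer than the UPS runtime",
           probability="low", impact="medium",
           effects={"financial": "medium", "reputational": "low", "regulatory": "low"},
           vulnerabilities=["generator fuel contract lapsed"]),
    Hazard("warehouse", "flooding", "river crests above the loading dock",
           probability="low", impact="high",
           effects={"financial": "high", "reputational": "low", "regulatory": "low"},
           vulnerabilities=[]),
    Hazard("warehouse", "workplace accident", "forklift collision in a congested aisle",
           probability="high", impact="low",
           effects={"financial": "low", "reputational": "low", "regulatory": "medium"},
           vulnerabilities=["no marked pedestrian lanes"]),
]

if __name__ == "__main__":
    for row in review(SAMPLE_REGISTER):
        print(row)
```

Running the script lists the ransomware scenario first (score 6, rated high, with two open backup vulnerabilities to close), then the low-probability/high-impact flood ahead of the high-probability/low-impact forklift accident, which is the ordering Step 3 asks the assessment to surface. Swapping the assumed matrix for a different scoring scheme only requires changing `hazard_score` and `hazard_rating`; the register structure stays the same.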

Have Questions?

Want to find out more about how Resilience3™ security, risk, and compliance solutions will improve your business resiliency?