Part 3: RAR - Risk Analysis v2
Part 3: Risk Analysis
After identifying the possible treatments for the threats faced by the organisation, participants proceed to analyse the threats and determine which ones the organisation should prioritise and take the necessary actions on.
Threat Name (Col 2)
The name of each threat identified in the List of Threats. BCM Coordinators are to ensure that every threat highlighted in the previous section is represented here under the threat column.
Impact Area (Col 3 to 9)
Risk Impact, or Impact Area, analyses the potential impact of each type of threat on the organisation and its people, such as facilities becoming inaccessible, revenue being disrupted, or personnel being killed, injured or rendered ineffective. Impact Area is divided into 7 main categories:
- Legal & Regulatory
- Reputation & Image
- Social Responsibility
- Assets/IT Systems/Information
Highest Risk Impact (Col 10)
Highest Risk Impact takes the highest Impact Rating across the 7 Impact Area categories in the prior section.
- Should two or even three categories share the same highest value, all of them are initially entered in column 10 and then deliberated further to determine which represents the highest impact, even though their ratings are equal.
Risk Likelihood (Col 11)
Risk Likelihood is the probability or chance of a threat occurring.
Risk Rating (Col 12)
Risk Rating is the product of the assigned value for Risk Likelihood and the assigned value for the Highest Risk Impact. The result is the Risk Rating of an individual threat.
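Columns 10 to 12 as a worked example (added here, not part of the original worksheet): the highest impact rating is taken across the 7 Impact Areas, tied categories are flagged for the deliberation described above, and the Risk Rating is the product of that value and the likelihood. A 1 to 5 rating scale, the threat names and the three unnamed category labels are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Impact Area categories (Cols 3 to 9). Only four are named on this page;
# the last three are placeholders, not the worksheet's real labels.
IMPACT_AREAS = [
    "Legal & Regulatory", "Reputation & Image", "Social Responsibility",
    "Assets/IT Systems/Information",
    "<category 5>", "<category 6>", "<category 7>",
]

@dataclass
class RiskRow:
    threat: str                      # Col 2
    impact: Dict[str, int]           # Cols 3 to 9: rating per Impact Area
    likelihood: int                  # Col 11
    highest_impact: int              # Col 10
    tied_areas: List[str]            # areas sharing the top rating (deliberate if > 1)
    risk_rating: int                 # Col 12 = highest_impact * likelihood

def analyse(threat: str, impact: Dict[str, int], likelihood: int) -> RiskRow:
    """Build one row of the risk analysis worksheet from its inputs."""
    missing = [a for a in IMPACT_AREAS if a not in impact]
    if missing:
        raise ValueError(f"{threat}: no rating for {missing}")
    highest = max(impact.values())
    tied = [a for a in IMPACT_AREAS if impact[a] == highest]
    return RiskRow(threat, impact, likelihood, highest, tied, highest * likelihood)

def prioritise(rows: List[RiskRow]) -> List[RiskRow]:
    """Order threats by Risk Rating, highest first, for prioritisation."""
    return sorted(rows, key=lambda r: r.risk_rating, reverse=True)

# Constructed sample inputs (assumed 1 to 5 scale), not data from the page.
FLOOD = analyse("Flood", dict(zip(IMPACT_AREAS, [2, 3, 3, 4, 1, 2, 2])), 3)
OUTAGE = analyse("Data centre outage", dict(zip(IMPACT_AREAS, [3, 4, 2, 4, 1, 1, 2])), 4)

if __name__ == "__main__":
    for row in prioritise([FLOOD, OUTAGE]):
        note = " (tie, deliberate)" if len(row.tied_areas) > 1 else ""
        print(f"{row.threat}: highest impact {row.highest_impact}{note}, "
              f"likelihood {row.likelihood}, risk rating {row.risk_rating}")
```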
Risk Level (Col 13)
Risk Level is the overall level of assessed risk that an individual threat poses to the organisation.
Expected Period of Disruption (Col 14)
- Expected Period of Disruption is the expected residual disruption resulting from each identified threat, taking existing controls into consideration.
- The period of disruption is an estimated duration during which the organization’s operations are disrupted (operationally), or access to the primary location is denied (infrastructure).
- For example, if the Expected Period of Disruption for any given threat is stated as 5 days, the organization will be disrupted for that amount of time.