Part 3: Risk Assessment CRA3 v2
CRA 3-1: Risk Impact and Likelihood Assessment
Note that the text in italics serves as supporting instructions for participants attending, and attempting, BCM Institute's Blended Learning assignment.
As with threat identification and evaluation, if an organisation has business units operating at multiple sites, the relevant business units shall perform the risk impact and likelihood assessment for each site in which they operate.
Having identified the threats and crisis scenarios faced by the organisation, and their possible treatments, participants now analyse them to determine which threats the organisation should prioritise and act on.
Threat or Crisis Scenario Name
- The name of each threat identified in the List of Threats. The Organisation BCM Coordinator and the Crisis Management Team Coordinator are to ensure that every threat and crisis scenario highlighted in the previous section is represented here under the threat column.
Risk Impact Area (Col 3 to 9)
This is the potential effect, generally adverse, that the occurrence of the threat will have on the organisation. Impacts are categorised into the areas below; the descriptors are given in Descriptor for Risk Impact and Impact Area.
Risk Impact (or Risk Impact Area) analyses the potential impact of each type of threat on the organisation, such as facilities becoming inaccessible, revenue being disrupted, or personnel being killed, injured or rendered ineffective.
Risk Impact Area can be divided into 7 main categories:
- Finance
- Financial or otherwise quantifiable impact due to loss of revenue or damage to property or equipment.
- Operations
- The critical business processes or day-to-day operations of the organisation are impacted.
- Legal & Regulatory
- Non-compliance with regulatory requirements, or inability to fulfil contractual obligations, leading to penalties and sanctions; or forced strategy changes, e.g. outsourcing a service or production line to a vendor.
- Reputation & Image
- The organisation's reputation and image are adversely affected, which may lead to adverse coverage on various media platforms due to the delay or unavailability of key products and services.
- Social Responsibility
- Public and/or community needs, expectations and interests are impacted by the specific threat.
- People
- Adverse impacts on personnel, e.g. employees, part-time staff and agency staff.
- Assets/IT Systems/Information
- Critical assets, technology, telecommunications and information are impacted by the specific threat. Assets refer to critical building, facilities, equipment, utilities or physical security of premises.
Risk Impact Area (Highest Numeric Score) (Col 10)
This is the highest risk impact rating out of the 7 impact areas. It represents the maximum impact on the organisation should the threat occur.
Based on all 7 categories of Impact Area in the prior section, the Highest-Impact Area takes the highest Impact Rating from all 7 categories.
- Should two or three impact areas share the same highest value, record them all in column 10 initially, then deliberate further to decide which area represents the highest impact even though their numeric values are the same.
Risk Likelihood (Col 11)
The chance of the threat occurring. This is relative to the organisation's operating environment and is rated on a scale of 1 to 5. The detailed breakdown of likelihood is in Descriptor for Risk Likelihood.
Risk Likelihood is the probability or chance of a threat happening. The rating scale and descriptions for this table can be obtained from your risk management team. It is preferably rated on a 1 to 5 scale, where 5 is the most frequent occurrence, e.g. once every 3 to 6 months.
Risk Rating (Col 12)
Risk Rating is the product of Risk Likelihood multiplied by the Highest-Impact Rating. It represents the overall Risk Rating of a threat to the organisation, taking into consideration both the Risk Likelihood of the threat occurring and its Risk Impact. Refer to Sample Risk Ratings and Risk Levels.
Risk Rating is the result of multiplying the assigned value for Risk Likelihood by the assigned value of the Highest Risk Impact. The result is the Risk Rating of an individual threat.
Risk Level (Col 13)
This is the perceived level of risk to the business unit as assessed against each identified threat. A sample of risk ratings and their corresponding risk levels is attached in Sample Risk Ratings and Risk Levels. Enter the value as Very Low, Low, Medium, High or Very High.
Risk Level is the overall level of assessed risk that an individual threat poses to the organisation.
Expected Period of Disruption (Col 14)
This is the expected period of disruption (in hours or days) resulting from the residual risk of the identified threat, i.e. the risk that remains after the existing controls are taken into consideration. During this period the organisation's operations are disrupted, or access to the primary location is denied.
- Expected Period of Disruption is the expected residual disruption resulting from each identified threat, taking into consideration existing controls.
- The period of disruption is the estimated duration during which the organisation's operations are disrupted (operational) or access to the primary location is denied (infrastructure).
- For example, if the Expected Period of Disruption for any given threat is stated as 5 days, the organization will be disrupted for that amount of time.
Instruction to BL-CM or BL-CC Participant
This section is for participants attending the BL-CM or BL-CC Module 2 Session 1 facilitated workshop; it gives the additional instructions needed to complete your Crisis Risk Assessment assignment.
- Transfer the threats/ crisis scenarios from Part 2 to Part 3 to continue the next part of the assignment.
- Refer to the M2-S1 course instructions for the related reference tables.
- Refer to CRA 3-1 for Risk Impact Descriptor to complete the "Risk Impact Area".
- Insert an impact rating of "1" to "5" into each of the seven "Risk Impact Area" columns.
- If the maximum value, say "4", appears in two of the seven "Risk Impact Area" columns, select the risk impact area you weigh more heavily than the other.
- Enter the name of the chosen area, e.g. "Finance", as the "Highest Numeric Score" entry.
- Refer to CRA 3-2 Risk Level Descriptor for:
- Risk Likelihood: Select "1" to "5" based on the frequency and input as an entry into the column "Risk Likelihood."
- Risk Rating is the "Highest Numeric Score" of the Risk Impact multiplied by the "Risk Likelihood" score. Refer to the Risk Rating and Risk Level table.
- The threats entered in this table are the ones you will present to management.