RAR 3-1: IT Risk Impact and Likelihood Assessment

Note that the text in italics serves as supporting instructions for participants attending and attempting BCM Institute's Blended Learning assignment

Similar to threat identification and evaluation, if an organisation has business units operating in multiple sites, relevant business units shall perform risk impact and likelihood assessment for each site in which they operate in.

After identifying the possible treatment to the threats faced by the organisation, participants will then proceed to analyse and determine the threats that an organisation should prioritise and take the necessary actions.

RAR 3-1: Risk Impact and Likelihood Assessment

BL-B-5 Click to know more

Threat Name (Col 2)

The name of each threat identified in RAR 1-1: List of Threats. Organization DR Coordinator is to ensure that all threats that have been highlighted in the previous section are represented here under the threat column.

Impact Area (Col 3 to 9)

This is the potential effect, generally adverse, that the occurrence of the threat will have on the organisation. Impacts are categorized into the following areas and the descriptor is shown in Descriptor for Risk Impact and Impact Area.

Risk Impact or Impact Area analyzes the potential human impact on the organization such as the possibility of facilities being inaccessible, revenue being disrupted, personnel being killed, injured, or rendered ineffective and by each type of threat. Impact Area can be divided into 7 main categories:

• Finance
  • There will be financial or quantifiable impact due to loss of revenue, damages to property or equipment.
• Operations
  • The critical business processes or day-to-day operations of the organisation are impacted.
• Legal & Regulatory
  • Non-compliance with regulatory requirements, inability to fulfil contractual obligations leading to penalties and sanctions; or strategy changes, i.e. outsourcing a service or production line to vendor.
• Reputation & Image
  • The organisation’s reputation and the image is adversely impacted and may lead to adverse coverage on various media platforms due to delay or unavailability of key products and services.
• Social Responsibility
  • Public and/or community needs, expectations and interests are impacted by the specific threat.
• People
  • The threat that may cause adverse impacts on personnel, i.e. employees, part-time staff and agency staff.
• Assets/IT Systems/Information
  • Critical assets, technology, telecommunications and information are impacted by the specific threat. Assets refer to critical building, facilities, equipment, utilities or physical security of premises.

Highest Risk Impact (Col 10)

This is the highest risk impact out of the 7 impact areas. This will provide the maximum impact to the organisation due to the occurrence due to the threat.

Based on all 7 categories of Impact Area in the prior section, Highest-Impact Area takes the highest Impact Rating from all 7 categories.

• Should there be two or even 3 numeric inputs that are the same value, the numbers are appended initially to the column (10) and further deliberated to determine which will be the highest impact even though they are of the same value.

Risk Likelihood (Col 11)

The chance of the threat occurring. This is relative to the organisation’s operating environment and rated on a scale of 1 to 5. The detailed breakdown of likelihood is in Descriptor for Risk Likelihood.

Risk Likelihood is the probability/chance of a threat happening. The accurate rating and description for this table of risk likelihood can be obtained from your risk management team. It is preferred to be rated on a 1 to 5 level scale whereby 5 is the shortest duration of say, once in every 3 to 6 months.

Risk Rating (Col 12)

Risk Rating and Risk Level

Risk Rating is the product of Risk Likelihood (multiplied) with the Highest-Impact Rating. It represents the overall Risk Rating of a threat to the organisation taking into consideration the Risk Likelihood of the threat occurring and its Risk Impact. Refer to Sample Risk Ratings and Risk Levels.

Risk Rating is the result of the multiplication of the assigned value for Risk Likelihood against the assigned value of the Highest Risk Impact. The result is the Risk Rating of an individual threat.

Risk Level (Col 13)

This is the perceived level of risk to the business unit as assessed against each identified threat. A sample of risk ratings and their corresponding risk levels is attached in Sample Risk Ratings and Risk Levels. Enter the value as Very Low, Low, Medium, High, Very High.

Risk Level is the overall level of assessed risk for an individual threat to the organization

Expected Period of Disruption (Col 14)

This is an expected period of disruption (hours or days) resulting from the exposure of the (unmitigated) residual risk of the identified threat after taking into consideration the existing controls. In this time duration, the organisation’s operations are disrupted, or access to the primary location is denied.

• Expected Period of Disruption is the expected residual disruption resulting from each identified threat, taking into consideration existing controls.
• The period of disruption is an estimated duration during which the organization’s operations are disrupted (operationally), or access to the primary location is denied (infrastructure).
• For example, if the Expected Period of Disruption for any given threat is stated as 5 days, the organization will be disrupted for that amount of time.

Instruction to BL-DR-3/5 M2 Participant

• Transfer the threats from RAR 1-1 to RAR 3-1 to continue the next part of the assignment.
  • Refer to M2-S1 course instruction for related tables for referencing

• To complete this template, please refer to the additional note highlighted in italics and also the hyperlinks to related topics to better understand the objectives and your selected entries for the assignment. Each column in the template is explained on this page.

Click to know more about expert level training