Part 3: Risk Assessment CRA3 v2
After identifying the list of threats and crisis scenarios faced by the organisation in the previous section, participants will then proceed to the Treatment and Control section
Part 3: Crisis Treatment and Control
Each item below is a detailed explanation of the column that you are required to complete in the template provided.
Threat Name or Crisis Scenario
- The name of each threat identified in List of Threats. Organisation BCM Coordinator and Crisis Management Team Coordinator are to ensure that all threats and crisis scenarios, that have been highlighted in the previous section are represented here under the threat column.
- Risk Impact or Impact Area analyzes the potential human impact on the organization such as the possibility of facilities being inaccessible, revenue being disrupted, personnel being killed, injured, or rendered ineffective and by each type of threat. Impact Area can be divided into 7 main categories:
- Legal & Regulatory
- Reputation & Image
- Social Responsibility
- Assets/IT Systems/Information
Highest Risk Impact (Area)
Based on all 7 categories of Impact Area in the prior section, Highest-Impact Area takes the highest Impact Rating from all 7 categories
Risk Likelihood is the probability/chance of a threat happening
Risk Rating is the result of the multiplication of the assigned value for Risk Likelihood against the assigned value of the Highest Risk Impact. The result is the Risk Rating of an individual threat.
[Risk Level]] is the overall level of assessed risk for an individual threat to the organization
Expected Period of Disruption
Expected Period of Disruption is the expected residual disruption resulting from each identified threats, taking into consideration existing controls. In the case of a crisis scenario, this period is estimated as it is very difficult to estimate the period. The period of disruption is an estimated duration during which the organization’s operations are disrupted (operationally), or access to the primary location is denied (infrastructure). For example, if the Expected Period of Disruption for any given threat is stated as 5 days, the organization will be disrupted for that amount of time.