The Importance of Risk Assessments for Businesses
FEMA defines resilience as "the capacity of individuals, communities, businesses, institutions, and governments to adapt to changing conditions and to prepare for, withstand, and rapidly recover from disruptions to everyday life, such as hazard events" (Source: FEMA, 2017). Resilience towards all hazards should be a primary focus in protecting your organization, employees, and assets from potential loss.
A few recent statistics help illustrate the risk landscape today:
In 2022, over $165 billion was spent relating to fires, floods, and hurricanes.
It may not be a surprise to some that 100% of businesses were impacted by the COVID-19 pandemic. The impacts of the pandemic include new employee work structures, vaccination requirements, and shifting work environments.
In 2022, there were over 300 active shooter events in the United States.
Based on research, by 2025, cybercrimes are expected to rise to $10.5 trillion.
The first step in protecting your employees and organization is preparedness. To plan for continuity response and recovery efforts, risk assessments are critical to understanding threats that your organization may and will face.
What Is a Risk Assessment?
A risk assessment is a method and tool that identifies all threats and hazards to help better understand what areas of the business are most likely to experience the most significant impact when a disaster occurs. These hazards are put into a ranking system based on the highest impact and probability to your organization. When conducting risk assessments, common questions that experts typically ask are:
What is the probability of this event happening to our organization?
If this event occurs, how much of an interruption will it cause?
What capabilities and mitigation measures do we have if this threat impacts our business?
Have we thought through all the types of threats (human-impacted, vendor, technological, supply chain, natural hazard)?
Why Should Your Organization Build a Risk Assessment Now?
It is critical for your organization to conduct a risk assessment annually. Preparing for hazards and potential interruptions by conducting risk assessments can help an organization avoid losing money or, worse, permanent business closure. When an organization experiences downtime due to a business interruption, the chances of higher losses may occur. These losses could include but are not limited to assets, employees, business income, and customers. It is also essential to improve the recovery time objectives (RTO) to combat the potential losses from the interruption.
Risk assessments are an excellent tool for finding gaps to assess the effectiveness of a continuity plan. Experts in the field want organizations to take an all-hazards approach by outlining the potential risks and avenues you may face, thus being proactive and preparing for recovery operations. The all-hazards approach is "an integrated approach to emergency preparedness planning that focuses on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters, including internal emergencies and a man-made emergency (or both) or natural disaster." Source: U.S. Centers for Medicare & Medicaid Services, 2017
Additionally, annual updates to risk assessments help organizations avoid misconceptions. Common misconceptions include:
We don’t need a plan because our insurance covers losses.
Reality: It is important to research and speak with your insurance to understand exactly what your plan does and does not cover. More often than not, insurance companies will refuse to cover 100% of the loss from certain types of hazards.
I don't have time to develop a plan.
Reality: It is common for risk assessments and continuity plans to get cut from project timelines and budgets. When an incident and interruption occur, most organizations who do not have a continuity plan say they wish they had made it a priority.
How Should I Get Started in Building a Risk Assessment?
There are many different methodologies and ways to begin developing a risk assessment. The first rule of thumb is to conduct research about what threats your business may face. Research could include using tools such as geographical information systems (GIS) tools, hazard maps, statistic rates, infrastructure plans, and more.
Once research has been conducted, compile a list and rank the hazards on a scale based on the probability of this event occurring and the level of impact it would have on your business.
What Other Resources Can I Use?
Invest in software: There are many companies with software tools that will rank and structure threats and risks for your organization, such as Preparis Planner. These software tools are a great resource and take no time to use.
Hire an outside consultant: Experts in the field are trained and certified to conduct risk assessments for organizations and agencies. Using a professional in the field allows for an outside perspective to ensure threats and hazards are not missed. It also saves organizations time to complete a risk assessment and limits the amount of time taken away from other projects and priorities.
Conduct a manual risk assessment: There are multiple methods to conduct a risk assessment, such as a ranking priority system and heat maps. The ranking priority system ranks threats and hazards on a numeric system based on probability and impact. The heat map method plots the threat on a matrix based on probability and impact, which is categorized by colors (red = high; green = low).
Having the research and priority rankings of potential threats and hazards to your business will help strengthen your organization’s continuity plan. It is critical to train and educate employees and staff about the threats your organization may face to improve coordination and communication amongst your team.
At the end of the day, resilience is the goal that companies and organizations should be striving to achieve, and risk assessments are the first step on the road to resilience.