Calculated Risk: The Two Kinds of Risk Assessment

There are two kinds of risk assessment. In today’s blog we’ll look at what they are and why your company would benefit from performing one of each type, once every year.

Related on BCMMETRICS: Driving Blind: The Problem with Skipping the Threat and Risk Assessment

The Two Types of Risk Assessment

A lot of people who come to the blog are looking for basic information on risk assessment as it relates to business continuity management (BCM) and organizational resiliency.

To help those readers, I want to break down the two types of risk assessment that are commonly performed by enterprise risk teams and BCM offices and consultants.

The two types of risk assessment are the Threat and Risk Assessment (TRA) and the Corporate Risk Assessment (CRA).

Each type focuses on a different kind of potential danger to the organization. One thing they have in common is, each is a tool that protects the company. They do this by structuring and systematizing the process of identifying, assessing, and managing the threats in the environment.

The TRA is most closely associated with the practice of business continuity management. The CRA is more closely linked with the enterprise risk group.

This difference explains the contrasting but complementary emphasis of the two types of assessment.

The Threat and Risk Assessment

The Threat and Risk Assessment is a foundational BCM tool. It is a survey of the operational environment that lists potential threats to the organization’s ability to carry out its mission critical functions. It assesses each threat in terms of how likely it is to occur and how damaging it would be.

The TRA looks at natural, human, and technological events. It focuses on activities that society at large would tend consider to be emergencies.

Many involve visits by first responders.

The kinds of threats looked at in a TRA include tornados, earthquakes, fires, active shooters, cyberbreaches, power outages, civil unrest, chemical leaks, and reputational impacts caused by employee misconduct.

These all have the capability of preventing the organization from carrying out its core operations, thus causing harm to stakeholders.

After identifying and assessing the risks, the TRA looks at what controls are in place to mitigate each risk and how much residual risk remains after these are taken into account.

We conduct the TRA after we perform the Business Impact Analysis (BIA).

Once the BIA identifies which operations are most critical, the TRA can focus in on those operations—and the threats to them.

The Corporate Risk Assessment

The Corporate Risk Assessment is a horse of a different color.

Like the TRA, the CRA identifies and assesses significant threats to the company’s well-being. Also like the TRA, it promotes the conscious and rational mitigation of those threats.

However, the type of threat the CRA looks at is different.

Most of the threats considered by the CRA are not emergencies in the view of society at large. Rather, they result from the normal ebb and flow of business and of societal change.

Examples of threats looked at in a CRA include disruption of the company’s supply chain, an economic downturn, a work stoppage, a rise in government regulations, the entry into the market of a competitor, a rise in the cost of capital, and a shift in customer preference.

Few if any of these events are likely to result in the arrival at the company’s facility of first responders driving up with their sirens on and lights flashing.

However, all have the potential to harm the organization and it’s stakeholders. For this reason, you should identify, assess, and manage all of the main threats of this type facing the company, just like the threats covered in the TRA.

One of Each, Once a Year

So those are two kinds of risk assessments: The TRA looks at threats to the company’s ability to carry out its mission critical operations. The CRA considers threats to the organization’s competitive position.

Because they focus on different risks, I recommend every organization conduct both kinds of risk assessment.

And because the risk landscape is always changing, I recommend that each assessment be conducted or updated once a year. (Organizations in sectors where the pace of change is slow can sometimes get away with performing risk assessments once every two years.)

By systematically identifying, assessing, and managing the risks to their operations and competitive position, organizations of all types can better protect themselves and their stakeholders.

Further Reading

For more information on managing risk and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:

• Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
• Don’t Just Hope: Choosing Strategies to Mitigate Risk
• Every Single Day: Make Risk Management Part of Your Company’s Culture
• Driving Blind: The Problem with Skipping the Threat and Risk Assessment
• The Risk Management Process: Manage Uncertainty, Then Repeat
• The 5 Most Important Risk Mitigation Controls
• Checking It Twice: The Corporate Risk Mitigation Checklist