Risk analysis is a process that helps identify and manage potential problems that can have a negative impact on a business’s operations and goals. In order to carry out a risk analysis, you must first identify the possible threats your business faces and estimate the likelihood that these threats will materialize.
Our team discussed risk analysis on one of our recent live streams:
We only scratched the surface during the stream, though, and I want to continue the discussion with a practical example and a downloadable spreadsheet to help you perform a risk analysis for your business.
The starting point for any initiative around risk is the BIA or Business Impact Analysis. BIA is a review of all systems, processes, and personnel that support operations – and what happens when they become unavailable. Unavailability may be as simple as an inability to use an office space for 30 days due to occupancy issues or as complex as supply chain interruptions caused by a global pandemic preventing you from delivering goods or services to your customers.
The vast difference between our examples of unavailability alone can make the idea of performing risk analysis feel like a daunting task – but it doesn’t need to be. At the end of the day, the goal of a BIA is to identify all potential points of failure and exposure; the potential outcome of not performing one is often much worse.
Let’s break BIA down into basic sections and activities that will help you get started. We’re mixing a few systems here, as business continuity and risk management are separate disciplines, but within the context of the modern SMB, it makes sense to combine them into a single, simplified model.
The best way to begin is to break your business down into separate operational units. In our example, we’ll use Sales and Marketing, Business Services (HR, Finance, and Operations), and Executive-level team members as distinct operational units. Once each operational unit has been identified, determine the unit’s owner and any key personnel involved in maintaining operations within the unit. With key personnel identified, ask the following:
- What systems do they need access to?
- Where are the systems located?
- How are systems accessed if communications are down?
You’ll have a lot of information to track once you’ve performed the above steps, and I like to arrange everything collected in a spreadsheet. Organizing the information and assigning a priority to each identified system, process, and personnel member (Low to High, scored 1 to 3) will help determine areas for improvement.
We’ve created a sample risk analysis spreadsheet, using the examples in this blog post, to get you started:
Once you’ve identified your business’s systems, processes, and personnel, we can get to the fun part: risk analysis. Neither type of risk analysis is inherently better than the other, and a balanced risk model will include both qualitative and quantitative methodologies:
Qualitative Risk Analysis
A qualitative risk analysis subjectively assigns values based on a role within a business.
Team members work through a series of questions to identify critical systems, processes, and personnel to determine critical areas that impose risks to business operations. The process of weighing priority is largely based on how a business is organized and will vary greatly from one to the next.
Performing a qualitative risk analysis is definitely a right-brain exercise, whereas a quantitative risk analysis takes a much more objective look at your business and related risks.
Quantitative Risk Analysis
A quantitative risk analysis assigns dollar values based on calculations and is often much more difficult than a qualitative analysis. Classic examples include asking:
- What would happen if your main systems were offline for a day?
- How much revenue would you lose if there were a flood in your primary warehouse, and what is the cost of replacement stock?
This rapidly becomes a complex model with amortization and deductions, but let’s balance what’s going on between the left and right sides of our brains and put some calculations together to make sense of it all.
First, we need to define some terms and associated formulas:
Asset Value (AV):
The dollar value of an asset, i.e. $100,000
Exposure Factor (EF):
The potential percentage of the asset’s value lost in a single event, i.e. 25%
Single Loss Expectancy (SLE):
The estimated cost of a one-time event, i.e. AV * EF ($100,000 * .25 = $25,000)
Annualized Rate of Occurrence (ARO):
The expected frequency of an event over a specified period of time, i.e. once in 10 years gives an ARO of .1 (the period can be any duration of time but must be consistent across calculations.)
Annual Loss Expectancy (ALE):
The potential monetary loss over the course of the determined period, i.e. SLE * ARO ($25,000 * .1 = $2,500 for an event expected once over a 10-year period.)
These calculations can become dizzyingly complex in our fast-paced and dynamic world; insurance companies spend a large amount of time and resources on this. The key is to determine the dollar amount of identified risks, which gives you a sense of what a reasonable amount of resources to mitigate those risks should be.
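To make the arithmetic concrete, here is a small calculator that applies the terms above (AV, EF, SLE, ARO, ALE) to an asset inventory laid out the way the BIA spreadsheet described earlier is (operational unit, owner, system, 1 to 3 priority). This is an added example and is not the post’s spreadsheet or code; the inventory rows, owner names and dollar figures other than the post’s $100,000 / 25% / once-in-10-years warehouse case are constructed, and the `control_value` cost/benefit check at the end goes one step beyond the post by comparing a control’s yearly cost against the ALE it removes.

```python
# Added example, not code from the original post: a small calculator that
# applies the post's quantitative terms (AV, EF, SLE, ARO, ALE) to a
# constructed asset inventory shaped like the BIA spreadsheet described above
# (operational unit, owner, system, 1-3 priority).
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    unit: str               # operational unit that owns the asset
    owner: str              # unit owner / key personnel (constructed names)
    name: str               # system, process or person being assessed
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0-1.0)
    aro: float              # ARO: expected events per year (0.1 = once in 10 years)
    priority: int           # qualitative ranking, 1 (low) to 3 (high)


def validate(asset: Asset) -> None:
    """Reject inputs the formulas cannot sensibly use."""
    if asset.asset_value < 0:
        raise ValueError(f"{asset.name}: asset value must be non-negative")
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError(f"{asset.name}: exposure factor must be between 0 and 1")
    if asset.aro < 0:
        raise ValueError(f"{asset.name}: ARO must be non-negative")
    if asset.priority not in (1, 2, 3):
        raise ValueError(f"{asset.name}: priority must be 1, 2 or 3")


def annualized_rate_of_occurrence(events: float, years: float) -> float:
    """ARO: events expected per year, e.g. one event in 10 years -> 0.1."""
    if years <= 0:
        raise ValueError("period must be a positive number of years")
    return events / years


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: cost of one occurrence."""
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year."""
    return sle * aro


def risk_table(assets):
    """One row per asset with SLE and ALE, sorted so the largest ALE comes first
    and, for equal ALE, the higher qualitative priority comes first."""
    rows = []
    for a in assets:
        validate(a)
        sle = single_loss_expectancy(a.asset_value, a.exposure_factor)
        ale = annual_loss_expectancy(sle, a.aro)
        rows.append({"unit": a.unit, "owner": a.owner, "name": a.name,
                     "priority": a.priority,
                     "sle": round(sle, 2), "ale": round(ale, 2)})
    return sorted(rows, key=lambda r: (-r["ale"], -r["priority"]))


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit check (beyond the post): ALE removed by a control minus what
    the control costs per year. Positive means the numbers justify the spend."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed inventory (hypothetical values); the warehouse row reproduces the
# post's worked figures: AV $100,000, EF 25%, one event expected in 10 years.
SAMPLE_INVENTORY = [
    Asset("Business Services", "Ops lead", "Primary warehouse stock",
          100_000, 0.25, annualized_rate_of_occurrence(1, 10), 3),
    Asset("Sales and Marketing", "Sales director", "CRM and order system",
          60_000, 0.50, annualized_rate_of_occurrence(2, 1), 3),
    Asset("Executive", "COO", "Office lease (30-day occupancy loss)",
          40_000, 0.10, annualized_rate_of_occurrence(1, 2), 1),
]

if __name__ == "__main__":
    for row in risk_table(SAMPLE_INVENTORY):
        print(f'{row["unit"]:<20} {row["name"]:<36} P{row["priority"]} '
              f'SLE ${row["sle"]:>10,.2f}  ALE ${row["ale"]:>10,.2f}')
    # Would a $20,000/year control that cuts the CRM outage ALE to $6,000 pay off?
    print("control value per year:", control_value(60_000, 6_000, 20_000))
```

Sorting by ALE rather than by SLE is the point of the exercise: the warehouse flood has the larger single loss, but in this constructed inventory the twice-a-year CRM outage dominates the yearly figure, which is what should drive where mitigation money goes. Keep the qualitative 1 to 3 priority alongside the numbers so that an asset the business considers critical is not buried simply because its dollar value is hard to estimate.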
Risk Analysis is a Collaborative Effort
Performing a risk analysis exercise shouldn’t fall upon a single staff member within a business, nor should it take place only once. Risk is everywhere, and proper analysis is the responsibility of both a business’s management team and IT department (or provider) and must be performed at least once per fiscal year.
I hope that you take the time to perform a BIA for your business. It’s a key piece in an overall strategy to protect your data and your ability to operate and respond to an incident. Please reach out if you have any questions – don’t be part of the 40% of SMBs that don’t have a response plan and go out of business!