<Organization>
Risk assessment report
<Version>
<Date of approval and publishing>
In the course of its business, <organization> encounters different threats that affect its assets, services, and work environment. As part of the BCM life cycle, the goal of risk assessment is to identify, analyze, weigh, and prioritize the potential risks and hazards that affect critical aspects of the business, wherever they arise in the internal and external environments. By identifying these threats and hazards, <organization> can concentrate on developing and implementing strategies, plans, and tactics to mitigate and reduce their probabilities and/or related impacts.
The objectives of the risk assessment phase in the BCM life cycle are to:
The risk assessment was performed through the following activity streams:
The ratings (low/medium/high) given to risks are based on probability and impact. The probability identifies the chance of the realization of the risk in the current environment. The impact identifies the consequences and effects when these risks materialize. The risk rating is calculated as follows:
risk = probability x impact
When calculated, the risks are then qualified into three categories: low, medium, and high. The following table illustrates the qualification scheme.
| Rating | Probability x impact | Explanation |
| --- | --- | --- |
| Low | Low x low | A low risk rating indicates that the probability of its occurrence is low and the potential impact of the threat is insignificant. |
| Medium | Medium x low | A medium risk rating indicates that the probability of its occurrence is moderate and the potential impact of the threat may result in a disaster if it is not adequately controlled or addressed. |
| High | Medium x high | A high risk rating indicates that the probability of its occurrence is high and the potential impact is so significant that it may result in a disaster. |
Risk management options fall into four categories: accept or take, monitor and avoid, monitor and transfer, and mitigate. Below is an explanation of each of these management techniques:
| Technique | Explanation |
| --- | --- |
| Accept | The risk is accepted when the probability and impact are reasonably low or the cost of treating the risk is unreasonably high. |
| Monitor and avoid | This option is selected when the probability of occurrence is relatively high but the impacts are low or insignificant. As these risks need to be closely monitored for impact increases, their causes are avoided as much as possible in order to eliminate or reduce a high probability. |
| Monitor and transfer | Risks that are low in probability and high in impact are managed through the transfer of risk and responsibility. Insurance is a clear example of this option. These risks need to be closely monitored for probability increases. |
| Mitigate | Mitigation of a risk involves actions to reduce its probability and/or impact. These actions may be physical through hardware and resources or logical through policies and controls. |
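The rating scheme (risk = probability x impact, qualified into low/medium/high) and the four treatment options above, worked through as a small register calculator. This is an added example and not part of the template. The 1-3 numeric scale behind the qualitative levels, the thresholds used for products the qualification table does not list (low x high, medium x medium, high x high), the treatment-selection rule applied to medium levels, and the sample register entries are all assumptions constructed for illustration.

```python
"""Risk rating, treatment selection and prioritisation for a BCM risk register.

Added example, not part of the original template. The numeric scale, the
thresholds for unlisted products and the sample entries are assumptions.
"""
from dataclasses import dataclass

# Assumption: qualitative levels mapped to an ordinal 1..3 scale so that
# "risk = probability x impact" can be computed as a product.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ORDER = ["low", "medium", "high"]


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str
    impact: str
    target_rating: str  # the "Targeted risk rating" column of the register


def risk_score(probability: str, impact: str) -> int:
    """risk = probability x impact on the 1..3 scale."""
    return LEVELS[probability] * LEVELS[impact]


def qualify(score: int) -> str:
    """Map the product onto the low/medium/high qualification scheme.

    The template fixes three points: low x low (1) -> low,
    medium x low (2) -> medium, medium x high (6) -> high.
    Assumption for the other products: 1 is low, 2..4 is medium, above 4 is high.
    """
    if score < 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def rating(probability: str, impact: str) -> str:
    return qualify(risk_score(probability, impact))


def treatment(probability: str, impact: str) -> str:
    """Select the treatment option from the probability/impact pair.

    accept: both low; monitor and avoid: probability high, impact low;
    monitor and transfer: probability low, impact high; otherwise mitigate.
    Assumption: a medium level counts as "high" for this selection.
    """
    p, i = LEVELS[probability], LEVELS[impact]
    if p == 1 and i == 1:
        return "accept"
    if p > 1 and i == 1:
        return "monitor and avoid"
    if p == 1 and i > 1:
        return "monitor and transfer"
    return "mitigate"


def assess(register: list[Risk]) -> list[dict]:
    """Rate every entry and flag targets that are not an improvement.

    target_ok is False when the targeted rating is higher than the current
    rating, which is a data-entry error a reviewer would want surfaced.
    """
    rows = []
    for r in register:
        current = rating(r.probability, r.impact)
        rows.append({
            "id": r.risk_id,
            "risk": r.description,
            "score": risk_score(r.probability, r.impact),
            "rating": current,
            "treatment": treatment(r.probability, r.impact),
            "target": r.target_rating,
            "target_ok": ORDER.index(r.target_rating) <= ORDER.index(current),
        })
    return rows


def prioritize(rows: list[dict]) -> list[str]:
    """Register IDs ordered by descending score (stable for ties)."""
    return [row["id"] for row in sorted(rows, key=lambda row: -row["score"])]


# Constructed sample register; descriptions and levels are illustrative only.
SAMPLE_REGISTER = [
    Risk("RSK001", "Extended power outage at primary site", "low", "high", "low"),
    Risk("RSK002", "Key staff unavailable during seasonal illness", "high", "low", "low"),
    Risk("RSK003", "Ransomware on shared file servers", "medium", "high", "medium"),
    Risk("RSK004", "Office printer failure", "low", "low", "low"),
    Risk("RSK005", "Entry with a mistyped target rating", "low", "low", "medium"),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER)
    for row in rows:
        flag = "" if row["target_ok"] else "  <- target above current rating"
        print(f'{row["id"]} {row["rating"]:<6} {row["treatment"]:<20} target={row["target"]}{flag}')
    print("priority order:", ", ".join(prioritize(rows)))
```

Running the block prints one line per register entry with its rating, selected treatment and target, flags the entry whose targeted rating is above its current rating, and ends with the prioritised ID order. Swap `SAMPLE_REGISTER` for the organisation's own entries to reproduce the register table.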
<List information collected from questionnaires>.
| ID | Risk | Treatment actions | Review date | Targeted risk rating |
| --- | --- | --- | --- | --- |
| RSK001 | | | | |
| RSK002 | | | | |
| RSK003 | | | | |
| RSK004 | | | | |
| RSK005 | | | | |
| | | | | |
| RSK007 | | | | |
| RSK008 | | | | |
| RSK009 | | | | |
| RSK010 | | | | |
| RSK011 | | | | |
| RSK012 | | | | |
| RSK013 | | | | |
| RSK014 | | | | |
| RSK015 | | | | |
| | | | | |
| RSK017 | | | | |
| RSK018 | | | | |
| RSK019 | | | | |
| RSK020 | | | | |
| RSK021 | | | | |
| RSK022 | | | | |
| RSK023 | | | | |
| RSK024 | | | | |
| RSK025 | | | | |
| | | | | |
| RSK027 | | | | |