How to conduct a Business Threat Assessment
by Neil Conchie, on Feb 17, 2021 9:15:00 AM
Often referred to as a risk assessment, a business threat assessment allows you to identify potential threats to your business and understand the effect they could have. That understanding helps you make plans both to mitigate them and to deal with them if they happen.
There are lots of things to consider in a business threat assessment, and it goes without saying that you never know what is just around the corner. Even if you prepare for every eventuality you are likely to come up against an uncertain situation that affects both employee safety and business operations.
It is impossible to predict every threat your business will face, and even once you have identified a threat it will not always be possible to eliminate it entirely. By having a business threat assessment in place, however, you can be sure that you are at least prepared for it.
There are 4 steps to conducting a business threat assessment.
Step 1 – Identify the threats
Without identifying the threats it is impossible to plan for them or try to mitigate them. There are a variety of different threats to consider as part of this process, but put simply they fall into two main categories.
External threats are threats which originate outside your business, such as weather events, geological events such as earthquakes, biological events such as an outbreak of disease, transportation events such as closure of main transport routes, communications events such as a radio tower failure, and acts of violence such as civil disturbances.
</gml_replace>
<gr_replace lines="10" cat="clarify" orig="Whilst you have">
Whilst you have no control over many of these external factors, you can monitor them by keeping an eye on the local and national news and reacting where necessary.
Whilst you have no control over many of these external factors, you can monitor them by keeping an eye on the local and national news and reacting where necessary.
Internal threats are the things within your own business or organisation, such as information technology failures including internet outages or system downtime, utilities outages such as water or power cuts, breaks in the chain such as supplier failures, workplace accidents such as mechanical breakdowns, and hazardous materials incidents such as a gas leak.
These internal threats are often easier to identify as your business has a degree of control over them, but they also tend to be much more company-specific. As an example, a radiological accident is not likely to happen in the offices of a law firm as they are not in contact with any radioactive materials, but at a laboratory or a power station this would be a legitimate concern.
The best way to audit your internal threats is to complete a comprehensive analysis of every aspect of your business, from the supply chain right through to delivery of your product or service, and to make sure that every step of the process is accounted for.
Step 2 – Assess the threats
Now that you have a list of potential threats, both internal and external, it is wise to spend some time assessing them, and this is done with two things in mind: what would the impact of the threat be if it were to affect your business, and how likely is it to happen? By looking at these two things together you will be able to decide which threats require the most thought and planning to ensure their effects are mitigated as much as possible.
You should also consider that some threats will not be applicable all of the time. If one of your threats is flooding, it is unlikely to happen at the height of summer, so although it would have a huge impact on your business, the likelihood changes throughout the year.
As well as looking at likelihood and impact when assessing risks, you also need to consider that there are three broad categories of impact to your company.
Impact on People
The biggest asset in any company is arguably its employees, so the first area we’re going to look at is the impact of each threat on the people who work for or with you. In the example used above, flooding tends to affect a whole vicinity, so the risk is to more of your employees than if there were an act of violence in an office block where only five of your employees work regularly. A key consideration here is how you are going to find out how many of your employees are affected.
Impact on Locations
Do you have multiple locations? It’s not unusual for large organisations to have offices or employees in different cities or even countries. As part of identifying and assessing your threats, it is useful to also map out which locations each threat is likely to affect. In the flooding example, you may have an office in one area which is prone to flooding and another in an area that has never flooded. If you have multiple locations it can be impossible to monitor all of the threats for all of your locations yourself, so you may have to designate a threat manager in each location to keep an eye on the threats pertinent to that location.
Impact on Assets
This area is arguably the most company-specific, as it can include specific locations and types of locations such as a storage or distribution centre, or even a data centre. Some threats may affect some, but not all, of these facilities, so it is important to ensure that you have the right type of alert set up for each area.
For example, a data centre will arguably be more worried about fluctuations or outages in the electricity supply, while a distribution centre may be more focused on the internal IT system that tells it what asset to dispatch and where to. By identifying these differences in interest you can ensure that each area of your business only receives data and updates on the threats which matter to it, which helps to reduce overwhelm and alert fatigue.
Step 3 – Develop Controls
So now that you know your threats and you’ve put a value against how likely and impactful they are, what’s next? Planning your response! To do this there are two very important questions to ask.
How do we decrease the impact of this threat?
How do we decrease the likelihood that this threat can happen?
For some threats it will be almost impossible to decrease the likelihood of the threat happening, such as weather events when you are located in an area prone to flooding. In this case, all you can do is take steps to decrease the impact. You could order sandbags, set your team up for remote working, or look at other systems such as a dashboard that notifies your employees when a flood warning is declared. That lets them decide ahead of time to work remotely, removing them from the danger of travelling and allowing you to plan effectively with the workforce you know you will have available.
For other threats you will be able to decrease both the likelihood and the impact, as in the data centre we mentioned previously. Ensuring that back-up power is always available in case the mains grid goes down not only reduces the likelihood of your data centre losing power, it also reduces the impact on your business if the main power grid were to go down, because the data centre will always have power.
In some businesses where threats are specific (such as the use of biohazardous materials), further training for your staff can help to reduce both the likelihood and the impact of a threat: a well-trained team is less likely to cause the incident and more skilled at dealing with it when it does happen.
By working through the list and looking at ways to decrease the likelihood and minimise the impact of each threat, you can then decide whether the residual risk is still too high and what other measures you can take until you reach a level that is acceptable for your business or organisation.
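To show how steps 1 to 3 fit together, here is an added worked example (not from the original post) of a small threat register in Python. It scores each threat by likelihood and impact on a 1 to 5 scale, applies the seasonal likelihood change described for flooding, maps threats to locations, applies controls that reduce likelihood or impact, and reports which threats still exceed an accepted residual risk. The threat names, sites, scores and controls are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    category: str            # "external" or "internal"
    locations: set           # sites this threat can affect
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    seasonal: dict = field(default_factory=dict)  # month -> likelihood override

@dataclass
class Control:
    threat: str              # name of the threat this control addresses
    likelihood_reduction: int = 0
    impact_reduction: int = 0

# Constructed sample register (illustrative values only)
THREATS = [
    Threat("Flooding", "external", {"riverside-office"}, 4, 5, seasonal={7: 1, 8: 1}),
    Threat("Mains power outage", "internal", {"data-centre"}, 3, 5),
    Threat("Dispatch IT outage", "internal", {"distribution-centre", "riverside-office"}, 2, 3),
]
CONTROLS = [
    Control("Flooding", impact_reduction=3),              # remote working + flood alerts
    Control("Mains power outage", likelihood_reduction=2, impact_reduction=3),  # backup power
]

def likelihood_in(threat, month):
    """Likelihood for a given month, honouring seasonal overrides (e.g. summer flooding)."""
    return threat.seasonal.get(month, threat.likelihood)

def score(threat, month, controls=()):
    """Risk score = likelihood x impact, after applying any controls for this threat."""
    likelihood, impact = likelihood_in(threat, month), threat.impact
    for c in controls:
        if c.threat == threat.name:
            likelihood = max(1, likelihood - c.likelihood_reduction)
            impact = max(1, impact - c.impact_reduction)
    return likelihood * impact

def threats_for_location(threats, site):
    """Step 2 location mapping: which threats should this site's threat manager watch?"""
    return sorted(t.name for t in threats if site in t.locations)

def residual_above(threats, controls, month, threshold):
    """Step 3 review: threats whose residual risk still exceeds the accepted level."""
    return sorted(t.name for t in threats if score(t, month, controls) > threshold)
```

Running `residual_above(THREATS, CONTROLS, 1, 6)` shows that flooding in January still needs further measures even after the remote-working control, while backup power brings the data centre outage within the accepted level.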
Step 4 – Evaluate your response
Now that you know your threats, how they’ll affect you and how to control them, the only thing left to do is to test the responses and measures you’ve put in place.
There are a lot of questions to ask yourself about your response, but here are a few of them.
Had we identified this threat?
Did we accurately assess how likely it was?
Did we accurately assess the impact of the threat?
Could we have avoided the threat?
What control measures did we have in place?
Were our control measures effective?
How effective were the control measures?
Did we respond in a timely manner?
How effective was the communication we sent out?
Did we have the right resources to deal with the threat effectively?
Ultimately these all lead to one question: ‘how can we improve?’
No plan is ever perfect, and there will always be things you can tweak and improve so that the next time you face a threat you are even better prepared to deal with it effectively and minimise the impact on your people and business.
It is also important to ensure that you review your business threat assessment regularly, and as a general rule of thumb we would suggest at least yearly.
When was the last time you conducted a business threat assessment?
Want to know how our communication platform can help you to improve your response to a potential threat? Book a demo now to find out more!