–
Download the Threat and Risk Assessment template here.
Price: FREE Download
About this template
- A threat and risk assessment template is used to record the internal and external threats to your organization so you can assess the risk of disruption to your prioritized processes and activities.
- The template also helps you better understand how much a control has reduced the likelihood and impact of a risk.
- This template can be used to support a consistent approach towards risk assessment across your organization.
–
What is in the threat and risk assessment template
There are three tabs in the threat and risk assessment template. The Threat Profile tab is used to record the known and anticipated internal and external threats to your organization. You can prioritize the threats based on a score.
The Risk Assessment tab is used to record, analyse, evaluate and treat your risks to the threats. If you prioritize your risks, you can focus on reducing the high risks first.
The Risk Matrix tab allows you to define the thresholds for likelihood and impact so risk is consistently assessed across your organization. You can determine whether the risk is acceptable to your organization and guide the level of controls required to mitigate the risk.
Threat and risk intelligence
If you need support with identifying threats or risks, or to better evaluate a known threat, then we highly recommend Horus Security Consultancy. Al has used their services on a number of occasions and their work has always been exceptional. Horus Security Consultancy offer a range of innovative, tailored and intelligence-led solutions to enable businesses to make decisions based on reliable information collected and analysed by their subject-expert team members.
Horus are vastly experienced with backgrounds in the military and law enforcement, providing intelligence and other security insight through a huge range of sectors, including pharmaceuticals, higher education, construction and transport. With over 15 years providing security services, Horus have developed a diverse and impressive portfolio of global clients who trust them implicitly to deliver end-to-end security through timely, accurate and ethical information sourcing.
–
Other relevant templates available to download
–
Please find below a list of Frequently Asked Questions for the business impact analysis
What is the difference between a risk and a threat?
ISO 31000 describes risk as the “effect of uncertainty on objectives”. This can be positive or negative. I found a great journal about how to write good risk statements on ISACA so I recommend checking that out.
ISO 22300 describes a threat as a “potential cause of an unwanted incident, which could result in harm to individuals, assets, a system or organization, the environment or the community”. Threats can be internal or external; I’ve included some examples of external threats in my threat and risk assessment template which is freely available to download on this page.
What is the difference between a risk assessment and threat assessment?
A threat assessment seeks to identify relevant internal and external threats that may result in harm to individuals, assets, a system or organization. A risk assessment (in the context of business continuity) identifies, analyses and evaluates the risk of disruption to resources and activities that may result from the threat should it occur. This allows you to establish appropriate controls to reduce the likelihood and/or impact of risks occurring as a result of the threat. In some cases, it might be that an organization chooses to accept the risk because the cost of mitigation outweighs the benefit. After a risk assessment has been completed, threats can be prioritized based on the risk of disruption to the organization. This can help to focus mitigation planning as it might be there is a particular concentration of risk from a specific threat.
What is a threat and risk assessment?
A threat and risk assessment, in the context of business continuity, is used to list the relevant internal and external threats to an organization and the risks associated with those threats, that if they occur, may disrupt an organization’s activities and resources. Controls can then be put in place to mitigate the impact and/or likelihood of those risks occurring.
How do I identify threats?
There are many resources available to help you identify relevant internal and external threats to an organization. You could:
- Read horizon scan reports
- Become a member of a collaborative network in the same business sector
- Join a local business resilience forum
- Use a specialist third-party (such as HORUS) to provide bespoke threat assessments
- Check out the national risk register
- Refer to existing internal risk registers, incident databases or discuss with staff
- View natural hazard maps and travel risk tools for insight
- Even the world news and national news can help you identify threats at an early stage and social media can be helpful too.
It’s worth trying some of the above and doing your own research to see what is most helpful to you.
Supporting Information
PURPOSE
A threat and risk assessment is used to reduce the likelihood and impact of disruptive risks to the prioritized processes and activities that support your products and services.
–
TOP TIPS
After you have gathered threat intelligence, you could schedule a risk workshop with your employees that understand how the relevant processes and activities could be impacted.
For more information on Business Continuity, we very much recommend looking at the Business Continuity Institute’s Good Practice Guidelines.
FACT
We would advise you not to evaluate risk in isolation because this may lead to gaps in knowledge and inaccuracies. For example, what is considered moderate impact to one person may be critical to another (if that second person is aware of additional information).