Welcome to Rothstein Publishing!

The Manager’s Guide to Risk Assessment: Getting It Right

Risk assessment is required for just about all business plans or decisions. As a responsible manager, you need to consider threats to your organization’s resilience. But to determine probability and impact – and reduce your risk – can be a daunting task. Guided by Douglas M. Henderson’s The Manager’s Guide to Risk Assessment: Getting It Right, you will confidently follow a clearly explained, step-by-step process to conduct a risk assessment.



As you embark on the risk assessment process, you could not find a better and more uniquely qualified guide than Douglas M. Henderson. His 20+ years of experience with major consulting firms includes certification as a professional actuary and business continuity planner. His actuarial knowledge makes him an expert in applying mathematical and statistical methods in understandable terms to help organizations to assess and manage risks. He has applied this real-world knowledge of risk to helping businesses prepare for emergencies and business interruptions of all types.

Henderson offers samples and checklists, including case studies using a fictional company in which he conducts a complete qualitative risk assessment and then a complete quantitative risk assessment, then arrives at a set of comparable actions. His explanations and sample problems will help you to:

  • Define risk management terms, such as threat, event, and risk control.
  • Identify threats and determine the worst-case situation your organization could face.
  • Collect information on probability for natural and non-natural threats.
  • Understand the difference between qualitative and quantitative risk assessment.
  • Describe probability and impact levels.
  • Identify exposures and examine specific risk controls.
  • Estimate a financial value for implementing a risk control.
  • Determine when outside professional help is needed.

As an added bonus, Henderson explores the topic of risk controls with you, helping you to evaluate what risk controls will best reduce the probability of disruptive events and reduce their impact should they occur. To ensure the best investment of time and money, you will know how to perform a cost-benefit analysis for each possible risk control to make the best choice for your organization.


Table of Contents


Title Page



Chapter 1: Overview of Risk Management

    1.1 What Are Threats, Events, and Disruptive Events – and How Are They Linked?

    1.2 What Are Risk, Risk Assessment, and Risk Analysis?

        1.2.1 Risk

        1.2.2 Risk Assessment

        1.2.3 Risk Analysis

    1.3 The Big Picture

    1.4 Risk Assessment Within BCM

        1.4.1 Three Analysis Components in BCM

    1.5 Risk Treatment Procedures

        1.5.1 Risk Avoidance: Why Not Eliminate Risk Entirely?

        1.5.2 Risk Transfer: The Easy Way Out?

            Insurance

            Subcontracting

        1.5.3 Risk Reduction

            Physical Risk Controls

            Procedural Risk Controls

            Identify Vulnerabilities

        1.5.4 Risk Acceptance

    1.6 Conducting a Risk Assessment

        1.6.1 Assemble a Team

        1.6.2 Consider a Consultant

        1.6.3 Consider Purchasing Software

        1.6.4 Consultant and Software Summary

        1.6.5 Develop an Action Plan

        1.6.6 Report to Management

    Questions for Thought, Review, and Discussion

    References

Chapter 2: Threat Identification

    2.1 Identifying Threats

    2.2 Grouping Threats

    2.3 Why Not Cover Just the Most Extreme (Worst Case) Threat?

    2.4 Natural Threats

        2.4.1 Weather Threats

        2.4.2 Seismic

        2.4.3 Other Natural Threats

    2.5 Man-Made Threats

        2.5.1 Internal (Likely Intentional/Security Related)

        2.5.2 Internal (Likely Non-Intentional)

        2.5.3 External (Likely Intentional)

        2.5.4 External (Likely Non-Intentional)

        2.5.5 External (Likely Non-Intentional Medical)

        2.5.6 External (Likely Non-Intentional Transportation)

        2.5.7 External (Likely Non-Intentional Utility)

    2.6 Technology Threats

        2.6.1 Alternate Site

        2.6.2 Communication (External or Internal)

        2.6.3 Data Center

        2.6.4 Information Management

        2.6.5 Information or Cyber Security Management

    2.7 Other Threats

        2.7.1 Internal

        2.7.2 External

    Questions for Thought, Review, and Discussion

    References

Chapter 3: Determining Probability and Impact for Risk Assessment

    3.1 Risk Determination

    3.2 Determining Probability

        3.2.1 Natural Threats

        3.2.2 Non-Natural Threats

    3.3 Determining Impact

        3.3.1 Disruption of Operations

        3.3.2 How Does a Risk Cause Downtime?

        3.3.3 When Does a Disruption of Operations Cause a High Impact?

        3.3.4 Importance of Risk Controls

        3.3.5 Additional Considerations

            Example #1: Ice Storm

            Example #2: Hurricane

            Example #3: Flood

            Example #4: Oil Spill

    3.4 Does the High Probability and High Impact Risk Category Exist?

    3.5 Qualitative and Quantitative Risk Assessment

        3.5.1 Which Approach Is Better?

    Questions for Thought, Review, and Discussion

    Further Reading

Chapter 4: Qualitative Risk Assessment

    4.1 Qualitative Risk Assessment

    4.2 How to Use a Risk Matrix for EveryChem, a Sample Organization

        4.2.1 Probability for Seven Sample Threats

        4.2.2 Impact for Seven Sample Threats

        4.2.3 Risk Assessment Using 2X2 Risk Matrix

        4.2.4 Recommended Management Action from Risk Assessment

    4.3 Limitations of the 2X2 Risk Matrix

    4.4 A Second Approach: Using a 3X3 Risk Matrix

        4.4.1 Moderate Probability and Impact

    4.5 An Example 3X3 Risk Matrix for EveryChem, the Sample Company

        4.5.1 Expanded Probability for Seven Sample Threats

        4.5.2 Expanded Impact for Seven Sample Threats

        4.5.3 Risk Assessment Using 3X3 Risk Matrix

        4.5.4 Recommended Management Action from Expanded Risk Assessment

        4.5.5 Advantages of 3X3 Risk Mat

    4.6 Can the 3X3 Risk Matrix Be Expanded?

    Questions for Thought, Review, and Discussion

Chapter 5: Quantitative Risk Assessment

    5.1 Quantitative Risk Assessment

    5.2 Improving the Simple Formula by Squaring Impact

    5.3 How to Use Quantitative Risk Assessment for EveryChem, a Sample Organization

        5.3.1 Probability for Seven Sample Threats

        5.3.2 Impact for Seven Sample Threats

        5.3.3 Basic Quantitative Risk Assessment

        5.3.4 Recommended Management Action from Risk Assessment

    5.4 Limitations of the Basic Quantitative Risk Assessment

    5.5 A Second Approach: Introducing a Moderate Probability and Impact

    5.6 An Expanded Quantitative Risk Assessment for EveryChem, the Sample Organization

        5.6.1 Probability for Seven Sample Threats

        5.6.2 Impact for Seven Sample Threats

        5.6.3 Expanded Quantitative Risk Assessment

        5.6.4 Recommended Management Action from Expanded Risk Assessment

        5.6.5 Advantages of the Expanded Quantitative Risk Assessment

    5.7 Can Quantitative Risk Assessment Be Improved Further?

    Questions for Thought, Review, and Discussion

Chapter 6: Risk Controls: Improving Organization Resiliency

    6.1 Determine the Goals and Objectives

    6.2 Evaluate Existing Risk Controls

    6.3 Determine the Value of New Risk Controls

        6.3.1 Nonfinancial Factors to Be Considered for Your Organization

        6.3.2 Cost Justifying Risk Controls

        6.3.3 How Much Time to Allow for a Risk Control to Produce a Positive Return?

        6.3.4 When Does It Make Sense to Use an Outside Professional?

    6.4 Existing Risk Controls

        6.4.1 Building Fortification Controls

            Other Natural Hazards

        6.4.2 Building Systems, Procedures, and Safety Risk Controls

            Backup Electrical Power Systems*

            Emergency Communication Systems

            Fire Safety and Building Evacuation

            General Building Systems

            Hazardous Materials Control

            Medical Planning and Safety

            Research Laboratory/“Clean Room”/Special Room Controls

            Shelter-in-Place Safety

        6.4.3 Security Risk Controls

            Building Interior

            Building Perimeter

            Grounds and Parking Lot Security (“Outer Perimeter”)

        6.4.4 Technology Risk Controls

            General Information

            Alternate Site Plan

            Communication Systems

            Data Center Protection

            Data Center Recovery

            Information Management

            Information or Cyber Security Management

        6.4.5 Supply Chain and Process Flow Analysis

            Raw Materials

            Product Distribution/Shipping

    Questions for Thought, Review, and Discussion

Appendix A: Case Study: Sample Organization

    A.1 Overview of LMI

    A.2 Executive Management Objectives

    A.3 General Environment

    A.4 Risk Controls

    A.5 Threats

Appendix B: Case Study: Sample Qualitative Risk Assessment

    B.1 Probability and Impact

        B.1.1 Probability

        B.1.2 Impact Level

    B.2 Risk Analysis

        B.2.1 Black Swan Event

        B.2.2 Fire

        B.2.3 Hazardous Release

        B.2.4 Mid-Latitude Storm

        B.2.5 Pandemic Outbreak

        B.2.6 Security Breach (Physical)

        B.2.7 Supply Chain Disruption

        B.2.8 Technology Disaster

        B.2.9 Thunderstorm

        B.2.10 Utility Disruption

        B.2.11 Winter Storm

    B.3 Risk Assessment

Appendix C: Case Study: Sample Quantitative Risk Assessment

    C.1 Probability and Impact

        C.1.1 Probability Level (P)

        C.1.2 Impact Level (I)

    C.2 Risk Analysis

        C.2.1 Black Swan Event

        C.2.2 Fire

        C.2.3 Hazardous Release

        C.2.4 Mid-Latitude Storm

        C.2.5 Pandemic Outbreak

        C.2.6 Security Breach (Physical)

        C.2.7 Supply Chain Disruption

        C.2.8 Technology Disaster

        C.2.9 Thunderstorm

        C.2.10 Utility Disruption

        C.2.11 Winter Storm

    C.3 Risk Assessment

About the Author



Douglas M. Henderson, President of Disaster Management, Inc., has 20 years of experience in management with major consulting firms. In August of 1992, Doug was the key associate of the Emergency Response Team for a consulting firm located in South Miami-Dade County. Inspired by his real-life business experience with Hurricane Andrew and concerned about the lack of preparation within the business community, Doug founded Disaster Management, Inc. in 1993.

Doug has a Degree in Mathematics from the University of Arizona. His professional credentials include FSA – Fellow, Society of Actuaries and CBCP – Certified Business Continuity Professional. Doug is the author of the book Is Your Business Ready for the Next Disaster? and is the author of the Business Continuity Template for Manufacturing and Distribution, the Template for Comprehensive Business Continuity Management, the Continuity of Operations Plan for Colleges and Universities and several other planning templates. Doug is also the co-author of the college textbook Business Continuity and Risk Management: Essentials of Organizational Resilience.

My primary purpose in this book is to give you an understanding of the practical procedures required to conduct a risk assessment. Your initial goal in a risk assessment is to focus resources to respond to the threats that are most important to your organization. After this is accomplished, you will be able to develop specific procedures to improve organizational resiliency.

Why? What? How? This book begins by explaining why you should spend the time and energy involved with developing a risk assessment and why a basic understanding of risk management is beneficial to an organization. Next, you will explore what a risk assessment entails and the practical application to an individual organization, and then you will be introduced to two alternative approaches to performing a risk assessment. Finally, you will examine various methods to reduce risk.

Chapter 1: Overview of Risk Management

First, you will examine the progression by which ordinary threats become disruptive events to your organization. You will explore risk, risk management, and risk assessment principles and their importance to any well managed organization.

Chapter 2: Threat Identification

After examining threats from multiple perspectives, you will then learn how to determine the most likely specific threats to be analyzed. Essentially, you will be “identifying the enemy,” which is the first step in dealing with the problem.

Chapter 3: Determining Probability and Impact for Risk Assessment

You will see how to determine the probability of an event materializing and its possible impact upon your organization. Once probability and impact are established, you can determine risk. The chapter also introduces two methods of conducting a risk assessment – a qualitative approach and a quantitative approach. Both approaches are based on the same principles and, when used correctly, both approaches will produce accurate results. The quantitative approach will produce results with more precision than the qualitative approach, but will require some additional effort.

Chapter 4: Qualitative Risk Assessment

You will learn the basic process to conduct a qualitative risk assessment that classifies risks by using little or no mathematics.

Chapter 5: Quantitative Risk Assessment

You will learn the basic process to conduct a quantitative risk assessment that classifies risks by using mathematics.

Chapter 6: Risk Controls: Improving Organization Resiliency

Finally, you will see how to identify and implement risk controls to improve organizational resiliency. Once you have reviewed these principles of risk reduction, you will be ready to select and analyze possible risk reduction measures from a comprehensive list of risk controls.


In the appendices, you will find two sample risk assessments: one qualitative risk assessment and one quantitative risk assessment.

Each risk assessment is for a sample fictitious company that will provide you with a working example of how a risk assessment is conducted. Essentially, this allows you to apply the principles that you have learned in this book to a realistic situation. It will be a useful guideline when you decide to conduct a risk assessment for your organization.

While this book is directed primarily to managers and executives, you will find it useful if you are a business continuity (or organizational resilience) professional or participating in a professional training course. I am confident that when you complete your readings, you will be sufficiently versed to undertake a risk assessment.

Douglas M. Henderson
Port St Lucie, Florida
February 2017

You will rarely be able to predict the exact timing or exact cause of the next disaster to strike your organization. However, knowing the most likely threats and preparing to respond to those threats will help to minimize the impact to your organization or perhaps even prevent the event from occurring.

This chapter will help you to:

  • Know how to identify threats to your organization.
  • Group threats into logical categories for examination.
  • Determine the worst-case situation your organization could face.
  • Select specific threats for examination.

2.1 Identifying Threats

The term threat includes many types of events and disruptions, including:

  • Natural threats (e.g., blizzard, earthquake, or flood).
  • Accidental man-made threats (e.g., electrical outage, equipment failure, loss of data).
  • Intentional man-made threats (e.g., fight, strike, loss of buyers).

Threats can be very significant disruptive events or relatively minor disruptive events. Sometimes minor disruptive events can become much more serious disruptive events. For example, assume that a water pipe bursts in a common bathroom within your organization’s building (a minor event), but nobody knows where the water shutoff valve is located. While everyone is searching, water damages the entire building, including your work area – the minor event has escalated into a significant disruptive event! The lesson here is that when you examine threats, it is wise not to restrict your focus to significant disruptive events.

As you work to identify all threats, I recommend that you view threats on a geographical basis. You should consider and list the common (and not so common) threats that are located within the following:

  • The organization (e.g., equipment failure, workplace violence).
  • The building or immediate area (e.g., hazardous release, fire).
  • The community (e.g., civil disturbance or riot, electrical outage).
  • The geographical region (e.g., earthquake, flood, transportation disruption resulting in a supply chain disruption).

2.2 Grouping Threats

As you begin to narrow down individual threats to a manageable number, I recommend grouping individual threats into specific categories. For many organizations, a preponderance of threats relates to physical security (e.g., bomb threat, civil disturbance, hostile intruder, internal criminal acts, external criminal acts, workplace violence). Typically, such threats are examined under the security category grouping. Many security risk controls such as a perimeter security system or security cameras will protect against a wide variety of criminal events.

Another example of threat grouping is technology threats. Typically, you will examine technology threats for the major functional areas of technology (such as alternate site plans, communications, data center protection and recovery plans, information or data management, and information security). It is important to examine all areas of technology. I have seen instances where planning for the data center and alternate site is very good but information management or information security plans are inadequate. Such inconsistent planning can arise when different people with different skill levels are assigned to the different functional areas. I have also observed this problem in smaller data centers where one person covers everything. Every individual (myself included) has different skill levels and, frankly, different levels of interest within the different functional areas.

You will also find logic in grouping medical threats. Many medical risk controls such as personal protective equipment and social distancing policies are effective in limiting contamination of healthy individuals by infected individuals. Whether the threat comes from a pandemic outbreak, respiratory infection, or common cold, practices such as not touching your face with your hands and using speaker phones will reduce the likelihood of contamination. In other words, a pandemic plan will be at least partially effective in combating other general medical emergencies, and with minor modifications can be made more effective…