Risk & Threat Assessment: How Often & Who Gets Involved

Risk & Threat Assessment

A Risk and Threat Assessment is an optional but complementary initiative to a Disaster Recovery Program. Some organizations will enlist a third party to size up all the potential dangers they face, while others “short cut” the process.

It is certainly never a bad idea to have professionals conduct an assessment, but companies with a mature Disaster Recovery Program and a well-provisioned recovery site can pass it up with limited consequence. Likewise, organizations with the internal capacity and experience to effectively monitor their risk profile and recognize emerging threats, and the know-how to deal with them, may also skip a third-party Risk and Threat Assessment without heightening their probability of encountering a hazard.

Still, even businesses with a sound Disaster Recovery Program or the internal capacity to conduct an assessment on their own often enlist the aid of a third party to ensure nothing has been overlooked. A facility-based risk and threat assessment will focus on the risks and vulnerabilities that impact critical business functions, employee health and safety, and the security of capital assets, including IT infrastructure and systems.

Risk and Threat Assessments are even more valuable to businesses lacking the internal capacity to appraise the evolving landscape of hazards threatening their operations. After current vulnerabilities are addressed, residual, secondary and new risks may emerge over time, necessitating an updated assessment. Some such organizations will eagerly enlist help, understanding the value of an objective, third-party expert view of their situation.

Often, a skeptical company must be faced with a tangible, pressing issue before it concedes that a Risk and Threat Assessment is necessary. Sometimes news of a disaster striking a peer is enough to do the trick. And sometimes a company will contract an assessment only after it has suffered a catastrophic loss or a near miss.

It is no stretch to say that any company will benefit from a periodic Risk and Threat Assessment. There are now choices of tools, standards (e.g. ISO 31000:2009) and skilled practitioners (e.g. ASIS certified) that can help you proactively manage your vulnerabilities. Whether the result is the discovery of an imminent disaster, the identification of potential problems down the road, or confirmation that your internal team has not overlooked anything, having the assessment completed by a team of professionals is an effective way to bolster an organization’s peace of mind.

Steve Tower

With many years of professional IT experience, and training as a Certified Management Consultant, a Project Management Professional, a Professional Engineer and a Member, Business Continuity Institute, Steve Tower has the skills and abilities required to assist with even the most complex disaster recovery planning initiatives. Below, Steve discusses the necessary tools involved in setting up a disaster recovery plan and program.