How do risk assessment costs vary and why?
Risk assessments help identify and, more importantly, prioritize activities an organization needs to address its most serious threats and vulnerabilities. However, costs may vary.
Two critical activities performed by business continuity, disaster recovery and resilience professionals are risk assessments and business impact analyses. Although risk assessment costs vary, there are low-cost and higher-cost options available for organizations looking to conduct them.
A risk assessment helps identify where risks, threats and vulnerabilities exist internally and externally to an organization. It can also help identify the likelihood and effects to organizations if specific risks and threats occur and, if identified, vulnerabilities are not remediated. These effects may be operational, financial or reputational. Organizations typically use this data to identify the most important issues to address for business continuity and disaster recovery (BCDR) and resilience activities.
For example, if the greatest risk and threat to an organization is the likelihood of a tornado or other natural disasters, it can focus its efforts on preparation for such events. The business can harden its physical facilities, ensure it backs up all critical systems and data to alternate facilities that are sufficiently distant and secure, and provide resources for employees to work remotely if the offices are damaged. An additional focal point from the risk assessment is the protection of employees and their families following an event.
A risk assessment can range from a relatively simple activity, such as the use of a risk map to rate specific risks and their likelihood, to complex mathematics-based projects. These more complex activities examine risks and related metrics in deep detail, using a variety of mathematical formulas and algorithms to fine-tune the risk findings. The former can cost virtually nothing, whereas the latter could cost many thousands of dollars, especially if the assessment is performed by outside parties, such as a risk consultant.
Resources can help cut assessment costs
Sources of risk data are very important. Federal and state government agencies often provide extensive resources of risk-related data, such as for infrastructure failures, severe storm damage and environmental hazards. One example is the National Risk Index (NRI) for Natural Hazards from the Federal Emergency Management Agency. The NRI is an online mapping application that identifies communities most at risk to 18 natural hazards. The service visualizes natural hazard risk metrics and includes data about expected annual losses, social vulnerabilities and community resilience.
Additional sources of risk data include insurance companies, actuarial tables and weather data from the National Oceanic and Atmospheric Administration, National Weather Service and National Hurricane Center, as well as seismological data from the U.S. Geological Survey. In most cases, there is no charge for research data from government agencies via their websites, but as more detailed data is needed, nominal research charges by the agency may occur.
DIY risk assessment costs can add up to virtually nothing, other than the individual or organization's time. By contrast, using a third party can introduce hourly costs that may range from $150 to $400, depending on the organization. The challenge is to determine how important a risk assessment will be to the organization and, more specifically, to a BCDR or resilience professional's work.
Get management on board
Ideally, an emphasis on risk analysis comes from senior management, because external investments in detailed risk assessments will need authorization and funding. Several thousand dollars may need to be invested in a suitably extensive risk assessment that includes risk tables and recommendations to mitigate the identified risks, threats and vulnerabilities. External firms should be able to demonstrate their expertise and relevant credentials in risk analyses and related activities. Internal risk departments will likewise need to have experienced team members.
While BCDR and resilience professionals know the value of risk assessments, it is essential to ensure the organization and its leaders are equally interested in the results of such initiatives. Organizations with a history of disruptive incidents from various sources are far more likely to encourage risk assessments than others with little to no history of such events.