Getty Images/iStockphoto
How to assess pandemic risk in 2025
Businesses learned a lot about disaster recovery and risk from COVID-19. The challenge today is to not forget those lessons or become negligent with future pandemics.
A key lesson learned from the COVID-19 pandemic is that there is no such thing as too much preparation. This is especially important when it comes to business continuity and resilience.
Experience from the pandemic emphasized to many organizations that they were unprepared for the disruption caused by a widespread contagious illness. Workplaces were inaccessible for months, in-person meetings became unsafe and outside suppliers and contractors, as well as international supply chains, were deeply affected or delayed.
Many organizations have returned to the office, but while that indicates a return to business as usual, unfortunately, it also leaves them vulnerable to another contagious illness disrupting operations. So, what can businesses do to get ready?
This article discusses the risks associated with a pandemic event and suggests methods of conducting a risk assessment for potential future events.
Risks not limited to COVID-19
In addition to potential mutations of the COVID-19 virus, outbreaks of diseases such as measles and bird flu indicate that the likelihood of another pandemic appears to be growing.
In a 2024 report, "DISEASE X - What it is, and what it is not," prepared by the Coalition for Epidemic Preparedness Innovations, the authors discussed the potential for a new "Disease X" that could appear at virtually any time and could emerge from just about anywhere on the planet. COVID-19, according to the report, was the most recent Disease X, and the global lack of preparedness for the outbreak resulted in the pandemic.
Another report, published in the Proceedings of the National Academy of Sciences in 2021, "Intensity and Frequency of Extreme Novel Epidemics," suggested that the likelihood of a pandemic similar to COVID-19 occurring is 1 in 50 (2%) during a year, or 38% in a human lifetime, especially for people born after the year 2000.
Regardless of the source of any future pandemics, it is more critical than ever that organizations press the importance of proactive pandemic planning.
Importance of performing a pandemic risk assessment
When performing a risk assessment, especially for a unique situation like a pandemic, it is important to know the factors that might affect the detection of the pandemic, how it is managed, and how people and businesses are protected. Issues associated with a pandemic must be identified and examined before the assessment commences, as well as during the assessment and after its completion.
An important outcome of a risk assessment is the identification of ways to address the identified risks, threats and vulnerabilities. Mitigation of risks is important because it identifies what steps can be taken if specific risks occur.
Why use a risk assessment matrix?
The primary risk metrics to identify are the likelihood of an event occurring and the impact to an individual or business if the event occurs. Owing to the unique nature of pandemics and the fact that they occur infrequently, sources of risk data are available from various reports and possibly insurance risk tables and actuarial tables.
The example here depicts one way of establishing a rating system for evaluating risks by likelihood and impact.
Organizations must consider many factors when performing a pandemic risk assessment. The risk assesment matrix helps by organizing risk data and other factors so that an assessment can be performed.
A risk assessment matrix performs several critical functions, including the following:
- Defines the type of risk.
- Determines the criticality of the issues and strategies.
- Lists the risks, threats and vulnerabilities applicable to the issues.
- Validates the effectiveness of current risk controls and mitigation strategies.
- Determines the risk tolerance of the organization for identified risks.
- Identifies potential risk mitigation strategies, technologies and methods.
- Calculates overall risk values for the organization.
Preparing for a pandemic risk assessment
With any risk assessment, preparation is the key to obtaining useful results.
The following are potential steps to take when preparing for and conducting a pandemic risk assessment:
- Identify the business purpose and scope of the risk assessment.
- Review the proposed assessment with senior management and IT leadership to secure their approval and support.
- Prepare a project plan for the risk assessment, identifying the information the assessment plans to obtain and how it will be used.
- Establish a project team for the assessment.
- Identify and review relevant documentation, such as pandemic research data and data from government agencies, like the Centers for Disease Control and Prevention.
- Consider using a risk assessment tool with a focus on pandemic risks for conducting the assessment and preparing the reports.
How to use a risk assessment matrix
Many examples of risk assessment matrix templates exist, and severity can be graded in a variety of ways.
The risk assessment matrix template provided below is a simplified tool using assessment values ranging from 0.0 to 1.0. More detailed and complex values can be substituted, but this range is a common, consistent system for rating risk likelihood. With this system, 0.0 represents 0% likelihood of occurrence, and 1.0 represents 100% likelihood of occurrence.
Column B is used to indicate general severity and can be a standalone column. Column C denotes financial effects and is provided to show that additional factors can produce a more realistic calculated risk factor.
Following are steps to perform an assessment using the template:
- List the issues to be assessed in the first column.
- Insert the likelihood of an issue becoming important in Column A for each item being assessed.
- Insert the severity if the issue is not addressed or preparations are not made in Column B.
- Multiply AxBxC to arrive at the calculated risk factor.
Once the risk factors have been calculated, the organization can see which risks are the most critical to address early on, depending on where they fall in the following rating breakdown:
- 0.0 to 0.2 = Low to minimal risk impact.
- 0.2 to 0.4 = Moderate to high risk to people and business.
- 0.4 to 0.8 = Serious risk to people and business.
Pandemic risk assessment matrix
Use the following matrix as a starting point for assessing how a pandemic might impact individuals and organizations.
| Column A | Column B | Column C | AxBxC | |
| Risk event | Likelihood to become an issue | Severity if not addressed | Financial/business impact | Calculated risk factor |
| External issues | ||||
| Source of the pandemic virus | ||||
| How the virus spreads | ||||
| What happens when one is infected | ||||
| Impact to healthcare organizations | ||||
| Impact to government agencies | ||||
| Impact to businesses of all kinds | ||||
| Impact to educational institutions | ||||
| Impact to transportation | ||||
| Impact to communications | ||||
| Impact to the environment | ||||
| Impact of weather | ||||
| Impact to water supplies | ||||
| Impact to sanitation | ||||
| Impact to pharmaceutical firms | ||||
| Availability of medical devices | ||||
| Impact of fatalities from the virus | ||||
| Impact of social media | ||||
| Role and impact of the media | ||||
| Impact to supply chains | ||||
| Impact on socioeconomic issues | ||||
| Impact of new regulations | ||||
| Internal issues | ||||
| Loss of staff | ||||
| Remote working | ||||
| Technology outages | ||||
| Triage of symptoms | ||||
| Sanitation | ||||
| Personal protective equipment | ||||
| Screening of staff | ||||
| Personal hygiene | ||||
| Industrial hygiene | ||||
| Employee travel |
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
