Table 1: Risk likelihood guidance

| GRADE | DESCRIPTION | SUMMARY |
|---|---|---|
| 1 | Improbable | Has never happened before and there is no reason to think it is any more likely now |
| 2 | Unlikely | There is a possibility that it could happen, but it probably won't |
| 3 | Likely | On balance, the risk is more likely to happen than not |
| 4 | Very Likely | It would be a surprise if the risk did not occur either based on past frequency or current circumstances |
| 5 | Almost certain | Either already happens regularly or there is some reason to believe it is virtually imminent |

The rationale for allocating the grade given should be recorded to aid understanding and allow repeatability in future assessments.

2.6.2 Assess the Impact

A formal method for conducting business impact assessments is set out in the BCMS document Business Impact Analysis Process, which should be used to ensure that a full understanding is gained of the key business processes and of what would happen if they were affected by a disruptive incident. This method is only summarized here.

An estimate of the impact that the risk being realized could have on the organization should be given. This should consider existing controls that lessen the impact, as long as these controls are seen to be effective.

Consideration should be given to the impact in the following areas:

• Impact on staff or public well-being
• Impact of breaching legal or regulatory requirements
• Damage to reputation
• Impact on financial viability
• Impact on product or service quality
• Environmental damage

The impact of each risk should be graded on a numerical scale of 1 (low) to 5 (high). General guidance for the meaning of each grade is given in Table 2.

More detailed guidance may be defined for each grade of impact, depending on the subject of the risk assessment.

The rationale for allocating the grade given should be recorded to aid understanding and allow repeatability in future assessments.
