4 Steps to Conduct a Business Threat Assessment [+ Template]

“The best and most universal thing everybody can do is be informed,” says Sara Pratley, our Senior Vice President of Global Intelligence at AlertMedia. With threats escalating around the world, many of them impact businesses—if not directly, then indirectly. Can you name all of the threats potentially putting your employees and operations at risk?

Below, we’ll provide a framework for the threat assessment process and discuss how you can use this analysis to protect your employees, facilities, and critical infrastructure. We’ll also explore tools—like a fill-in-the-blank threat assessment template—and strategies for more effectively monitoring, identifying, and communicating about threats that may impact your organization.

Building Your Threat Assessment Team

Often spearheaded by an organization’s business continuity or risk management function, a threat assessment team should include representatives from departments across your organization that have a role in safety and security. At a minimum, it should include some executive, human resources, and facilities management team members.

The threat assessment team will convene to identify, evaluate, and develop prevention and mitigation strategies for various threats your business may face. It may also be necessary to include external stakeholders and partners who play a role in emergency response plans, such as local law enforcement officials and mental health professionals.

What Are the Four Steps of a Threat and Risk Assessment?

With your threat assessment team established, it’s time to get to work. Here are the four iterative steps to conducting a business threat assessment:

Step 1: Identify threats

The first question you need to ask is: What are the threats? Make sure you are aware of the broad array of hazards and threats in business that could impact your people and assets. We have listed some risk assessment examples related to both external and internal risks.

External threat examples

• Meteorological: Hurricanes, severe thunderstorms, blizzards, tropical storms
• Geological: Earthquakes, wildfires, tsunamis, landslides, floods
• Biological: Disease outbreaks, pandemics, illnesses
• Transportation & supply: Significant road closures, widespread flight delays, supply chain disruptions
• Communications: Cell coverage outages, power outages
• Violent acts: Active shooters, civil disturbances, bomb threats

Go through the types of threats listed above and ask yourself: How would this impact my organization?

Consider the nature of your business and work environments to answer this question. If you are a software company with just one office located in Texas, for example, your risks will look substantially different than those of a large manufacturing company with offices scattered around the Northeast.

Also, take into account remote workers and traveling employees. You have a duty of care to keep your employees safe, no matter where or how they work. Using a threat intelligence solution can help you proactively monitor and communicate about all external threats, including those that impact your remote and mobile employees.

Internal threat examples

• Information technology: Internet outages, systems downtime, corrupted data
• Utility outage: Electrical power, water, sewage, air conditioning/heating
• Accidents: Workplace accidents, structural collapse, mechanical breakdown
• Hazardous materials: Chemical spill, gas leak, radiological accident

Whereas external threats require you to monitor wider variables, internal threats are often more readily apparent. Some internal threats are universal (e.g., Wi-Fi outages), but most are company-specific. For example, you might look at your supply chain and ask yourself: Where could things go wrong? If your operations involve hazardous materials, you need to have a hazmat safety plan in place. If your office building has a set of stairs prone to accidents, put up a sign warning people to “watch your step.”

Assessing internal threats requires a comprehensive risk analysis of your business, from facilities to supply chain to personnel. Using the bulleted list above as a starting point, consider which threats impact your operations—and how.

Step 2: Assess threats

Once you have identified the threats to your business, you need a way to evaluate the impact and likelihood of those threats. These further assessments go hand in hand to determine the overall risk level.

A risk matrix—also called a probability matrix or impact matrix—can be useful for performing this threat assessment. The matrix helps assess each threat based on 1) the likelihood that the threat will occur and 2) the potential impact the threat will have on your business.

Likelihood

Certain factors increase the likelihood of a threat occurring. Location and past history are both important risk factors to consider when evaluating the probability of a threat. When completing a risk assessment matrix, the likelihood of the threat occurring is often ranked on a five-point scale from improbable to frequent.

A company in California, for example, has a far greater chance of being impacted by an earthquake or wildfire than a company based in New England. Similarly, a company in a major metropolitan city is more likely to be affected by civil disturbances than one in a sleepy suburban town, and may invest in a more thorough physical security assessment.

It’s common for large companies to have many office locations across the country, even across the world. Each of these locations has its own set of potential threats. With many employees now working remotely or even traveling on a work trip, employers must consider all locations employees work from—not just where the company’s facilities are located. Travel risk assessments can help you determine risks away from the office.

Impact

The impact of a potential threat is the amount of damage or harm the threat could create. On a risk assessment matrix, the severity of a threat is often ranked on a four-point scale from negligible to catastrophic.

When assessing threats, consider all the different types of impact. You can think of impact in three broad categories: people, locations, and assets. From employee safety to financial loss to reputation harm, a threat can negatively affect your business in a variety of ways.

Consider these two different threats as examples for assessment: 1) the threat of a winter storm and 2) the threat of your CEO dying. The first threat has a medium impact but a high likelihood. If you’re located in the northeast, winter storms are essentially guaranteed—but they shouldn’t derail your business. The second threat, on the other hand, has a high impact but a low likelihood. It is highly unlikely that your CEO will die suddenly—but it would have a huge impact. During this analysis, you might conclude that a winter storm is high-risk, whereas the CEO dying is medium risk.

Of course, risks will change over time. The likelihood of a winter storm is nil in July, so there is almost no risk to your business. An upcoming executive trip to a dangerous foreign city, on the other hand, might raise the likelihood (and risk level) of your CEO getting injured.

Document your analysis of each threat’s likelihood and impact in a methodical way. Our threat assessment template is a great place to start.

Step 3: Develop controls

Once you have identified the potential threats and you have a way to quantify the impact, you need to plan your response. This means implementing controls that mitigate the threats you’ve identified.

You will want to look at your overall risks and decide which actions your business can take to reduce each risk. For most risks, this means both:

• “How do we decrease the likelihood this will happen?”
• “How do we decrease the impact if this does happen?”

If you’re a business in Chicago, for example, you are basically guaranteed to face a winter storm. While there is not much you can do to prevent a storm from happening, you can minimize the disruption that a winter storm will have on business operations—the impact. On the other hand, if employees must work or travel in a region with high crime rates, you may want to focus on reducing both the likelihood and the impact of safety threats to your people.

Regardless of the risk, here are a few specific controls you can implement:

Train employees

The first and most basic control in business risk management is employee threat assessment training. Risk mitigation can’t just exist in one department or one person. Although it may start in your business continuity and disaster recovery (BC/DR) division, it can’t end there.

Ensure your entire organization knows and understands what threats may occur. Individuals should be trained on how these threats may impact their role and the business as a whole. This training will help them better understand the response plan and how they should act during an emergency—especially for high-likelihood threats. Often, the most effective employee training involves active participation. Most companies conduct fire drills—but don’t stop there. Also, consider the wide range of tabletop exercises your company can implement to offer practice for various threats.

Create policies

In addition to training employees, create threat assessment procedures and guidelines to mitigate the identified threats. For example, in the event of a severe winter storm, you need a policy for how you will notify employees of delays or closures. And to keep traveling employees safe from the variety of threats they may encounter, develop a comprehensive corporate travel policy.

Your threat assessment procedures should indicate when third parties—such as law enforcement or mental health services—need to be involved. For example, when threats of violence arise, it is necessary to report them to and involve local law enforcement officials.

Document emergency response plans

As every emergency management professional will tell you, the best time to prepare for an emergency is well before it occurs. By creating an emergency response plan—a documented series of steps your organization will take during an emergency—you can help ensure employee safety and minimize the impact on critical operations.

Emergency response plans help organizations address various threats, such as hurricanes, wildfires, winter weather, chemical spills, disease outbreaks, and other hazards. The goal is to reduce or prevent human injury and property damage during threatening situations by documenting the steps for a timely response tailored to each scenario.

Step 4: Evaluate your response

The final step in a business threat assessment is what makes the process iterative. Once you have identified a threat, assessed its impact, and responded, you need to assess your response.

Here are the questions you need to be asking:

• Was this a threat our organization had identified?
• Did we properly assess the likelihood of this threat?
• Did we properly assess the impact of this threat?
• Was this threat avoidable?
• What controls did we have in place for this threat?
• How effective were our controls?
• How quickly were we able to respond?
• Was our communication effective?
• Did we have the proper resources to address the threat?

Once you have answered these questions, it’s time to turn to the big question: What can we do better? You will never have the perfect response to a given threat. Even when you execute your plan down to the letter, look for ways to improve your plan based on how it worked. Don’t let good be the enemy of great.

Talk to employees—especially those directly impacted by the threat. By soliciting employee feedback, you can uncover weaknesses in your plan that you may not have recognized otherwise. One effective way to conduct this follow-up is to send out an employee survey. Your employees will likely have ideas for ways you can prepare them to respond more effectively to the threat.

Once you have evaluated your response and how it could be improved, go back to Step 1. Repeat the process, integrating the new relevant information and feedback you have received.

Taking Advantage of Threat Intelligence Technology

A proper business threat assessment requires modern technology to support it. You can’t expect to monitor the expanse of potential threats manually—especially when you have remote workers, multiple office locations, and traveling employees. Today’s workforce requires the newest technology for threat monitoring and emergency communication.

Using a modern emergency communication solution with integrated threat intelligence will take organizational resilience to the next level. Your business threat assessment is incomplete without it.

With AlertMedia’s unified threat intelligence and emergency communication software, you can easily monitor and notify employees about emerging threats that may impact them. Using comprehensive threat data from analysts, social media, and news outlets worldwide, AlertMedia performs over 100 million calculations daily to cross-reference the location of each global threat against employee and asset locations. This analysis allows companies to easily see the threats that impact their business.

For a threat assessment example, let’s say a hurricane is in the forecast for the Gulf Coast. Quality threat assessment engines quantify the impact of the threat (identifying which employees and offices are in the path of the storm)—and automatically update this impact assessment as the storm changes. Perhaps you have offices and remote employees in multiple locations near the Gulf Coast. As the path of the hurricane changes, real-time threat intelligence and impact assessments help you rapidly identify those in harm’s way to ensure they are informed and prepared.

If a situation requires personalized attention from experts, solutions that allow you to communicate directly with intelligence analysts can give you and your team a responsive, real-time resource when things get hectic. They can answer your specific questions and proactively keep an eye out for additional information, ensuring you can act on details that are accurate, up-to-date, and relevant.

Combined with powerful emergency communication capabilities—such as survey notifications, event pages, and multichannel messaging—systems such as AlertMedia enable organizations to proactively identify, mitigate, and respond to any threatening situations that may arise.

Strengthening Your Risk Management Approach

While nobody likes to think about facing a threat that could jeopardize their people and business, threat assessments play a vital role in protecting your employees and operations. Conducting a business risk assessment will put your organization in the best position to respond to whatever threats come your way.

In a word, your company will be resilient. You will have an answer to even the most uncertain scenarios because you will have a plan in place ahead of time. With a comprehensive organizational threat assessment—backed by modern emergency communication and threat intelligence technology—you can strengthen your risk management and emergency preparedness capabilities to be ready for any emergency that may arise.