Four Steps to Conduct a Business Threat Assessment
Here are the four steps to conducting a business threat assessment so you can reduce risk to a level that is acceptable to your organization.
If there’s one thing that is certain in business, it’s uncertainty. No matter how foolproof your project plan is, or how airtight your corporate strategy is, you will be forced to confront uncertain situations. To put it simply: you need to be ready for the wide array of threats that can impact operations and employee safety.
This is where business threat assessment comes in. Although you cannot predict which threats will impact your locations and assets, a business threat assessment ensures that you will be prepared for whichever threats do arise.
You can never completely eliminate risks and threats, but you can bring them to a level that is acceptable to your organization.
The Four-Step Business Threat Assessment Process
Step 1: Identify the threats
The first question you need to ask is: what are the threats? Make sure you are aware of the broad array of different hazards that could impact your people and assets.
External threats:
- Meteorological: Hurricanes, severe thunderstorms, blizzards, tropical storms
- Geological: Earthquakes, tsunamis, landslides
- Biological: Disease outbreaks
- Transportation: Significant road closures, widespread flight delays
- Communications: Cell coverage outages, power outages
- Acts of Violence: Active shooters, civil disturbances (riots), bomb threats
For external threats, it’s important to monitor the outside world so that you are aware when one of these threats emerges. Go through each of the threat types listed above, and ask yourself: how would this impact my organization?
Answering this question requires you to consider the nature of your business and your environment. If you are, say, a small software company with just one office located in Texas, your threats will look substantially different from those of a large manufacturing company with offices scattered around the northeast.
But make sure you also take into account traveling employees. You have a duty of care to keep your business travelers safe. Using a business travel safety app can help you monitor external threats that could impact your traveling employees.
Internal threats:
- Information Technology: Internet outages, systems downtime, corrupted data
- Utility Outage: Electrical power, water, sewage, air conditioning
- Supply Chain Interruption: Supplier failure, transportation interruption
- Accidents: Workplace accidents, structural collapse, mechanical breakdown
- Hazardous Materials: Hazardous materials spill, gas leak, radiological accident
Internal threats have the benefit of being easier to identify. Whereas external threats require you to monitor the environment, internal threats are typically apparent immediately.
Internal threats are also more company-specific. While some internal threats are universal (e.g. wi-fi outages), most are not. Look at your supply chain—and ask yourself, where could things go wrong? If your operations involve using hazardous materials, make sure you have a hazmat safety plan in place. If your office building has a set of stairs particularly prone to accidents, put up a sign warning people to “watch their step.”
Assessing internal threats requires a comprehensive analysis of your business: from facilities to supply chain to personnel. Use the bulleted list above as a starting point, considering which threats impact your operations—and how.
Step 2: Assess the threats
Once you have identified the threats to your business, you need a way to assess the impact and likelihood of those threats. These two assessments have to go hand-in-hand to determine the overall risk level.
For example, consider two different threats: 1) the threat of a winter storm, and 2) the threat of your CEO dying. The first threat has a medium impact but high likelihood. If you’re located in the northeast, winter storms are essentially guaranteed—but they shouldn’t derail your business. The second threat, on the other hand, has a high impact but a low likelihood. It is highly unlikely that your CEO will die suddenly—but it would have a huge impact.
During this analysis, you might conclude, then, that the winter storm is high risk, whereas the CEO dying is medium risk.
Obviously, risks will change over time. The likelihood of a winter storm is nil in July, so there is almost no risk to your business. An upcoming executive trip to a dangerous foreign city, on the other hand, might raise the likelihood (and risk level) of your CEO getting injured.
When assessing threats, it’s also important to make sure that you are considering all the different types of impact. You can think of impact in three broad categories: employees, office locations, and assets.
The first and most important impact category is your employees. When a threat emerges, you need a way to quickly assess which of your people are in the vicinity of the threat. If the threat is large-scale (like, say, a large winter storm), then it may be all your employees.
But many threats are hyper-local. Let’s say there is a bomb threat in downtown Chicago. Your office is not downtown—so the vast majority of your employees are unaffected. But are you sure that you don’t have any employees downtown? You have a duty of care to all your employees—not just those in your main office.
In this type of situation, many companies would default to a manual process: either a phone tree, or just asking around (“Hey, do you know where Paul is?”). But the fact is, those manual responses are not nearly fast enough for most hyperlocal threats—certainly not for a bomb threat.
The solution to this is implementing an emergency notification app (ideally with a threat monitoring system). These solutions use real-time GPS data to determine your employees’ locations. When a threat emerges, the system will also alert you to which of your people are impacted by cross-referencing their real-time location with the threat radius. This is crucial for keeping traveling employees safe.
The next impact category you need to have in mind is office locations. It’s common nowadays for large companies to have many office locations across the country, even across the world. Each of these locations has its own set of employees and its own set of potential threats.
If you are in charge of employee safety for a large company like this, it’s simply not possible to manually monitor threats for all of your individual office locations. It would be more than a full-time job.
A local threat monitoring system helps account for this problem as well. You can upload each of your office locations into the system, which will then monitor for threats to all of them, 24/7/365. When a threat emerges that could impact one of your locations, the system will tell you what the threat is and which of your office locations are impacted.
The final impact category, assets, is the most company-specific. This could include manufacturing plants, storage facilities, data centers—or a myriad of other types of assets.
The most common threat to assets like these is severe weather, but depending on the type of asset, other threat types may apply. Make a list of all the assets that your company needs to protect, and consider for each one the different threat types that would apply.
Many threat monitoring systems allow you to specify the relevant threat types for your assets. For example, you may want alerts for every threat type when it comes to your home office. But for your data center, you only want alerts for severe weather and power outages. This will keep you from being overwhelmed with irrelevant threat warnings.
Step 3: Develop controls
Once you have identified the potential threats and you have a way to quantify the impact, you need to plan your response. This means implementing controls that mitigate the threats you’ve identified.
You will want to look at your overall risks and decide which actions you and your business can take to reduce each overall risk. For most risks, this means both:
- “How do we decrease the likelihood this will happen?”
- “How do we decrease the impact if this does happen?”
Continuing with the examples above, if you’re a business in Chicago, you are basically guaranteed to face a winter storm, and there is not much you can do to prevent a storm from happening. But you can minimize the disruption that a winter storm will have on business operations when it does come.
On the other hand, if you believe your business has a high risk of having your CEO harmed, you may want to focus on reducing both the likelihood and the impact.
To reduce the likelihood of your CEO being harmed you may:
- Ensure all immunizations are up-to-date
- Order close protection
- Provide an emergency hotline to all travelers
To reduce the impact, you may:
- Update your succession plan
- Ensure executives take separate flights to and from the destination
Once you implement these controls, you may determine that the overall risk to your business has been reduced from high risk to medium risk. If that risk level is still too high for your organization, you may want to implement more serious controls, such as canceling the business trip altogether or holding the meeting via video teleconference instead.
Regardless of the risk, here are a few specific controls you should plan on implementing:
The first and most basic control in a business threat assessment is employee training. Risk mitigation can’t just exist in one department or one person. Although it may start in your BC/DR division, it can’t end there.
Make sure that your entire organization knows what your plan is—especially for high likelihood threats. Your employees should know what to expect when a winter storm is approaching.
Oftentimes the most effective employee training involves active participation. Most companies conduct fire drills, which is good. But it shouldn’t stop there. Consider the broad array of tabletop exercises that your company can implement for various threats.
Once you’ve become aware of a threat, it’s critical to notify the impacted employees immediately. As part of your business threat assessment, you should prepare templates for the most likely threat types that you’ve identified. Templates will help you get the message out as quickly as possible once a threat emerges.
To get you started, here are some notification templates for common threat types:
- Hurricane Templates
- Workplace Fire Templates
- Active Shooter Templates
- Winter Weather Templates
- Wildfire Templates
Templates mean you won’t have to worry about crafting the perfect wording in the moment when you have a million other things to worry about.
You should also plan to communicate through multiple channels. Depending on the type of threat, you may want to send a message over text, email, even voice.
While email may be best when the threat is some time away (e.g. an approaching hurricane), it isn’t the most direct or immediate communication channel. For most time-sensitive threats you will want to rely on more direct communication channels—like SMS. Texts have been shown to have an average response time of 90 seconds—versus 90 minutes for email.
Another important control is setting up an event page for the threat. Event pages are webpages that your employees can go to for up-to-the-minute information on the threat. You can upload photographs, news reports, and resources that your employees could find helpful.
By updating this page periodically, you can limit the number of notifications that you have to send. You can reserve sending a notification for the most important updates, which will prevent notification fatigue. This will help satisfy your most information-hungry employees—plus those who only want the bare minimum in terms of updates.
Perhaps the most important control is implementing a threat monitoring system like AlertMedia’s. Threat monitoring is the best way to facilitate a quick and decisive response to a wide array of threats.
A threat monitoring system will tie together the different steps of a business threat assessment into one system. First, the system uses threat data from trusted sources and analysts from around the globe to identify relevant threats to your organization. Second, it will notify system admins (or your employees directly) with information about the threat and which of your people/locations/assets are impacted. Finally, it integrates with AlertMedia’s industry-leading mass notification system so that you can immediately communicate with at-risk employees over multiple channels.
By automating otherwise manual processes, you can respond to threats in an immediate and targeted manner—which isn’t possible otherwise.
Step 4: Evaluate your response
The final step in a business threat assessment is what makes the process iterative. Once you have identified a threat, assessed its impact, and responded, you need to assess your response.
Here are the questions you need to be asking:
- Was this a threat our organization had identified?
- Did we properly assess the likelihood of this threat?
- Did we properly assess the impact of this threat?
- Was this threat avoidable?
- What controls did we have in place for this threat?
- How effective were our controls?
- How quickly were we able to respond?
- Was our communication effective?
- Did we have the proper resources to address the threat?
Once you have answered these questions, it’s time to turn to the big question: what can we do better? You will never have the perfect response to a given threat. Even when you execute your plan down to the letter, look for ways you can improve your plan based on how it worked. Don’t let good be the enemy of great.
Talk to employees—especially those directly impacted by the threat. One effective way to facilitate this communication is to send out a poll using your emergency communication system. Your employees will likely have lots of ideas for ways you can better prepare them for the threat, or better respond. A poll will help structure their ideas in a way that’s more easily interpretable and actionable.
Once you have evaluated your response and how it could be improved, go back to Step One. Repeat the process, integrating the new information and feedback you have received.
Take Advantage of Modern Technology
Completing all four steps of a business threat assessment will put your organization in the best position to respond to whatever threats come your way. In a word, your company will be resilient. You will have an answer to even the most uncertain scenarios—because you will have a plan in place ahead of time.
A proper business threat assessment, though, requires modern technology to support it. As discussed above, you can’t expect to monitor the wide array of potential threats manually—especially when you consider other office locations and traveling employees. The most effective controls today require using the newest technology when it comes to threat monitoring and emergency communication.
Implement a modern system like AlertMedia, which ties next-level threat monitoring to industry-leading emergency communication—it will take your organizational resilience to the next level. Your business threat assessment is incomplete without it.