Risk analysis (assessment)
Purpose
In the Risk Analysis you assess the risks for each relevant object (e.g. asset, process, provider) on the basis of likelihood and impact. The result is the risk class, which is used to prioritize measures.
View Layout
The risk analysis shows you:
- the selected Scope at the top,
- a list of your resources (e.g. assets such as "Adobe Creative Cloud"),
- the assigned risks per resource,
- the status per risk (e.g. not started, in progress, completed, not relevant).
Status indicators:
- Hourglass: not started
- Pencil / "In progress": assessment in progress
- Checkmark: completed
- Label "not relevant": risk was deliberately excluded
Usage
Checking Relevance
Before starting a risk analysis you can check whether a risk is relevant for a resource at all:
- Select the scope and the resource.
- Select the risk.
- If the risk does not apply, set it to "not relevant".
This ensures that you only assess risks that are important in the BCM context.
Starting a Risk Analysis
To assess a risk for a resource for the first time:
- Select the scope.
- Select an object (e.g. asset or process) from the list.
- Select the desired risk.
- Click "Start new risk analysis".
The detail view for the risk opens.
Assessing Likelihood and Impact
In the detail view you assess:
- Likelihood (e.g. very low to very high — based on the BSI standard)
- Impact (e.g. very low to very high)
The system automatically calculates:
- the initial risk (gross risk, i.e. before measures are taken into account),
- the acceptance level of that gross risk.
You can also record a justification for your assessment, e.g. based on the criticality determined in the Business Impact Analysis (BIA) in BCM or on the technical/organizational safeguards already in place.
Defining the Treatment Option
For each risk you determine how it should be handled:
- Avoid (e.g. change or discontinue a process)
- Reduce (implement additional measures)
- Transfer (e.g. insurance, outsourcing)
- Accept (consciously accepted residual risk)
If you are unsure, the info icon next to the options explains their meaning in detail.
The selection affects how the risk is treated going forward and which measures become necessary.
Updating Risk Assessments
When conditions change (e.g. new infrastructure), you can update an existing risk assessment in one of two ways:
- continue the existing risk assessment, or
- archive it and start a new one.
When archiving:
- the previous assessment is retained,
- the status is reset to "in progress",
- the treatment plan is not carried over (it should ideally have been implemented already).
This allows you to compare historical and current assessments in the overview.
Notes &amp; Best Practices
- Where possible, use agreed assessment criteria (e.g. from policies) so that different departments assess risks in a comparable way.
- For unusual assessments, briefly document in the comments why the "standard logic" was deliberately deviated from.