Risk Assessment Matrix

Managing & Reducing Your Business’s Disaster Risks

What exactly is a business disaster and what are the risks of a disaster striking your business operations? How can you manage and reduce risk? How can you mitigate risks?

Here in California, the word ‘disaster’ is mainly associated with large scale, destructive events such as fires, earthquakes and floods.

However, according to Oxford Dictionary, one of the secondary definitions of ‘disaster’ is, “an event or fact that has unfortunate consequences.”

When it comes to business operations, even a small event like an internet outage can have unfortunate consequences for your business’s ability to generate revenue or to properly service customers.

Because of this, technology providers and service companies have come to apply the term ‘disaster’ to a wide variety of events.

Events include:

  • Partial data loss
  • Complete data loss
  • Maliciously locked data (ransomware)
  • Computer equipment malfunction or failure
  • A disrupted internet connection
  • Any technical occurrence that impacts the productivity of one or more employees

Disaster recovery means getting some or all of your business operations back on track after an event. For a given type of disaster, your business should have a defined path to recovery.

One businessperson’s inconvenience is another businessperson’s calamity. This leads to the following question:

What constitutes a disaster for your business?

What you consider a disaster could be very different from other business owners or managers in your area.

It partly depends on the degree to which your business operations rely on data.

For example, a gravel quarry is less reliant on data than a CPA firm. The former is mainly concerned with the proper mechanical operation of stripping, drilling, crushing and other equipment. A CPA firm is concerned with continuous access to client-provided data and to software programs like Lacerte and Excel.

Rock crushers and number crunchers have differing levels of reliance on data for ensuring continuous business operations. Where does your business fall on the reliance spectrum?

A company that does several large business transactions a year may be less concerned about a day’s worth of accounting data loss than a company that has a steady, daily stream of financial transactions.

A radiology practice has much larger data files to protect than, say, a marketing agency.

All this means is that your tolerance for different types of business risk is specific to you and your business.

Let’s look at how to define your tolerance for different risks.

Create a risk assessment matrix

An important exercise is to create a risk assessment matrix for your business.

This will help you to determine whether or not you have any gaps in your data backup processes or in your disaster recovery plans.

The information you pull together will let you fill in the blanks on this Disaster Risk Reduction Management Plan Template that we found on this SmartSheet landing page.

Catalog potential events

Start by cataloging five to ten potentially negative events that could occur in your business. These should be specific to you and your business.

Here are some examples:

  • The loss of one day’s worth of bookkeeping entries
  • No access by anyone to your accounting software for one day
  • The loss of one day’s worth of client tax data entries
  • No access by anyone to your accounting software for five days
  • The loss of five days’ worth of bookkeeping entries
  • Failure of a customer service representative’s hard drive
  • One day of no internet access for 10 people
  • A ransomware demand of under $10,000
  • A ransomware demand of $10,000 – $50,000
  • A ransomware demand of over $50,000

Determine event severity

Next, let’s look at a four-level event severity rating. These levels can be thought of as your tolerance for different risks.

  • Acceptable
  • Tolerable
  • Undesirable
  • Intolerable

Example 1: You consider failure of a customer service representative’s hard drive to be acceptable. The CSR uses all cloud applications and their computer can be swapped out for a backup computer in minutes.

Example 2: You consider the loss of one day of accounting software entries to be tolerable. It would only take an hour or so to recreate those entries.

Example 3: You consider one day of no internet access for 10 people to be undesirable. People could use their mobile phones as a backup, but this would be slower and less efficient than desktop email access.

Example 4: You consider a ransomware demand of over $50,000 to be intolerable. Paying this amount or more, simply for the privilege of accessing your own data, would be a significant financial burden to your business.

Consider the likelihood of different events

When we consider buying optional types of insurance, such as earthquake insurance here in California, we take the likelihood of an earthquake damaging or destroying our home into consideration.

Here are the three likelihood levels:

  • Improbable
  • Possible
  • Probable

Keep in mind that there is also a time dimension to event likelihood. Even if you live near a major fault, a destructive earthquake in the next 24 hours is improbable. The same event occurring sometime in the next six months is possible.

Also, the fact that certain types of events have not happened in the past does not make them less likely to happen in the future.

Put it all together

If you download the above referenced spreadsheet from SmartSheet, you can assemble the risks you have gathered. Then, assign a risk rating of Low, Medium, High or Extreme to each. Here is an example:

Business Disaster Risk Matrix

The last step is to determine where you have holes in data backup and recovery—including the ability to regain access to inaccessible software programs. You will then be in a position to look into business continuity and disaster recovery options for your business.
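As an added illustration (not part of the original article or the SmartSheet template), the following Python script scores a small event catalogue using the four severity levels and three likelihood levels above, and lists the events that still have no defined path to recovery. The severity-by-likelihood mapping it uses is an assumption, since the article leaves that choice to each business.

```python
# Added example: a minimal risk assessment matrix in code.
# The severity x likelihood -> rating mapping below is an ASSUMPTION;
# the article leaves that mapping to each business.
from dataclasses import dataclass

SEVERITY = ["Acceptable", "Tolerable", "Undesirable", "Intolerable"]
LIKELIHOOD = ["Improbable", "Possible", "Probable"]
RATINGS = ["Low", "Medium", "High", "Extreme"]


@dataclass
class Event:
    name: str
    severity: str
    likelihood: str
    recovery_path: str = ""  # empty string = no defined path to recovery yet


def risk_rating(severity: str, likelihood: str) -> str:
    """Assumed mapping: sum the 0-based level indices and bucket the score
    (0-1 Low, 2 Medium, 3 High, 4-5 Extreme)."""
    score = SEVERITY.index(severity) + LIKELIHOOD.index(likelihood)
    if score <= 1:
        return "Low"
    if score == 2:
        return "Medium"
    if score == 3:
        return "High"
    return "Extreme"


def recovery_gaps(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rating, name) for events with no recovery path, highest rating first."""
    gaps = [(risk_rating(e.severity, e.likelihood), e.name)
            for e in events if not e.recovery_path]
    return sorted(gaps, key=lambda g: -RATINGS.index(g[0]))


# Constructed sample catalogue built from the article's own example events.
SAMPLE_EVENTS = [
    Event("CSR hard drive failure", "Acceptable", "Probable",
          "Swap in spare computer; all applications are cloud-based"),
    Event("Loss of one day of accounting entries", "Tolerable", "Possible",
          "Re-key entries from source documents (about an hour)"),
    Event("No internet access for 10 people for one day", "Undesirable", "Possible"),
    Event("Ransomware demand over $50,000", "Intolerable", "Possible"),
]

if __name__ == "__main__":
    for rating, name in recovery_gaps(SAMPLE_EVENTS):
        print(f"{rating:8} {name}")
```

Events printed by the script are the ones to carry into the template's backup and recovery planning first.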
