Risk Assessment in Business Continuity is the systematic process of identifying, analyzing, and evaluating threats that could disrupt an organization’s critical business functions. It takes the prioritized function list produced by the Business Impact Analysis and asks: what specific threats are most likely to disrupt these functions, and what is the probable severity of each? The output—a scored risk register—drives recovery strategy design, resource allocation, and exercise scenario selection.
The Relationship Between BIA and Risk Assessment
The Business Impact Analysis answers “what matters most and how badly does it hurt if we lose it.” The risk assessment answers “what is most likely to cause us to lose it.” Together they form the analytical foundation of the business continuity plan. Running a risk assessment without a completed BIA produces a list of threats disconnected from business priorities. Running a BIA without a risk assessment produces recovery targets disconnected from the actual threat landscape. Both are required, in sequence.
Threat Categories for Continuity Planning
Threats to business continuity fall into five broad categories, each with distinct characteristics that affect how recovery strategies must be designed.
Natural Hazards
Seismic events, hurricanes, tornadoes, flooding, wildfire, extreme heat, and winter storms. Natural hazards are characterized by wide-area impact (affecting facilities, infrastructure, and employee availability simultaneously), limited warning time (ranging from minutes for earthquakes to days for hurricanes), and increasing frequency driven by climate change. NOAA reported 28 separate billion-dollar weather and climate disaster events in the United States in 2023, and the trend line continues upward. The ISO 22301:2024 Amendment 1 specifically requires organizations to assess climate-related hazards as part of their continuity context.
Cyber Threats
Ransomware, data breaches, distributed denial-of-service attacks, supply chain compromises, and insider threats. Cyber threats now account for 52 percent of all business disruptions—the single largest category. The average ransomware attack cost $5.13 million in 2024, and nearly a third of procurement managers reported increased cyberattacks on their supply chains in 2025. Cyber threats are distinguished by their speed of onset (minutes to hours), their ability to affect geographically distributed operations simultaneously, and their potential to destroy data as well as disrupt access to it. Recovery strategies for cyber events require fundamentally different approaches than recovery from physical disruptions—particularly the need for clean, verified, air-gapped backups and forensic investigation before restoration.
Technology Failures
Infrastructure outages, cloud provider failures, network disruptions, power grid failures, and hardware failures. The July 2024 CrowdStrike incident—which crashed 8.5 million Windows devices globally due to a faulty software update—demonstrated that technology failures can be as sudden and widespread as natural disasters. Technology failures differ from cyberattacks in that they are unintentional, but their impact on business operations can be equally severe. Recovery strategies must account for cascading dependencies: a single cloud provider outage can simultaneously affect email, file storage, collaboration tools, customer-facing applications, and financial systems.
Human and Organizational Threats
Key-person dependency, labor disruptions, pandemic illness, workplace violence, and organizational change failures. The COVID-19 pandemic permanently demonstrated that human availability threats can persist for months or years, requiring continuity strategies that go far beyond temporary workarounds. Key-person dependency remains one of the most underassessed risks in continuity planning—organizations frequently discover during exercises that critical processes depend on institutional knowledge held by one or two individuals with no documented transfer plan.
Supply Chain and Third-Party Threats
Supplier failure, geopolitical disruption, logistics bottlenecks, regulatory changes affecting suppliers, and concentration risk. Seventy-six percent of European shipping companies experienced supply chain disruptions in 2025, and 65 percent of companies face at least one bottleneck in their supply chain at any given time. Global supply chain disruptions cost businesses $184 billion annually. Third-party risk assessment requires extending the BIA beyond organizational boundaries to evaluate the continuity posture of critical suppliers—a requirement that many organizations acknowledge in theory but few execute rigorously.
Risk Scoring Methodology
Risk scoring converts qualitative threat assessment into a structured, comparable framework. The standard approach uses a likelihood-by-impact matrix, but the sophistication of the scoring methodology matters significantly.
Basic scoring uses a simple 1–5 scale for both likelihood and impact, producing a risk score of 1–25. This works for initial assessments but lacks the granularity needed for mature programs. Advanced scoring differentiates impact across multiple dimensions—financial, operational, regulatory, reputational, and safety—and weights them according to organizational priorities. It also distinguishes between inherent risk (before controls) and residual risk (after existing controls are applied), which surfaces the actual value of current mitigation measures and identifies where additional investment is most needed.
The most rigorous approaches incorporate quantitative methods—Monte Carlo simulation, loss distribution analysis, and scenario-based probabilistic modeling—to produce dollar-denominated risk estimates. These methods require more data and analytical capability but produce outputs that directly inform investment decisions and insurance purchasing.
The Risk Register
The risk register is the master output document. For each identified risk, it records the threat description, affected critical functions (from the BIA), likelihood score, impact score, overall risk rating, existing controls and their effectiveness, residual risk after controls, risk owner, and recommended additional controls or recovery strategies. The register is a living document—reviewed quarterly, updated when new threats emerge or existing threats change in character, and validated annually through the exercise program.
Scenario Development
The risk assessment feeds directly into scenario development for recovery strategy design and exercise planning. Scenarios should represent realistic, plausible disruptions calibrated to the organization’s actual risk profile—not generic templates. A healthcare organization in a flood-prone region needs scenarios that combine facility damage with supply chain disruption and increased patient surge. A technology company with cloud-dependent operations needs scenarios that combine cloud provider outage with concurrent cyberattack. The scenarios that test the plan most effectively are the ones that combine multiple simultaneous stressors, because real-world disruptions rarely arrive one at a time.
Integrating Risk Assessment with Enterprise Risk Management
Business continuity risk assessment should not operate in isolation. ISO 31000 (Risk Management) and COSO ERM frameworks provide the enterprise-level context within which continuity risks sit. Integration means the continuity risk register feeds into the enterprise risk register, continuity risks are reported through the same governance structure as operational, financial, and strategic risks, and enterprise risk appetite statements inform the acceptable levels of continuity risk. Organizations that maintain separate, disconnected risk registers for continuity, cybersecurity, operational risk, and enterprise risk waste resources on redundant assessment activities and miss the interdependencies between risk categories.
Frequently Asked Questions
What is the most common threat to business continuity in 2026?
Cyberattacks—specifically ransomware—are the single most common cause of business disruption, accounting for 52 percent of all disruption events. This is followed by supply chain disruptions (affecting 66 percent of organizations), natural disasters (increasing in frequency due to climate change), and technology failures. Most organizations face a combination of these threats, which is why multi-hazard scenario planning is essential.
How often should a risk assessment be updated?
The risk register should be reviewed quarterly and fully refreshed annually. Additionally, it should be updated immediately when triggering events occur: new threat intelligence, significant organizational changes, near-miss incidents, regulatory changes, or material changes in the operating environment. The risk assessment should also be validated through the exercise program—post-exercise reviews frequently reveal threats or vulnerabilities that the formal assessment missed.
What is the difference between inherent risk and residual risk?
Inherent risk is the level of risk before any controls or mitigation measures are applied. Residual risk is the level of risk remaining after existing controls are factored in. The gap between them represents the effectiveness of current controls. If residual risk exceeds the organization’s risk tolerance, additional controls or recovery strategies are required. Both values should be tracked in the risk register.
Should the risk assessment include supply chain and third-party risks?
Yes. Supply chain disruptions affect 66 percent of organizations and cost $184 billion annually globally. The risk assessment must extend beyond organizational boundaries to evaluate the continuity posture of critical suppliers, logistics providers, cloud services, and other third parties. This includes reviewing suppliers’ own business continuity plans, assessing concentration risk (single-source dependencies), and identifying geopolitical factors that could disrupt supply chains.