critical risk assessment business plan

Uncovering Hidden Risks: A Comprehensive Guide to Business Plan Risk Analysis

A modern business plan that will lead your business on the road to success must have another critical element. That element is a part where you will need to cover possible risks related to your small business. So, you need to focus on  managing risk  and use  risk management processes  if you want to succeed as an entrepreneur.

How can you manage risks?

You can always plan and  predict  future things in a certain way that will happen, but your impact is not always in your hands. There are many  external factors  when it comes to the business world. They will always influence the realization of your plans. Not only the realization but also the results you will achieve in implementing the specific plan. Because of that, you need to look at these factors through the prism of the risk if you want to implement an appropriate management process while implementing your business plan.

By conducting a thorough risk analysis, you can manage risks by identifying potential threats and uncertainties that could impact your business. From market fluctuations and regulatory changes to competitive pressures and technological disruptions, no risk will go unnoticed. With these insights, you can develop contingency plans and implement risk mitigation strategies to safeguard your business’s interests.

This guide will provide practical tips and real-life examples to illustrate the importance of proper risk analysis. Whether you’re a startup founder preparing a business plan or a seasoned entrepreneur looking to reassess your risk management approach, this guide will equip you with the knowledge and tools to navigate the complex landscape of business risks.

Why is Risk Analysis Important for Business Planning?

Risk analysis is essential to business planning as it allows you to proactively identify and assess potential risks that could impact your business objectives. When you conduct a comprehensive risk analysis, you can gain a deeper understanding of the threats your business may face and can take proactive measures to mitigate them.

One of the key benefits of risk analysis is that it enables you to prioritize risks based on their potential impact and likelihood of occurrence . This helps you allocate resources effectively and develop contingency plans that address the most critical risks.

Additionally, risk analysis allows you to identify opportunities that may arise from certain risks , enabling you to capitalize on them and gain a competitive advantage.

It is important to adopt a systematic approach to effectively analyze risks in your business plan. This involves identifying risks across various market, operational, financial, and legal areas. By considering risks from multiple perspectives, you can develop a holistic understanding of your business’s potential challenges.

What is a Risk for Your Small Business?

In dictionaries, the risk is usually defined as:

The possibility of dangerous or bad consequences becomes true .

When it comes to businesses,  entrepreneurs , or in this case, the business planning process, it is possible that some aspects of the business plan will not be implemented as planned. Such a situation could have dangerous or harmful consequences for your small business.

It is simple. If you don’t implement something you have in your business plan, there will be some negative consequences for your small business.

Here is how you can  write the business plan in 30 steps .

Types of Risks in Business Planning

When conducting a business risk assessment for your business plan, it is essential to consider various types of risks that could impact your venture. Here are some common types of risks to be aware of:

1. Market risks

These risks arise from fluctuations in the market, including changes in consumer preferences, economic conditions, and industry trends. Market risks can impact your business’s demand, pricing, and market share.

2. Operational risk

Operational risk is associated with internal processes, systems, and human resources. These risks include equipment failure, supply chain disruptions, employee errors, and regulatory compliance issues.

3. Financial risks

Financial risks pertain to managing financial resources and include factors such as cash flow volatility, debt levels, currency fluctuations, and interest rate changes.

4. Legal and regulatory risks

Legal and regulatory risks arise from changes in laws, regulations, and compliance requirements. Failure to comply with legal and regulatory obligations can result in penalties, lawsuits, and reputational damage.

5. Technological risks

Technological risks arise from rapid technological advancements and the potential disruptions they can cause your business. These risks include cybersecurity threats, data breaches, and outdated technology infrastructure.

Basic Characteristics of Risk

Before you start with the development of your small  business risk  management process, you will need to know and consider the essential characteristics of the possible risk for your company.

What are the basic characteristics of a possible risk?

The risk for your company is partially unknown.

Your  entrepreneurial work  will be too easy if it is easy to predict possible risks for your company. The biggest problem is that the risk is partially unknown. Here we are talking about the future, and we want to prepare for that future. So, the risk is partially unknown because it will possibly appear in the future, not now.

The risk to your business will change over time.

Because your businesses operate in a highly dynamic environment, you cannot expect it to be something like the default. You cannot expect the risk to always exist in the same shape, form, or consequence for your company.

You can predict the risk.

It is something that, if we want, we can predict through a  systematic process . You can easily predict the risk if you install an appropriate risk management process in your small business.

The risk can and should be managed.

You can always focus your resources on eliminating or reducing risk in the areas expected to appear.

Risk Management Process You Should Implement

The risk management process cannot be seen as static in your company. Instead of that, it must be seen as an interactive process in which information will continuously be updated and analyzed. You and your small business members will act on them, and you will review all risk elements in a specified period.

Adopting a systematic approach to identifying and assessing risks in your business plan is crucial. Here are some steps to consider:

1. Risk Identification

First, you must identify risk areas . Ask and respond to the following questions:

• What are my company’s most significant risks?
• What are the risk types I will need to follow?

In business, identifying risk areas is the process of pinpointing potential threats or hazards that could negatively impact your business’s ability to conduct operations, achieve business objectives, or fulfill strategic goals.

Just as meteorologists use data to predict potential storms and help us prepare, you can use risk identification to foresee possible challenges and create plans to deal with them.

Risk can arise from various sources, such as financial uncertainty, legal liabilities, strategic management errors, accidents, natural disasters, and even pandemic situations. Natural disasters can not be predicted or avoided, but you can prepare if they appear.

For example, a retail business might identify risks like fluctuating market trends, supply chain disruptions, cybersecurity threats, or changes in consumer behavior. As you can see, the main risk areas are related to types of risk: market, financial, operational, legal and regulatory, and technological risks.

You can also use business model elements to start with something concrete:

• Value proposition,
• Customers ,
• Customers relationships ,
• Distribution channels,
• Key resources and
• Key partners.

It is not necessarily that there will be risk in all areas and that the risk will be with the same intensity for all areas. So, based on your business environment, the industry in which your business operates, and the business model, you will need to determine in which of these areas there is a possible risk.

Also, you must stay informed about external factors impacting your business, such as industry trends, economic conditions, and regulatory changes. This will help you identify emerging risks and adapt your risk management strategies accordingly.

The idea for this step is to create a table where you will have identified potential risks in each important area of your business.

2. Risk Profiling

Conduct a detailed analysis of each identified risk, including its potential impact on your business objectives and the likelihood of occurrence. This will help you develop a comprehensive understanding of the risks you face.

Qualitative Risk Analysis

The qualitative risk analysis process involves assessing and prioritizing risks based on ranking or scoring systems to classify risks into low, medium, or high categories. For this analysis, you can use customer surveys or interviews.

Qualitative risk analysis is quick, straightforward, and doesn’t require specialized statistical knowledge to conduct a business risk assessment. The main negative side is its subjectivity, as it relies heavily on thinking about something or expert judgment.

This method is best suited for initial risk assessments or when there is insufficient quantitative analysis data .

For example, if we consider the previously identified risk of a sudden shift in consumer preferences, a qualitative analysis might rate its likelihood as 7 out of 10 and its impact as 8 out of 10, placing it in the high-priority quadrant of our risk matrix. But, qualitative analysis can also use surveys and interviews where you can ask open questions and use the qualitative research process to make this scaling. This is much better because you want to lower the subjectivism level when doing business risk assessment.

Quantitative Risk Analysis

On the other side, the quantitative risk analysis method involves numerical and statistical techniques to estimate the probability and potential impact of risks. It provides more objective and detailed information about risks.

Quantitative risk analysis can provide specific, data-driven insights, making it easier to make informed decisions and allocate resources effectively. The negative side of this method is that it can be time-consuming, complex, and requires sufficient data.

You can use this approachfor more complex projects or when you need precise data to inform decisions, especially after a qualitative analysis has identified high-priority risks.

For example , for the risk of currency exchange rate fluctuations, a quantitative analysis might involve analyzing historical exchange rate data to calculate the probability of a significant fluctuation and then using your financial data to estimate the potential monetary impact.

Both methods play crucial roles in effectively managing risks. Qualitative risk analysis helps to identify and prioritize risks quickly, while quantitative analysis provides detailed insights for informed decision-making.

3. Business Risk Assessment Matrix

Once you have identified potential risks and analyzed their likelihood and potential impact, you can create a business risk assessment matrix to evaluate each risk’s likelihood and impact. This matrix will help you prioritize risks and allocate resources accordingly.

A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here’s a step-by-step process to create one:

• Step 1: Begin by listing out your risks . For our example, let’s consider four of the risks we identified earlier: a sudden shift in consumer preferences (Market Risk), currency exchange rate fluctuations (Financial Risk), an increase in the minimum wage (Legal), and cybersecurity threats (Technological Risk).
• Step 2: Determine the likelihood of each risk occurring . In the process of risk profiling, we’ve determined that a sudden shift in consumer preferences is highly likely, currency exchange rate fluctuations are moderately likely, an increase in the minimum wage, and cybersecurity threats are less likely but still possible.
• Step 3: Assess the potential impact of each risk on your business if it were to occur . In our example, we might find that a sudden shift in consumer preferences could have a high impact, currency exchange rate fluctuations a moderate impact, an increase in minimum wage minor impact, and cybersecurity threats a high impact.
• Step 4: Plot these risks on your risk matrix . The vertical axis represents the likelihood (high to low), and the horizontal axis represents the consequences (high to low).

By visualizing these risks in a risk assessment matrix format, you can more easily identify which risks require immediate attention and which ones might need long-term strategies.

4. Develop Risk Indicators for Each Risk You Have Identified

The question is, how will you measure the business risks for your company?

Risk indicators are metrics used to measure and predict potential threats to your business. Simply, a risk indicator is a measure that should tell you whether the risk appears or not in a particular area you have defined previously. They act like a business’s early warning system. When these indicators change, it’s a signal that the risk level may be increasing.

For example, for distribution channels, an indicator can be a delay in delivery for a minimum of three days. This indicator will tell you something is wrong with that channel, and you must respond appropriately.

Now, let’s consider some risk indicators for the risks we have already identified and analyzed:

If you conduct all the steps until now, you can have a similar table with risk indicators in your business plan. You should monitor these indicators regularly, and if you notice a significant change, such as a drop in sales or an increase in attempted breaches, it’s time to investigate and take some action steps. This might involve updating your product line, hedging against currency risk, budgeting for higher wages, or improving your cybersecurity measures.

Remember, risk indicators can’t predict the future with certainty. But they can give you valuable insights that can help you prepare for potential threats.

5. Define Possible Action Steps

The question is, what can you do regarding the risk if the risk indicator tells you that there is a potential risk?

Once the risk has appeared and is located, it is time to take concrete action steps. The goals of this step are not only to reduce or eliminate the impact of the risk for your company but also to prevent them in the future and reduce or eliminate their influence on the business operations or the execution of your business plan.

For example, for distribution channels with delivery delayed more than three days, possible activities can be the following:

• Apologizing to the customers for the delay,
• Determining the reasons for the delay,
• Analysis of the reasons,
• Removing the reasons,
• Consideration of alternative distribution channels, etc.

In this part of the business plan for each risk area and indicator, try to standardize all possible actions. You can not expect that they will be final. But, you can cover some basic guidelines that must be implemented if the risk appears. Here is an example of how this part will look in your business plan related to risks we have already identified through the risk assessment process.

6. Monitoring

Because this risk management process is dynamic , you must apply the monitoring process. In such a way, you can ensure the elimination of a specific kind of risk in the future, and you will allocate your resources to new possible risks.

After implementing the actions, you need to ask yourself the following questions:

• Are the actions taken regarding the risk the proper measures?
• Can you improve something regarding the risk management process? Is there a need for new risk indicators?

Techniques and Tools for Business Plan Risk Assessment

Various risk analysis methods, techniques, and tools are available to conduct an effective risk analysis for your business plan. Here are some commonly used ones:

1. SWOT analysis

A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis can help you identify internal strengths and weaknesses and external opportunities and threats. This analysis provides valuable insights into possible business risks and opportunities.

2. PESTEL analysis

A PESTEL (Political, Economic, Sociocultural, Technological, Environmental, Legal) analysis assesses the external factors that could impact your business. This analysis will help you identify risks and opportunities arising from these factors.

3. Scenario analysis

Consider different scenarios that could impact your business, such as best-case, worst-case, and most likely scenarios, as a part of your risk assessment process. You can anticipate potential risks and develop appropriate response strategies by analyzing these scenarios.

4. Monte Carlo simulation

Monte Carlo simulation uses random sampling and probability distributions to model various scenarios and assess their potential impact on your business. This technique provides you with a more accurate understanding of risk exposure.

5. Risk register

A risk register is a risk analysis tool that helps you record and track identified risks and their relevant details, such as impact, likelihood, mitigation strategies, and responsible parties. This tool ensures that risks are appropriately managed and monitored.

6. Business Impact Analysis (BIA)

Business impact analysis helps you understand the potential effects of various disruptions on your business operations and objectives. It’s about identifying what could go wrong and understanding how it could impact your bottom line. So, you can conduct business impact analysis as a part of your risk assessment inside your business plan.

7. Failure Mode and Effects Analysis (FMEA)

Using FMEA in your risk assessment process, you can proactively address potential problems, ensuring your business operations run as smoothly as you planned. It’s all about preparing for the worst while striving for the best.

8. Risk-Benefit Analysis (RBA)

The risk-benefit analysis allows you to make informed decisions, balancing the potential for gain against the potential for loss. It helps you choose the best path, even when the way forward isn’t entirely clear. This tool is a systematic approach to understanding the specific business risk and benefits associated with a decision, process, or project.

9. Cost-Benefit Analysis

By conducting a cost-benefit analysis as a part of your risk assessments, you can make data-driven decisions that consider both the possible risks (costs) and rewards (benefits). This approach provides a clear picture of the potential return on investment, enabling more effective and confident decision-making.

These techniques and tools allow you to conduct a comprehensive risk analysis for your business plan.

Mitigating and Managing Risks in a Business Plan

Identifying risks in your business plan is only the first step. To ensure the success of your venture, it is crucial to develop effective risk mitigation and management strategies. Here are some critical steps to consider:

• Risk avoidance : Some risks may be too high to justify taking. In such cases, consider avoiding these risks altogether by adjusting your business plan or exploring alternative strategies.
• Risk transfer : Transferring risks to third parties, such as insurance companies or outsourcing partners, can help mitigate their impact on your business. Evaluate opportunities for risk transfer and consider appropriate insurance coverage.
• Risk reduction : Implement measures to reduce the likelihood and impact of identified risks. This may involve improving internal processes, implementing safety protocols, or diversifying your supplier base .
• Risk acceptance : Some risks may be unavoidable or negatively impact your business. In such cases, accepting the risks and developing contingency plans can help minimize their impact.

In conclusion, a comprehensive risk analysis is essential for identifying, assessing, and managing different types of risk that could impact your success.

Conducting a thorough risk analysis can safeguard your business’s interests, capitalize on opportunities, and increase your chances of long-term success.

Related Posts

Risk Management Guide: Everything You Need to Know About Business Risk

Why Prioritizing Risk Management is Crucial for Healthcare Businesses

Start typing and press enter to search.

Business Plan Risk Analysis - What You Need to Know

The business plan risk analysis is a crucial and often overlooked part of a robust business plan. In the ever-changing world of business knowing potential pitfalls and how to mitigate them could be the difference between success and failure.  A well-crafted business plan acts as a guiding star for every venture, be it a startup finding its footing or a multinational corporation planning an expansion. However, amidst financial forecasts, marketing strategies, and operational logistics, the element of risk analysis frequently gets relegated to the back burner. In this blog, we will dissect the anatomy of the risk analysis section, show you exactly why it is important and provide you with guidelines and tips. We will also delve into real-life case studies to bring to life your learning your learning.

Table of Contents

• Risk Analysis - What is it?
• Types of Risks
• Components of Risk Analysis
• Real-Life Case Studies
• Tips & Best Practices
• Final Thoughts

Business Plan Risk Analysis - What Exactly Is It?

Risk analysis is like the radar system of a ship, scanning the unseen waters ahead for potential obstacles. It can forecast possible challenges that may occur in the business landscape and plan for their eventuality. Ignoring this can be equivalent to sailing blind into a storm. The business plan risk analysis section is a strategic tool used in business planning to identify and assess potential threats that could negatively impact the organisation's operations or assets. Taking the time to properly think about the risks your business faces or may face in the future will enable you to identify strategies to mitigate these issues.

Types of Business Risks

There are various types of risks that a business may face, which can be categorised into some broader groups:

• Operational Risks: These risks involve loss due to inadequate or failed internal processes, people, or systems. Examples could include equipment failure, theft, or employee misconduct.
• Financial Risks: These risks are associated with the financial structure of the company, transactions the company makes, and the company's ability to meet its financial obligations. For instance, currency fluctuations, increase in costs, or a decline in cash flow.
• Market Risks: These risks are external to the company and involve changes in the market. For example, new competitors entering the market changes in customer preferences, or regulatory changes.
• Strategic Risks: These risks relate to the strategic decisions made by the management team. Examples include the entry into a new market, the launch of a new product, or mergers and acquisitions.
• Compliance Risks: These risks occur when a company must comply with laws and regulations to stay in operation. They could involve changes in laws and regulations or non-compliance with existing ones.

The business risk analysis section is not a crystal ball predicting the future with absolute certainty, but it provides a foresighted approach that enables businesses to navigate a world full of uncertainties with informed confidence. In the next section, we will dissect the integral components of risk analysis in a business plan.

Components of a Risk Analysis Section

Risk analysis, while a critical component of a business plan, is not a one-size-fits-all approach. Each business has unique risks tied to its operations, industry, market, and even geographical location. A thorough risk analysis process, however, typically involves four main steps:

• Identification of Potential Risks: The first step in risk analysis is to identify potential risks that your business may face. This process should be exhaustive, including risks from various categories mentioned in the section above. You might use brainstorming sessions, expert consultations, industry research, or tools like a SWOT analysis to help identify these risks.
• Risk Assessment: Once you've identified potential risks, the next step is to assess them. This involves evaluating the likelihood of each risk occurring and the potential impact it could have on your business. Some risks might be unlikely but would have a significant impact if they did occur, while others might be likely but with a minor impact. Tools like a risk matrix can be helpful here to visualise and prioritise your risks.
• Risk Mitigation Strategies: After assessing the risks, you need to develop strategies to manage them. This could involve preventing the risk, reducing the impact or likelihood of the risk, transferring the risk, or accepting the risk and developing a contingency plan. Your strategies will be highly dependent on the nature of the risk and your business's ability to absorb or mitigate it.
• Monitoring and Review: Risk analysis is not a one-time task, but an ongoing process. The business landscape is dynamic, and new risks can emerge while old ones can change or even disappear. Regular monitoring and review of your risks and the effectiveness of your mitigation strategies is crucial. This should be an integral part of your business planning process.

Through these four steps, you can create a risk analysis section in your business plan that not only identifies and assesses potential threats but also outlines clear strategies to manage and mitigate these risks. This will demonstrate to stakeholders that your business is prepared and resilient, able to handle whatever challenges come its way.

Business Plan Risk Analysis - Real-Life Examples

To fully grasp the importance of risk analysis, it can be beneficial to examine some real-life scenarios. The following are two contrasting case studies - one demonstrating a successful risk analysis and another highlighting the repercussions when risk analysis fails.

Case Study 1: Google's Strategic Risk Mitigation

Consider Google's entry into the mobile operating system market with Android. Google identified a strategic risk : the growth of mobile internet use might outpace traditional desktop use, and if they didn't have a presence in the mobile market, they risked losing out on search traffic. They also recognised the risk of being too dependent on another company's (Apple's) platform for mobile traffic. Google mitigated this risk by developing and distributing its mobile operating system, Android. They offered it as an open-source platform, which encouraged adoption by various smartphone manufacturers and quickly expanded their mobile presence. This risk mitigation strategy helped Google maintain its dominance in the search market as internet usage shifted towards mobile.

Case Study 2: The Fallout of Lehman Brothers

On the flip side, Lehman Brothers, a global financial services firm, failed to adequately analyse and manage its risks, leading to its downfall during the 2008 financial crisis. The company had significant exposure to subprime mortgages and had failed to recognise the potential risk these risky loans posed. When the housing market collapsed, the value of these subprime mortgages plummeted, leading to significant financial losses. The company's failure to conduct a robust risk analysis and develop appropriate risk mitigation strategies eventually led to its bankruptcy. The takeaway from these case studies is clear - effective risk analysis can serve as an essential tool to navigate through uncertainty and secure a competitive advantage, while failure to analyse and mitigate potential risks can have dire consequences. As we move forward, we'll share some valuable tips and best practices to ensure your risk analysis is comprehensive and effective.

Business Plan Risk Analysis Tips and Best Practices

While the concept of risk analysis can seem overwhelming, following these tips and best practices can streamline the process and ensure that your risk management plan is both comprehensive and effective.

• Be Thorough: When identifying potential risks, aim to be as thorough as possible. It’s crucial not to ignore risk because it seems minor or unlikely; even small risks can have significant impacts if not managed properly.
• Involve the Right People: Diverse perspectives can help identify potential risks that might otherwise be overlooked. Include people from different departments or areas of expertise in your risk identification and assessment process. They will bring different perspectives and insights, leading to a more comprehensive risk analysis.
• Keep it Dynamic: The business environment is continually changing, and so are the risks. Hence, risk analysis should be an ongoing process, not a one-time event. Regularly review and update your risk analysis to account for new risks and changes in previously identified risks.
• Be Proactive, Not Reactive: Use your risk analysis to develop mitigation strategies in advance, rather than reacting to crises as they occur. Proactive risk management can help prevent crises, reduce their impact, and ensure that you're prepared when they do occur.
• Quantify When Possible: Wherever possible, use statistical analysis and financial projections to evaluate the potential impact of a risk. While not all risks can be quantified, putting numbers to the potential costs can provide a clearer picture of the risk and help prioritise your mitigation efforts.

Implementing these tips and best practices will strengthen your risk analysis, providing a more accurate picture of the potential risks and more effective strategies to manage them. Remember, the goal of risk analysis isn't to eliminate all risks—that's impossible—but to understand them better so you can manage them effectively and build a more resilient business.

In the ever-changing landscape of business, where uncertainty is a constant companion, the risk analysis section of a business plan serves as a guiding compass, illuminating potential threats and charting a course toward success. Throughout this blog, we have explored the critical role of risk analysis and the key components involved in its implementation. We learned that risk analysis is not just about identifying risks but also about assessing their potential impact and likelihood. It involves developing proactive strategies to manage and mitigate those risks, thereby safeguarding the business against potential pitfalls. In conclusion, a well-crafted business plan risk analysis section is not just a formality but a strategic asset that empowers your business to thrive in an unpredictable world. As you finalise your business plan, keep in mind that risk analysis is not a one-time task but an ongoing practice. Revisit and update your risk analysis regularly to stay ahead of changing business conditions. By embracing risk with a thoughtful and proactive approach, you will position your business for growth, resilience, and success in an increasingly dynamic and competitive landscape. Want more help with your business plan? Check out our Learning Zone for more in-depth guides on each specific section of your plan.

Unpacking Risk Assessment: Business Continuity Plan Risk Assessment

February 6, 2024

Business continuity planning is a critical aspect of modern business operations. With the increasing frequency and severity of natural disasters, cyberattacks, and other unexpected events, organizations need to develop and implement robust plans to ensure that they can continue to operate in the face of disruptions.

Risk assessment is a crucial component of business continuity planning , as it helps organizations identify potential risks , evaluate their likelihood and potential impact, and develop strategies to prevent or mitigate them.

This article aims to provide a comprehensive overview of the importance of risk assessment in business continuity planning. It will explore common mistakes to avoid, the risk assessment process, the significance of business impact analysis , and cybersecurity policies.

In providing insights into best practices for conducting risk assessments , this article aims to help organizations ensure business continuity in the face of any unforeseen circumstances.

Understanding the process of evaluating potential hazards and prioritizing risks is fundamental to creating a comprehensive plan for ensuring the continuity of business operations in the face of unexpected disruptions.

Risk assessment is an essential step in Business Continuity Planning (BCP) as it systematically identifies potential threats and vulnerabilities that could disrupt operations.

It involves assessing the likelihood of an event occurring and the impact it would have on the organization. Risk assessment should be carried out before undertaking a Business Impact Analysis (BIA) as it helps identify potential threats that could impact critical business functions. 

The BIA then evaluates the impact of these threats on business operations, allowing organizations to prioritize their response strategies.

A comprehensive risk assessment should identify potential threats, evaluate the likelihood of those threats occurring, and determine the potential impact on the organization. The ongoing risk assessment process should be reviewed and updated regularly to ensure it remains relevant and reflects the organization’s current risk posture .

To be effective, a risk assessment should be conducted by trained professionals who can identify potential threats and vulnerabilities and evaluate their potential impact on the organization.

A thorough Business Continuity Plan Risk Assessment should also consider the potential impact of large-scale natural disasters , such as hurricanes, floods, or earthquakes. While these events may be rare, their potential to cause large-scale disruption and damage is significant. 

Businesses should analyze the likelihood of these events occurring in their region, the potential severity of the impacts, and the potential costs associated with any damages. Further, businesses should consider the impact of any potential disruption to their supply chain and the potential costs associated with lost or damaged inventory.

Finally, businesses should review their insurance policies to ensure they are adequately covered in the event of a large-scale natural disaster . 

In addition to natural disasters, businesses should assess the risks posed by cyber-attacks, terrorism, and other criminal activities. Companies should review the security measures they have in place and consider any additional measures that may be necessary to protect their assets and operations.

Businesses should also consider the potential impacts of a cyber attack, such as lost or compromised data, stolen funds, and disruption to their operations. Furthermore, businesses should consider the potential costs of any losses or damages resulting from a cyber attack .

Common Mistakes

These mistakes include not accounting for the loss of critical people, not planning for staff stress and trauma, and not having alternative recovery sites.

The mistakes can lead to a lack of preparedness during unexpected events, which can have severe consequences for the business. For example , not accounting for the loss of critical people can result in a lack of expertise and knowledge, which can be detrimental to the smooth functioning of the organization.

Another common mistake in business continuity planning is not making emergency plans accessible . Emergency plans should be accessible to all employees, including those who work remotely. This can help ensure that everyone is on the same page and knows what to do when an unexpected event occurs.

Not communicating plans and processes transparently is also a mistake. Communication is essential during a crisis, and transparent communication can help build employee trust and confidence.

Not having alternative recovery sites is another mistake that can have severe consequences. If the primary recovery site is unavailable, the organization should have an alternative site ready to ensure continuity of business operations . Failure to plan for alternative recovery sites can lead to prolonged downtime, which can be costly for the business.

Overall, it is essential to avoid these common mistakes to ensure that the business is prepared to navigate unexpected events and maintain continuity of operations.

Risk Assessment Process

The process involves identifying and describing risks , prioritizing risks associated with essential recovery processes, and evaluating risks to compare results with the organization’s risk tolerance.

It is important to venture outside the scope of risk assessment to find information that supports evaluation and have workshops with the enterprise risk team to test the articulation of risks.

The risk assessment process should focus on risks that have the potential to disrupt the business recovery process during a disaster . Risks associated with processes essential to the organization’s recovery process should be identified, and unforeseeable risks should not be anticipated.

The identified risks should be closely related to overall business continuity, and mitigation controls should justify the investment to mitigate.

The findings from the risk assessment process will be valuable input in designing a business recovery strategy , which will be the next step in the program.

Overall, the risk assessment process is integral to business continuity planning . It helps organizations prepare for and mitigate risks , prevent injuries or illnesses, meet legal requirements, create awareness about hazards and risks, create an accurate inventory of available assets

 Justify the cost of managing risks, determine the budget to remediate risks , and understand the return on investment. A specialized compliance specialist can help with the risk assessment process, and risk assessment plans should be reviewed and updated regularly to stay on top of new hazards .

Business Impact Analysis

A thorough Business Impact Analysis is critical for organizations to gauge the impact of specific risks on their business operations and financial implications, ultimately leading to a more effective and resilient Business Continuity Plan .

The analysis involves identifying and assessing the potential consequences of disruptive events on critical business functions, assets, and stakeholders. It considers the time required for recovery, the cost of recovery, and the impact on revenue, reputation, and customer satisfaction.

The Business Impact Analysis enables organizations to prioritize recovery efforts and allocate resources effectively. It also helps them identify areas for improvement in their Business Continuity Plan.

Business Impact Analysis is an essential step in the risk assessment process for Business Continuity Planning. It helps organizations understand the potential impact of disruptive events on their operations, finances, and reputation.

Reporting and Review

Reporting and Review is a crucial step in the Business Impact Analysis process as it allows organizations to present their findings to stakeholders and obtain feedback. This feedback is important as it helps organizations to improve their Business Continuity Plan .

Reporting and Review also enable organizations to identify any gaps in their plan and make the necessary changes to better prepare for the risks identified during the risk assessment .

During the Reporting and Review process, it is important to use templates that are familiar to the enterprise risk team to report findings. These templates help to ensure consistency in reporting and make it easier for stakeholders to understand the findings.

It is also important to provide a high-level update to the steering committee and review the report with the GRC or enterprise risk management team. This review process helps to ensure that the findings are accurate and that the Business Continuity Plan is aligned with the enterprise risk management practices.

Reporting and Review is an essential step in the Business Impact Analysis process . The feedback obtained during this process is crucial in improving the Business Continuity Plan and ensuring that the organization is better prepared for the risks identified during the risk assessment process.

Risk assessment is a crucial component of business continuity planning that involves identifying and analyzing potential risks to an organization’s operations. It allows businesses to evaluate the likelihood and potential impact of various risks and develop strategies to prevent or mitigate them.

To ensure the success of a risk assessment process, organizations must avoid common mistakes, such as failing to involve key stakeholders or neglecting to update the assessment regularly.

Business impact analysis is also a critical aspect of risk assessment that helps organizations understand the potential consequences of a disruption and prioritize recovery efforts accordingly.

Additionally, cybersecurity policies must be integrated into the risk assessment process to address the increasing cyber-attack threat.

Implementing a comprehensive cybersecurity program that includes employee training and education, regular system and software updates, and up-to-date antivirus protection is important. Also, organizations should have a process in place to regularly review their policies and procedures to ensure they are up-to-date and in line with industry best practices.

Regular network activity monitoring should also be conducted to identify any suspicious activity and respond to potential threats quickly and effectively. Finally, organizations should develop a communication plan to ensure all staff and stakeholders are aware of the cybersecurity policies and related procedures.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.

Third-party Risk Management Lifecycle: An Essential Blueprint for Businesses

Understanding The Essential Role Of An Enterprise Risk Management System In Modern Business

Leave a Comment Cancel reply

Save my name, email, and website in this browser for the next time I comment.

Reach out to understand more about Enterprise Risk Management, Project Management and Business Continuity.

© 2024 Risk Management

Value and resilience through better risk management

Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.

Stay current on your favorite topics

Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.

The role of the board and senior executives

Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017 , we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).

A long way to go

Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.

Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.

A sectoral view of risks

Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.

• Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
• Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
• Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
• Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.

Toward proactive risk management

An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies cannot shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach comprised of short-term performance initiatives focused on revenue and costs, top performers deem risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.

Strategic decision making

More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns. 1 See, for example, Yuval Atsmon, “ How nimble resource allocation can double your company’s value ,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success , Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “ How to build an alliance against corporate short-termism ,” January 2017. Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.

Debiasing and stress-testing

Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).

Higher-quality products and safety standards

Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.

Comprehensive operative controls

These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.

Stronger ethical and societal standards

To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.

The three dimensions of effective risk management

Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.

Would you like to learn more about our Risk Practice ?

To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.

1. Developing an effective risk operating model

The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.

Finding the right level of risk appetite

Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:

Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.

Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.

As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.

• Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
• Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
• Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
• Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.

2. Toward robust risk governance, organization, and culture

The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent contradiction in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that the lines one and two are functioning as intended.

• Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
• Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
• Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
• Resources. Appropriate resources are a critical factor in successful risk governance. The size of the compliance, risk, audit, and legal functions of nonfinancial companies (0.5 for every 100 employees, on average), are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources in sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
• Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.

An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models.

3. Crisis preparedness and response

A high-performing, effective risk operating model and governance structure, with a well-developed risk culture minimize the probability of corporate crises , without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.

• Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
• Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
• Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
• Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
• Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.

In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.

Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.

Explore a career with us

Related articles.

The business logic in debiasing

Are you prepared for a corporate crisis?

Nonfinancial risk today: Getting risk and the business aligned

Risk & Compliance Matters

4 steps to start a business continuity plan.

Most risk and compliance professionals already grasp the importance of business continuity planning. Pandemics, climate disasters, cybersecurity attacks, and supply chain instability tend to have that effect on this crowd.

But there’s a big difference between understanding the need for business continuity and developing an actual business continuity plan. Bridging this gap involves risk assessments, internal control remediation, and testing — with plenty of input from all parts of the enterprise along the way.

How can you start building a business continuity plan? Which steps are most important, and which ones hardest to get right? Read on to see the necessary steps in this process - after all, catastrophe is going to strike sooner or later.

1. Do a Risk Assessment Using a Business Continuity Framework

Like other risk-management efforts, business continuity planning begins with a risk assessment . The details of that assessment, however, might be more intricate than most risk and compliance professionals are used to; that’s why most organizations use a business continuity framework , such as ISO, or a NIST cybersecurity framework , to work through the risk assessment methodically.

The goal of a business continuity risk assessment is 1.) to map the organization’s business objectives to processes that support those objectives; then 2.) match those processes to the assets that support the processes. Once you understand how processes and assets support business objectives, the question becomes: “How could those assets be put at risk?”

For example, say a business objective is the timely delivery of goods and services to customers. The processes would include accepting customer orders, assuring sufficient inventory, and shipping goods from loading dock to customer. The assets would include IT systems to place orders, goods in the warehouse, and a reliable third-party shipping service.

We could identify 100 different ways those processes and assets could fail and disrupt the business. The above example is only one of many objectives and processes a business continuity plan should address. Without a framework to guide that analysis, the odds of overlooking a critical threat increase dramatically.

Download:  Business Continuity Toolkit

2. Do a Business Impact Analysis

The results of the risk assessment will inform the business impact analysis (BIA). A business impact analysis takes the assets you identified that support your most critical business processes, and asks: “What would happen to those processes, and our ability to achieve our objectives, if the assets were suddenly unavailable?”

The BIA should tell you which goods, IT services, or employees are crucial to mission-critical business processes; and which risk events (power failures, hurricanes, IT system outages, pandemics, etc.) would cause the most disruption if those risks aren’t remediated.

Many companies prioritize risks to business continuity by using the risk assessments and BIA to generate a business impact score for each continuity risk; the higher the score, the more dangerous a risk is to business continuity. (Software is often used to assess risk and generate that score automatically .) Then you can develop a business continuity plan that addresses mission-critical risks first, the rest later.

3. Develop the Business Continuity Plan

The business continuity plan (BCP) can address risk in several ways. Here are a few examples:

• To avoid a shortage of critical components, for example, you might adopt a policy that specifies “When we’re down to our last 100 widgets, we order a fresh batch.”
• To avoid failures of critical IT systems, you might decide to establish backup data centers with all transactions archived to those sites every 12 hours.
• To avoid failures with critical third parties , you might maintain lists of alternative providers and have a policy to test the resiliency of those critical third parties every 60 days.

The business continuity plan should be documented and shared with senior executives and operations teams, so that everyone understands their responsibilities in the event of a disruption.

The plan also demonstrates responsible risk management to business partners, regulators, investors, and other stakeholders. The BC plan indicates that the organization has identified risks to business operations and put steps in place to keep those risks in check.

4. Communicate, Practice, and Monitor

Business continuity plans are living documents – you can’t leave it in a desk drawer to gather dust until disaster arrives. Risk managers need to put their business continuity plans to work in multiple ways.

Communicate: Circulate drafts of the plan among senior management and operations executives so all stakeholders know what it includes. Ask for feedback: What might the plan overlook, or which proposed mitigation steps aren’t practical? When the plan is finalized, share it with everyone in key roles to helping the organization endure a disaster.

Practice: Hold table-top exercises or drills of possible disasters at regular intervals. You might even hold table-top exercises for each draft of the plan, so risk managers can see what ideas will or won’t work in practice. The goal in stepping through the plan and response is to train key employees on their roles during a crisis, and to test the plan for weaknesses.

Monitor: Risks to business continuity will evolve. Resources may become more or less scarce, service providers may merge or go out of business, reorganizations send key employees into new roles, etc. Just like any other risk management, third-party and other risks should be assessed on an ongoing basis , and the BC plan should be updated as necessary.

Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” This doesn’t need to be the case in business. Business continuity plans take time, effort, and collaboration, but they can guide your organization through disaster — and they’re far better than the alternative of having no plan at all.

Put your BC plan into action with the Business Continuity Toolkit!

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

2021 Brings Risk and Compliance Together Under One Roof

2020 opened the pandora's box of risks: cybersecurity, supply chain, health and safety, financial fraud, and regulatory compliance as well. If the experiences of 2020 taught us anything, it’s that a federated approach to risk is not enough. Compliance and integrated risk management need to come together under one roof.

A Year of Uncertainty Spurs Integrated Risk Management Adoption

In the last five years, integrated risk management has gone from buzzword to practice. The primary driver of IRM across industries is uncertainty. After a year of uncertainty, organizations will direct GRC-related resources from compliance to a risk-oriented approach.

Business risk assessment: what it is & why you need it

Updated 12 January 2024 • 6 min read

What is a business risk assessment? 

A business risk assessment helps you identify, analyse and prioritise risks. Businesses use risk assessments to:

minimise or eliminate risks

protect against potential threats

improve decision-making.

Risk assessment for business plan

When you’re putting together a business plan , it’s important to include a business risk assessment. Completing this section helps business owners to: 

understand what risks they face

develop strategies for minimising or eliminating those risks

allocate resources effectively to manage risks

monitor and review risks on an ongoing basis.

This means that the business owner has a documented strategy in place to handle when things can — and do — go wrong. This gives them better control over the business and its trajectory, while also giving potential investors assurance that the business is well managed and their investment is sound.  

The different types of risks businesses face

While it may be difficult to catalogue every risk a business may face, you can do a risk assessment based on types of risk. These categories may include:  

Hazard-based

These are risks from dangerous workplace situations that could cause harm to people, property or the environment. Examples include fires, floods and chemical spills.

Opportunity-based

This risk comes from choosing one opportunity over another. When you dedicate your resources to one opportunity, there’s always the chance that a better one will come along or the current one won’t go as planned. Examples include investing in a new product line or moving to a new location.

Uncertainty-based

This risk is present when the outcome of a situation is uncertain. Examples of business risks include legal action, damage from natural disasters, and the loss of important customers or suppliers.

Operational 

This type of risk comes from the day-to-day running of your business. Examples of operational risk may include equipment failure, employee error or theft.

Reputational

A risk to your business' reputation can include negative media coverage, product recalls and data breaches. 

Cyber security

Cyber security is a risk for all businesses, including small and medium-sized organisations. Any data loss, leak or compromise can cost a business severely — both financially and in reputational damage. 

How to do a business risk assessment (plus template and example)

1. identify the different types of risks for your business..

To identify the risks to your business, consider what could go wrong and why that might happen. Consider holding brainstorming sessions with your employees or reviewing past incidents to get started.

2. Assess the likelihood and potential impact of each type of risk.

You’ll want to decide the likelihood and potential impact of each type of risk. For example, the risk may be unlikely to occur through to very likely to occur. Likewise, the impact of the risk may be negligible through to severe. Doing this assessment will help you decide what to prioritise and where to allocate resources.   

3. Prioritise the risks and develop strategies for mitigating them.

Once you’ve identified and assessed your risks, you’ll need to develop strategies to mitigate them and lessen their potential negative impact. This could involve taking out adequate business insurance or putting business continuity plans in place. 

Business risk assessment template

The Australian Taxation Office (ATO) has developed a business risk assessment template that you can use for your risk assessment.

The template includes questions to help you identify and assess risks.

Business risk assessment example

If you own a small business, you might not think you need to worry about conducting risk assessments. But all businesses can face risks that could significantly affect their operations. Consider the following example:

You own a small retail business with one store. Your primary source of income is from selling products online, but you also have a small number of customers who visit your store in person.

A customer tells you they see a mouse in your store. This is a reputational risk, as it could damage your business’ reputation if word gets out. It’s also an operational risk if it leads to damaged inventory.

In this case, you'd need to assess the likelihood of that risk and the potential damage it could do to your business reputation or operations. Based on this assessment, you can decide how best to deal with the risk.

This is just one example of the innumerable risks businesses can face. Conducting a thorough business risk assessment prepares you for just about anything that comes your way.

Tips for mitigating risk in your business

Risk is part of life — it can’t always be avoided, but there are strategies you can put in place to mitigate its impacts. Consider the following: 

Have adequate insurance coverage to help mitigate the financial impact of risks such as fire, theft or liability.

Develop contingency plans so that you can continue operating if an incident, such as a natural disaster or power outage, occurs.

Implement risk management processes and procedures. This could involve anything from regular risk assessments to employee training on identifying and dealing with potential risks.

Regularly monitor and review risks and make sure you have effective mitigation strategies in place.

Maintain good relationships with suppliers and customers. This can help to minimise the impact of risks such as supply chain disruptions. Also, ask for feedback on their experience with your products or services, so you can identify potential risks before they become major problems.

Have strong internal financial controls and IT security measures.

Stay up to date on changes in laws and regulations. This will help you avoid compliance-related issues, including risks specific to your industry and general risks all businesses face.

Disclaimer: This is general advice not meant to replace professional guidance. When seeking out someone to help advise you on business decisions, find somebody with the accreditations to assist you.

Minimise your IT risk with MYOB

With MYOB’s business management platform , you can look after your finances, invoices , payroll and more, while maintaining compliance and data security at all times. Our cloud-based software is scalable and affordable, catering for sole traders through to mid-sized enterprises . With MYOB, your IT is future fit — so you have one less thing to worry about.

Sign up today and try FREE for 30 days .

Disclaimer:  Information provided in this article is of a general nature and does not consider your personal situation. It does not constitute legal, financial, or other professional advice and should not be relied upon as a statement of law, policy or advice. You should consider whether this information is appropriate to your needs and, if necessary, seek independent advice. This information is only accurate at the time of publication. Although every effort has been made to verify the accuracy of the information contained on this webpage, MYOB disclaims, to the extent permitted by law, all liability for the information contained on this webpage or any loss or damage suffered by any person directly or indirectly through relying on this information.

Related Guides

How to define key performance indicators (kpis) for employees arrow right, how to perform a business gap analysis arrow right, business expenses guide for smbs arrow right.

• Search Search Please fill out this field.

Identifying Risks

Physical risks, location risks, human risks, technology risks, strategic risks, making a risk assessment, insuring against risks, risk prevention, the bottom line.

• Business Essentials

Identifying and Managing Business Risks

Yarilet Perez is an experienced multimedia journalist and fact-checker with a Master of Science in Journalism. She has worked in multiple cities covering breaking news, politics, education, and more. Her expertise is in personal finance and investing, and real estate.

Running a business comes with many types of risk. Some of these potential hazards can destroy a business, while others can cause serious damage that is costly and time-consuming to repair. Despite the risks implicit in doing business, CEOs and risk management officers can anticipate and prepare, regardless of the size of their business.

Key Takeaways

• Some risks have the potential to destroy a business or at least cause serious damage that can be costly to repair.
• Organizations should identify which risks pose a threat to their operations.
• Potential threats include location hazards such as fires and storm damage, a l cohol and drug abuse among personnel, technology risks such as power outages, and strategic risks such as investment in research and development.
• A risk management consultant can recommend a strategy including staff training, safety checks, equipment and space maintenance, and necessary insurance policies.

If and when a risk becomes a reality, a well-prepared business can minimize the impact on earnings, lost time and productivity, and negative impact on customers. For startups and established businesses, the ability to identify risks is a key part of strategic business planning . Risks are identified through a number of ways. Strategies to identify these risks rely on comprehensively analyzing a company's specific business activities. Most organizations face preventable, strategic and external threats that can be managed through acceptance, transfer, reduction, or elimination.

A risk management consultant can help a business determine which risks should be covered by insurance.

Below are the main types of risks that companies face:

Building risks are the most common type of physical risk. Think fires or explosions. To manage building risk, and the risk to employees, it is important that organizations do the following:

• Make sure all employees know the exact street address of the building to give to a 911 operator in case of emergency.
• Make sure all employees know the location of all exits.
• Install fire alarms and smoke detectors.
• Install a sprinkler system to provide additional protection to the physical plant, equipment, documents and, of course, personnel.
• Inform all employees that in the event of emergency their personal safety takes priority over everything else. Employees should be instructed to leave the building and abandon all work-associated documents, equipment and/or products.

Hazardous material risk is present where spills or accidents are possible. The risk from hazardous materials can include:

• Toxic fumes
• Toxic dust or filings
• Poisonous liquids or waste

Fire department hazardous material units are prepared to handle these types of disasters. People who work with these materials, however, should be properly equipped and trained to handle them safely.

Organizations should create a plan to handle the immediate effects of these risks. Government agencies and local fire departments provide information to prevent these accidents. Such agencies can also provide advice on how to control them and minimize their damage if they occur.

Among the location hazards facing a business are nearby fires, storm damage, floods, hurricanes or tornados, earthquakes, and other natural disasters. Employees should be familiar with the streets leading in and out of the neighborhood on all sides of the place of business. Individuals should keep sufficient fuel in their vehicles to drive out of and away from the area. Liability or property and casualty insurance are often used to transfer the financial burden of location risks to a third-party or a business insurance company.

There are other business risks associated with location that are not directly related to hazards, such as city planning. For example, a gas station exists on a major road, and as a result of its location, it receives plenty of business. City planning can eventually restructure the area around the gas station. The city may close the road the gas station is on, build other infrastructure that would make the gas station inaccessible, or overall just not take the gas station into consideration with any redevelopment. This would leave the gas station with no traffic to serve.

Alcohol and drug abuse are major risks to personnel in the workforce. Employees suffering from alcohol or drug abuse should be urged to seek treatment, counseling, and rehabilitation if necessary. Some insurance policies may provide partial coverage for the cost of treatment.

Protection against embezzlement , theft and fraud may be difficult, but these are common crimes in the workplace. A system of double-signature requirements for checks, invoices, and payables verification can help prevent embezzlement and fraud. Stringent accounting procedures may discover embezzlement or fraud. A thorough background check before hiring personnel can uncover previous offenses in an applicant's past. While this may not be grounds for refusing to hire an applicant, it would help HR to avoid placing a new hire in a critical position where the employee is open to temptation.

Illness or injury among the workforce is a potential problem. To prevent loss of productivity, assign and train backup personnel to handle the work of critical employees when they are absent due to a health-related concern. Other human-related risks under public attention could be associated with their behaviors and values. Misbehavior of management related to bias, racism, sexism, harassment, corruption, discrimination, pollutive actions, and carelessness about the environment are all actions that represent risk for the companies where these managers work.

A power outage is perhaps the most common technology risk. Auxiliary gas-driven power generators are a reliable back-up system to provide electricity for lighting and other functions. Manufacturing plants use several large auxiliary generators to keep a factory operational until utility power is restored.

Computers may be kept up and running with high-performance back-up batteries. Power surges may occur during a lightning storm (or randomly), so organizations should furnish critical business systems with surge-protection devices to avoid the loss of documents and the destruction of equipment.

Cloud storage is another source of risks nowadays. The process involves backing up data with Amazon Web Services, for example, using Azure, IBM, and Oracle, for instance. This is a huge undertaking that should be considered given the reliance on cloud-based data to run most businesses now. It is important to establish both offline and online data backup systems to protect critical documents.

Although telephone and communications failure are relatively uncommon, risk managers may consider providing emergency-use company cell phones to personnel whose use of the phone or internet is critical to their business.

Strategy risks are not altogether undesirable. Financial institutions such as banks or credit unions take on strategy risk when lending to consumers, while pharmaceutical companies are exposed to strategy risk through  research and development  for a new drug. Each of these strategy-related risks is inherent in an organization's business objectives. When structured efficiently, the acceptance of strategy risks can create highly profitable operations.

Companies exposed to substantial strategy risk can mitigate the potential for negative consequences by creating and maintaining infrastructures that support high-risk projects. A system established to control the financial hardship that occurs when a risky venture fails often includes diversification of current projects, healthy cash flow, or the ability to finance new projects in an affordable way, and a comprehensive process to review and analyze potential ventures based on future return on investment .

After the risks have been identified , they must be prioritized in accordance with an assessment of their probability. The first step is to establish a probability scale for the purposes of risk assessment .

For example, risks may:

• Be very likely to occur
• Have some chance of occurring
• Have a small chance of occurring
• Have very little chance of occurring

Other risks must be prioritized and managed in accordance with their likelihood of occurring. Actuarial tables —statistical analysis of the probability of any risk occurring and the potential financial damage ensuing from the occurrence of those risks—may be accessed online and can provide guidance in prioritizing risk.

Insurance is a principle safeguard in managing risk, and many risks are insurable. Fire insurance is a necessity for any business that occupies a physical space, whether owned outright or rented, and should be a top priority. Product liability insurance, as an obvious example, is not necessary for a service business.

Some risks are an inarguably high priority, for example, the risk of fraud or embezzlement where employees handle money or perform accounting duties in accounts payable and receivable. Specialized insurance companies will underwrite a cash bond to provide financial coverage in the event of embezzlement, theft or fraud.

When insuring against potential risks, never assume a best-case scenario. Even if employees have worked for years with no problems and their service has been exemplary, insurance against employee error may be a necessity. The extent of insurance coverage against injury will depend on the nature of your business. A heavy manufacturing plant will, of course, require more extensive coverage for employees. Product liability insurance is also a necessity in this context.

If a business relies heavily on computerized data—customer lists and accounting data, for example—exterior backup and insurance coverage is necessary. Finally, hiring a risk management consultant may be a prudent step in the prevention and management of risks.

The best risk insurance is prevention. Preventing the many risks from occurring in your business is best achieved through employee training, background checks, safety checks, equipment maintenance and maintenance of the physical premises. A single, accountable staff member with managerial authority should be appointed to handle risk management responsibilities. A risk management committee may also be formed with members assigned specific tasks with a requirement to report to the risk manager.

The risk manager, in conjunction with a committee, should formulate plans for emergency situations such as:

• Hazardous materials accidents or the occurrence of other emergencies

Employees must know what to do and where to exit the building or office space in an emergency. A plan for the safety inspection of the physical premises and equipment should be developed and implemented regularly including the training and education of personnel when necessary. A periodic, stringent review of all potential risks should be conducted. Any problems should be immediately addressed. Insurance coverage should also be periodically reviewed and upgraded or downgraded as needed.

Prevention is the best insurance against risk. Employee training, background checks, safety checks, equipment maintenance, and maintenance of physical premises are all crucial risk management strategies for any business.

While business risks abound and their consequences can be destructive, there are ways and means to ensure against them, to prevent them, and to minimize their damage, if and when they occur. Finally, hiring a risk management consultant may be a worthwhile step in the prevention and management of risks.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

• GLOBAL SEARCH
• WEB SUPPORT

16 Entrepreneurs Explain What Work Means to Them

25 Entrepreneurs Share Essential Skills One Needs to be a CEO

22 Entrepreneurs Share How They Incorporate Health and Fitness into Their Day

8 Entrepreneurs Reveal How Much They Work In a Week

11 Entrepreneurs Reveal Their Why/Motivation

12 Entrepreneurs Share Views on Whether Entrepreneurs are Born or Made

7 Entrepreneurs Share Essential Skills One Needs to be a CEO

30 Entrepreneurs Share Essential Skills One Needs to be a CEO

15 Entrepreneurs Explain The Misconceptions Around Entrepreneurship & Business

• Wordpress 4 CEOs

How to Create a Google Business Profile / Tips to Optimize Google Business Profile

How to Get Your Product Into Walmart- {Infographic}

Make Money using Facebook – Make Great Posts

2 Interesting Updates from WordPress 4.8 Evans

How To Know If Your Business Idea Will Succeed

This is How to Write a Converting Email Autoresponder Series

15 Entrepreneurs Explain What They Love And/Or Hate About WordPress

6 Updates That I’m Paying Attention to with WordPress 4.7 – Vaughan

Download Our Free Guide

5 Entrepreneurs Share Their Favorite Business Books

18 Entrepreneurs and Business Owners Reveal Their Best Leadership Tips

30 Entrepreneurs Share Their Thoughts On the Role of Middle Management Within Organizations

30 Entrepreneurs Reveal The Future Trends They Anticipate in Entrepreneurship

27 Entrepreneurs Reveal The Future Trends They Anticipate in Entrepreneurship

12 Entrepreneurs Explain What Hustle Means To Them

7 Entrepreneurs Reveal Their Business Goals for 2024

27 Entrepreneurs List Their Favorite Business Books

14 Entrepreneurs Describe Their Leadership Style

30 Entrepreneurs Define The Term Disruption

25 Entrepreneurs Define Innovation And Disruption

16 Entrepreneurs Define The Term Disruption

15 Entrepreneurs Define Innovation And Disruption

• GUEST POSTS
• WEBSITE SUPPORT SERVICES
• FREE CBNation Buzz Newsletter
• Premium CEO Hack Buzz Newsletter

Business Plan 101: Critical Risks and Problems

When starting a business, it is understood that there are risks and problems associated with development. The business plan should contain some assumptions about these factors. If your investors discover some unstated negative factors associated with your company or its product, then this can cause some serious questions about the credibility of your company and question the monetary investment. If you are up front about identifying and discussing the risks that the company is undertaking, then this demonstrates the experience and skill of the management team and increase the credibility that you have with your investors.  It is never a good idea to try to hide any information that you have in terms of risks and problems.

Identifying the problems and risks that must be dealt with during the development and growth of the company is expected in the business plan. These risks may include any risk related to the industry, risk related to the company, and risk related to its employees. The company should also take into consideration the market appeal of the company, the timing of the product or development, and how the financing of the initial operations is going to occur. Some things that you may want to discuss in your plan includes: how cutting costs can affect you, any unfavorable industry trends, sales projections that do not meet the target, costs exceeding estimates, and other potential risks and problems.  The list should be tailored to your company and product. It is a good idea to include an idea of how you will react to these problems so your investors see that you have a plan.

Related Posts

Business Plan 101: Overall Schedule

Business plan 101: personal financial statement.

This Teach a CEO focuses on Google Business Profile formerly Google My Business. List your business on Google with a...

How can you get your products into Walmart? Many entrepreneurs struggle with the lack of ideas on where exactly they...

As we know that ‘Content is the King’, therefore, you must have an ability to write and share good quality...

WordPress 4.8 is named "Evans" in honor of jazz pianist and composer William John “Bill” Evans. There's not a log of...

Business Plan 101: Financial History

Leave a reply cancel reply.

Your email address will not be published. Required fields are marked *

Privacy Policy Agreement * I agree to the Terms & Conditions and Privacy Policy .

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Join CBNation Buzz

Our Latest CBNation Content:

• IAM2068 – Marketing Expert Helps Authors Translate their Personal Stories into Bestsellers
• IAM2067 – Founder and Author Shares the Advantages of Robo Investing and How it has Evolved
• IAM2066 – Social Entrepreneur Owner of Insurance Agency Helps Families, Women and Girls Realize Their Dreams
• IAM2065 – Consultant, AR Man Journalist Helps Support Heavy Metal Artists
• Innovator and Author Enhances Cognitive Function through Neuroplasticity
• CEO Helps in Scaling Small Businesses with Personalized Communication

Our Sponsors

Join thousands of subscribers & be the first to get new freebies.

What is CBNation?

We're like a global business chamber but with content... lots of it.

CBNation includes a library of blogs, podcasts, videos and more helping CEOs, entrepreneurs and business owners level up

CBNation is a community of niche sites for CEOs, entrepreneurs and business owners through blogs, podcasts and video content. Started in much the same way as most small businesses, CBNation captures the essence of entrepreneurship by allowing entrepreneurs and business owners to have a voice.

CBNation curates content and provides news, information, events and even startup business tips for entrepreneurs, startups and business owners to succeed.

+ Mission: Increasing the success rate of CEOs, entrepreneurs and business owners.

+ Vision: The media of choice for CEOs, entrepreneurs and business owners.

+ Philosophy: We love CEOs, entrepreneurs and business owners and everything we do is driven by that. We highlight, capture and support entrepreneurship and start-ups through our niche blog sites.

Our Latest Content:

• IAM2064 – Award-Winning Speaker Helps Individuals Unlock their Greatness
• IAM2063 – CEO and Fitness Innovator Elevates the Future of Fitness Industry
• IAM2062 – CEO Empowers Businesses and Consumers by Leveraging on Using AI Technology
• IAM2061 – Property Management Expert Specializes in Short-Term and Mid-Term Rental Management

Privacy Overview

• Teach A CEO

Share on Mastodon

.css-s5s6ko{margin-right:42px;color:#F5F4F3;}@media (max-width: 1120px){.css-s5s6ko{margin-right:12px;}} Join us: Learn how to build a trusted AI strategy to support your company's intelligent transformation, featuring Forrester .css-1ixh9fn{display:inline-block;}@media (max-width: 480px){.css-1ixh9fn{display:block;margin-top:12px;}} .css-1uaoevr-heading-6{font-size:14px;line-height:24px;font-weight:500;-webkit-text-decoration:underline;text-decoration:underline;color:#F5F4F3;}.css-1uaoevr-heading-6:hover{color:#F5F4F3;} .css-ora5nu-heading-6{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-webkit-box-pack:start;-ms-flex-pack:start;-webkit-justify-content:flex-start;justify-content:flex-start;color:#0D0E10;-webkit-transition:all 0.3s;transition:all 0.3s;position:relative;font-size:16px;line-height:28px;padding:0;font-size:14px;line-height:24px;font-weight:500;-webkit-text-decoration:underline;text-decoration:underline;color:#F5F4F3;}.css-ora5nu-heading-6:hover{border-bottom:0;color:#CD4848;}.css-ora5nu-heading-6:hover path{fill:#CD4848;}.css-ora5nu-heading-6:hover div{border-color:#CD4848;}.css-ora5nu-heading-6:hover div:before{border-left-color:#CD4848;}.css-ora5nu-heading-6:active{border-bottom:0;background-color:#EBE8E8;color:#0D0E10;}.css-ora5nu-heading-6:active path{fill:#0D0E10;}.css-ora5nu-heading-6:active div{border-color:#0D0E10;}.css-ora5nu-heading-6:active div:before{border-left-color:#0D0E10;}.css-ora5nu-heading-6:hover{color:#F5F4F3;} Register now .css-1k6cidy{width:11px;height:11px;margin-left:8px;}.css-1k6cidy path{fill:currentColor;}

• Business strategy |
• What is a contingency plan? A guide to ...

What is a contingency plan? A guide to contingency planning

A business contingency plan is a backup strategy for your team or organization. It lays out how you’ll respond if unforeseen events knock your plans off track—like how you’ll pivot if you lose a key client, or what you’ll do if your software service goes down for more than three hours. Get step-by-step instructions to create an effective contingency plan, so if the unexpected happens, your team can spring into action and get things back on track.

No one wants Plan A to fail—but having a strong plan B in place is the best way to be prepared for any situation. With a solid backup plan, you can effectively respond to unforeseen events effectively and get back on track as quickly as possible. 

A contingency plan is a proactive strategy to help you address negative developments and ensure business continuity. In this article, learn how to create a contingency plan for unexpected events and build recovery strategies to ensure your business remains healthy.

What is contingency planning?

What is a contingency plan .

A contingency plan is a strategy for how your organization will respond to important or business-critical events that knock your original plans off track. Executed correctly, a business contingency plan can mitigate risk and help you get back to business as usual—as quickly as possible. 

You might be familiar with contingency plans to respond to natural disasters—businesses and governments typically create contingency plans for disaster recovery after floods, earthquakes, or tornadoes. 

But contingency plans are just as important for business risks. For example, you might create a contingency plan outlining what you will do if your primary competitors merge or how you’ll pivot if you lose a key client. You could even create a contingency plan for smaller occurrences that would have a big impact—like your software service going down for more than three hours.

Contingency planning vs risk management

Project risk management is the process of identifying, monitoring, and addressing project-level risks. Apply project risk management at the beginning of the project planning process to prepare for any risks that might come up. To do so, create a risk register to identify and monitor potential project risks. If a risk does happen, you can use your risk register to proactively target that risk and resolve it as quickly as possible. 

A contingency plan is similar to a project risk management plan or a crisis management plan because it also helps you identify and resolve risks. However, a business contingency plan should cover risks that span multiple projects or even risks that could affect multiple departments. To create a contingency plan, identify and prepare for large, business-level risks.

Contingency planning vs crisis management

Contingency planning is a proactive approach that prepares organizations for potential emergencies by implementing pre-planned risk mitigation strategies. It involves identifying threats and crafting strategies in advance. 

Crisis management , on the other hand, is reactive, focusing on immediate response and damage control when a crisis occurs. While contingency planning sets the stage for effective handling of emergencies, crisis management involves real-time decision-making and project management during an actual crisis. Both are important for organizations and businesses to maintain their stability and resilience.

Contingency plan examples

There are a variety of reasons you’d want to set up a contingency plan. Rather than building one contingency plan, you should build one plan for each type of large-scale risk or disaster that might strike. 

Business contingency plan

A business contingency plan is a specialized strategy that organizations develop to respond to particular, unforeseen events that threaten to disrupt regular operations. It's kind of like a business continuity plan, but there's one key difference. 

While business continuity plans aim to ensure the uninterrupted operation of the entire business during a crisis, a business contingency plan zeroes in on procedures and solutions for specific critical incidents, such as data breaches, supply chain interruptions, or key staff unavailability. 

A business contingency plan could include:

Strategies to ensure minimal operational disruption during crises, such as unexpected market shifts, regulatory compliance changes, or severe staff shortages.

Partnerships with external agencies that can provide support in scenarios like environmental hazards or public health emergencies.

A comprehensive communication strategy with internal and external stakeholders to provide clear, timely information flow during crises like brand reputation threats or legal challenges.

Environmental contingency plan

While severe earthquakes aren’t particularly common, being unprepared when “the big one” strikes could prove to be catastrophic. This is why governments and businesses in regions prone to earthquakes create preparedness initiatives and contingency plans.

A government contingency plan for an earthquake could include things like: 

The names and information of the people designated to handle certain tasks in advance to ensure the emergency response is quick and concise

Ways to educate the public on how to respond when an earthquake hits

A timeline for emergency responders.

Technology contingency plan

If your business is particularly data-heavy, for example, ensuring the safety and cybersecurity of your information systems is critical. Whether a power surge damages your servers or a hacker attempts to infiltrate your network, you’ll want to have an emergency response in place.

A business’s contingency plan for a data breach could involve: 

Steps to take and key team members to notify in order to get data adequately secured once more

The names and information of stakeholders to contact to discuss the impact of the data breach and the plan to protect their investment

A timeline to document what is being done to address the breach and what will need to be done to prevent data breaches in the future

Supply chain contingency plan

Businesses that are integral parts of the supply chain, such as manufacturing entities, retail companies, and logistics providers, need an effective supply chain contingency plan to continue functioning smoothly under unforeseen circumstances.

These plans hedge against supply chain disruptions caused by events like natural disasters or technological outages and help organizations reduce downtime and ensure real-time operational capabilities. 

A supply chain contingency plan could include:

Secure critical data and systems while promptly notifying key team members, such as IT staff and management, for immediate action.

A predetermined list of essential stakeholders, including suppliers, customers, investors, and authorities, should be contacted to inform them about the disruption and steps being taken.

A detailed timeline is essential for documenting the immediate response and outlining long-term strategies to prevent future disruptions in the supply chain.

Pandemic contingency plan

In the face of a global health crisis, a pandemic contingency plan is vital for organizations in healthcare, retail, and manufacturing. This plan focuses on mitigation strategies to minimize operational disruptions and ensure the safety of employees while maintaining business continuity. 

A pandemic response plan could include:

A comprehensive health and safety protocol for employees, which integrates regular health screenings, detailed risk analysis, and emergency medical support as key components.

Flexible work arrangements and protocols for remote operations and digital communication.

A list of key personnel and communication channels for immediate response and coordination.

Regularly reviewing and adapting the pandemic contingency plan as part of an ongoing disaster recovery plan to address evolving challenges and lessons learned.

How to create a contingency plan

You can create a contingency plan at various levels of your organization. For example, if you're a team lead, you could create a contingency plan for your team or department. Alternatively, company executives should create business contingency plans for situations that could impact the entire organization. 

As you create your contingency plan, make sure you evaluate the likelihood and severity of each risk. Then, once you’ve created your plan—or plans—get it approved by your manager or department head. That way, if a negative event does occur, your team can leap to action and quickly resolve the risk without having to wait for approvals.

1. Make a list of risks

Before you can resolve risks, you first need to identify them. Start by making a list of any and all risks that might impact your company. Remember: there are different levels of contingency planning—you could be planning at the business, department, or program level. Make sure your contingency plans are aligned with the scope and magnitude of the risks you’re responsible for addressing. 

A contingency plan is a large-scale effort, so hold a brainstorming session with relevant stakeholders to identify and discuss potential risks. If you aren’t sure who should be included in your brainstorming session, create a stakeholder analysis map to identify who should be involved.

2. Weigh risks based on severity and likelihood

You don’t need to create a contingency plan for every risk you lay out. Once you outline risks and potential threats, work with your stakeholders to identify the potential impact of each risk. 

Evaluate each risk based on two metrics: the severity of the impact if the risk were to happen and the likelihood of the risk occurring. During the risk assessment phase, assign each risk a severity and likelihood—we recommend using high, medium, and low. 

3. Identify important risks

Once you’ve assigned severity and likelihood to each risk, it’s up to you and your stakeholders to decide which risks are most important to address. For example, you should definitely create a contingency plan for a risk that’s high likelihood and high severity, whereas you probably don’t need to create a contingency plan for a risk that’s low likelihood and low severity. 

You and your stakeholders should decide where to draw the line.

4. Conduct a business impact analysis

A business impact analysis (BIA) is a deep dive into your operations to identify exactly which systems keep your operations ticking. A BIA will help you predict what impact a specific risk could have on your business and, in turn, the response you and your team should take if that risk were to occur. 

Understanding the severity and likelihood of each risk will help you determine exactly how you will need to proceed to minimize the impact of the threat to your business. 

For example, what are you going to do about risks that have low severity but high likelihood? What about risks that are high in severity, but relatively low in likelihood? 

Determining exactly what makes your business tick will help you create a contingency plan for every risk, no matter the likelihood or severity.  

5. Create contingency plans for the biggest risks

Create a contingency plan for each risk you’ve identified as important. As part of that contingency plan, describe the risk and brainstorm what your team will do if the risk comes to pass. Each plan should include all of the steps you need to take to return to business as usual.

Your contingency plan should include information about:

The triggers that will set this plan into motion

The immediate response

Who should be involved and informed?

Key responsibilities, including a RACI chart if necessary

The timeline of your response (i.e. immediate things to do vs. longer-term things to do)

For example, let’s say you’ve identified a potential staff shortage as a likely and severe risk. This would significantly impact normal operations, so you want to create a contingency plan to prepare for it. Each person on your team has a very particular skill set, and it would be difficult to manage team responsibilities if more than one person left at the same time. Your contingency plan might include who can cover certain projects or processes while you hire a backfill, or how to improve team documentation to prevent siloed skillsets. 

6. Get approval for contingency plans

Make sure relevant company leaders know about the plan and agree with your course of action. This is especially relevant if you’re creating team- or department-level plans. By creating a contingency plan, you’re empowering your team to respond quickly to a risk, but you want to make sure that course of action is the right one. Plus, pre-approval will allow you to set the plan in motion with confidence—knowing you’re on the right track—and without having to ask for approvals beforehand.

7. Share your contingency plans

Once you’ve created your contingency plans, share them with the right people. Make sure everyone knows what you’ll do, so if and when the time comes, you can act as quickly and seamlessly as possible. Keep your contingency plans in a central source of truth so everyone can easily access them if necessary.

Creating a project in a work management platform is a great way of distributing the plan and ensuring everyone has a step-by-step guide for how to enact it.

8. Monitor contingency plans

Review your contingency plan frequently to make sure it’s still accurate. Take into account new risks or new opportunities, like new hires or a changing business landscape. If a new executive leader joins the team, make sure to surface the contingency plan for their review as well. 

9. Create new contingency plans (if necessary)

It’s great if you’ve created contingency plans for all the risks you found, but make sure you’re constantly monitoring for new risks. If you discover a new risk, and it has a high enough severity or likelihood, create a new contingency plan for that risk. Likewise, you may look back on your plans and realize that some of the scenarios you once worried about aren’t likely to happen or, if they do, they won’t impact your team as much.

Common contingency planning pitfalls—and how to avoid them

A contingency plan is a powerful tool to help you get back to normal business functions quickly. To ensure your contingency planning process is as smooth as possible, watch out for common pitfalls, like: 

Lack of buy-in

It takes a lot of work to create a contingency plan, so before you get started, ensure you have support from executive stakeholders. As you create your plan, continuously check in with your sponsors to ensure you’ve addressed key risks and that your action plan is solid. By doing so, you can ensure your stakeholders see your contingency plan as something they can get behind.

Bias against “Plan B” thinking

Some company cultures don’t like to think of Plan B—they like to throw everything they have at Plan A and hope it works. But thinking this way can actually expose your team to more risks than if you proactively create a Plan B.

Think of it like checking the weather before going sailing so you don’t accidentally get caught in a storm. Nine times out of ten, a clear sunny day won’t suddenly turn stormy, but it’s always better to be prepared. Creating a contingency plan can help you ensure that, if a negative event does occur, your company will be ready to face it and bounce back as quickly as possible. 

One-and-done contingency plans

It takes a lot of work to put a contingency plan together. Sometimes when you’ve finished, it can be tempting to consider it a job well done and forget about it. But make sure you schedule regular reminders (maybe once or twice a year) to review and update your contingency plan if necessary. If new risks pop up, or if your business operations change, updating your contingency plan can ensure you have the best response to negative events.  

You’ve created a contingency plan—now what?

A contingency plan can be a lot of work to create, but if you ever need to use it, you’ll be glad you made one. In addition to creating a strong contingency plan, make sure you keep your plan up-to-date.

Being proactive can help you mitigate risks before they happen—so make sure to communicate your contingency plan to the team members who will be responsible for carrying them out if a risk does happen. Don’t leave your contingency plan in a document to collect dust—after creating it, you should use it if need be!

Once you’ve created the plan, make sure you store it in a central location that everyone can access, like a work management platform . If it does come time to use one of your contingency plans, storing them in a centrally accessible location can help your team quickly turn plans into action.

Related resources

Solve your tech overload with an intelligent transformation

9 steps to craft a successful go-to-market (GTM) strategy

Unmanaged business goals don’t work. Here’s what does.

How Asana uses work management to effectively manage goals

Maximizing Business Resilience: The Importance of Risk Assessment in Business Continuity Planning

Business Continuity Plan Risk Assessment: Businesses must have a strong Business Continuity Plan (BCP) in place in today’s uncertain business climate. This technique assists businesses in planning for unplanned disruptions and mitigating the consequences of unanticipated events such as natural disasters, cyberattacks, or global pandemics. A BCP, on the other hand, can only be effective if it incorporates a comprehensive Risk Assessment.

Risk assessment is essential in the BCP process because it helps organizations identify and analyze threats to their operations. Businesses may prioritize mitigation efforts and establish a more effective BCP by conducting a risk assessment to better understand the likelihood and potential impact of various threats and vulnerabilities.

In this article, we’ll review the importance of risk assessment in business continuity planning and look at the many parts, tools, and best practices for a thorough risk assessment.

On this page:

Understanding Business Continuity Planning and Risk Assessment

Benefits of conducting risk assessment in bcp, risk assessment components in bcp, risk assessment techniques for business continuity planning, next steps: best practices for conducting risk assessment in bcp.

Any good business continuity strategy must include risk assessment (BCP). It comprises identifying, assessing, and prioritizing company operations risks.

Organizations may better understand the probability and potential impact of various threats and vulnerabilities by conducting a comprehensive risk assessment, allowing them to make informed decisions about managing such risks.

The first step in doing a risk assessment is to define the scope of the review. This sometimes means defining the business activities and procedures necessary for your company to continue operating amid a disruption.

Once you’ve identified which critical functions, you can begin assessing the risks associated with each one.

Businesses may face a variety of risks, including supply chain interruptions, cyberattacks, power outages, and natural disasters.

Each danger must be evaluated for its likelihood and potential impact on your firm.

The following stages are frequently included in the Risk Assessment process:

• Identify the risks: This involves brainstorming and listing all possible risks impacting your business.
• Assess the risks: Once you have identified the risks, you need to evaluate each risk based on the likelihood of occurrence and the potential impact on your business.
• Prioritize the risks: After assessing each risk, you need to prioritize them based on their level of risk and potential impact on your business.
• Develop mitigation strategies: Once you have prioritized the risks, you can develop strategies to mitigate or reduce the impact of each risk.
• Monitor and review risks: Finally, you must regularly monitor and review your Risk Assessment to ensure that your mitigation strategies are effective and current.

Conducting a comprehensive Risk Assessment as part of your BCP will guarantee that your firm is better prepared to deal with unforeseen interruptions and recover rapidly in the event of a disaster.

Conducting a Risk Assessment as part of your Business Continuity Plan (BCP) process has several advantages for your company.

By identifying, analyzing, and prioritizing risks, you may create a more effective BCP to help your organization survive and recover from unforeseen interruptions.

Here are some of the key benefits of conducting a Risk Assessment in your BCP:

Helps Identify Potential Risks

A risk assessment may help you identify potential dangers to your business, both internal and external.

Analyzing your processes, systems, and procedures may reveal flaws and gaps that expose your company to risks.

Enables Prioritization of Risks

By identifying and prioritizing risks, you may effectively manage resources and focus on the most critical threats that may harm your business.

This ensures that you are prepared to deal with the most severe dangers.

Mitigates Potential Losses and Damages

By doing a risk assessment, you may develop mitigation methods to decrease the effect of probable threats.

Using these tactics may decrease losses and harm to your firm, allowing for a faster recovery and less downtime.

Enhances Business Resilience

By doing a risk assessment, you may discover opportunities to enhance your company’s procedures and systems and raise your organization’s resilience to threats.

This resilience may help your firm adjust and recover quickly when unexpected disruptions occur.

Risk assessment is essential for any successful Business Continuity Plan (BCP). It entails finding, evaluating, and prioritizing possible company operations threats.

Several components must be addressed while doing a complete Risk Assessment. The following are the main components of risk assessment in BCP:

• Risk Identification: The first step in assessing risk is identifying potential organizational risks. This includes both internal and external risks, such as disruptions in supply chains, cyberattacks, power outages, and natural disasters. All threats that might impede or hurt your company’s operations must be considered.
• Risk Analysis: The next stage is to assess each possible risk’s chance of occurrence and potential impact on your organization. This study allows you to understand the level of risk associated with each potential threat.
• Risk Prioritization: After you’ve examined each risk, you must assign a score based on its risk level and potential impact on your business. Using this method of prioritizing, you may focus your attention on the risks that have the most impact on your organization.
• Risk Mitigation Strategies: Once the risks have been selected, you must devise ways to mitigate or lessen the effect of each risk. Backup systems, contingency planning, crisis management procedures, and personnel training might all be part of these measures.
• Risk Monitoring and Review: You must regularly monitor and analyze your risk assessment to ensure that your mitigation methods are effective and up to date. Because of this continual monitoring, your BCP will remain effective and relevant, allowing you to be prepared for any changes in the risk environment.

A thorough Risk Assessment is essential for any Business Continuity Plan (BCP). Numerous methodologies may be employed to conduct a more complete and successful Risk Assessment.

Choosing the correct strategies based on your business’s requirements and risks is critical, allowing your firm to be better prepared to deal with unexpected interruptions and limit the effect of possible threats.

Here are some of the most commonly used techniques for conducting Risk Assessment in BCP:

Business Impact Analysis (BIA)

A business impact analysis (BIA) is a thorough procedure that detects and assesses the possible effect of a disturbance on your company’s operations.

This assists you in comprehending the vital company operations that must be prioritized during a crisis.

Related: Getting Started with Business Impact Analysis

Threat Analysis

A threat analysis involves identifying possible dangers to your firm, such as supply chain disruptions, cyberattacks, and natural disasters.

You may use threat analysis to assess the likelihood of each danger materializing and how it will influence your firm.

RELATED: What is Threat Management?

Risk Assessment Surveys

Surveys are a fantastic way to get information and comments from employees, stakeholders, and other essential stakeholders about possible threats to your firm.

Using this strategy, you may find possible threats and better understand the potential consequences of each risk.

Risk Assessment Workshops

Workshops are interactive gatherings that bring together key stakeholders to discover and assess potential risks to your organization.

Workshops are an excellent approach to assessing threats from diverse perspectives and developing a consensus on priority and mitigation strategies.

Risk Management Software

Several software solutions may help organizations manage their risk assessment process by assisting with risk detection, analysis, prioritization, and mitigation.

Using these technologies, many components of the risk assessment process may be automated, boosting its efficacy and efficiency.

RELATED: Managing Technology Risks

Remember that a well-designed Risk Assessment process is crucial to ensure your business is ready to deal with unforeseen interruptions and recover rapidly in the event of a catastrophe.

Conducting a Risk Assessment is essential for creating a successful Business Continuity Plan (BCP). On the other hand, the effectiveness of your Risk Assessment process depends on how effectively you plan and execute it.

Here are some best practices for conducting Risk Assessment in BCP:

• Involve the Right People: To be effective, your risk assessment process must involve the right people from throughout your organization, such as stakeholders, subject matter experts, and other relevant parties. These experts offer a range of perspectives and abilities that may help you identify potential dangers and develop practical mitigation solutions.
• Set Clear Objectives: It is critical to creating clear objectives for your risk assessment process, such as defining critical business operations, analyzing possible risks, and developing mitigation measures. Clear objectives help you stay focused on your goals by ensuring that everyone involved in the process understands what is expected.
• Use Multiple Techniques: Use a range of instruments, such as surveys, seminars, and interviews, to gather information and opinions on potential threats. Using a range of methodologies allows you to detect threats and analyze them from diverse perspectives, resulting in a more complete and accurate risk assessment.
• Evaluate the Likelihood and Impact of Risks: When considering prospective threats, consider the chance of each risk materializing as well as its potential repercussions on your firm. You may use this information to prioritize risks and develop effective mitigation strategies to mitigate the consequences of possible threats.
• Review and Update Regularly: To be current and helpful, your risk assessment technique should be assessed and adjusted on a regular basis. Because your business and the risk environment may change fast, keeping an updated Risk Assessment is critical to ensure you are sufficiently prepared for unexpected disruptions.

Malcolm is an advocate for digital privacy, specialising in areas such as Artificial Intelligence, Cyber Security and Internet of Things. Prior to joining BusinessTechWeekly.com, Malcolm advised startups, incubators and FTSE100 brands as a Risk Security Consultant. Malcolm is an avid reader, and devotes much of his time to his family in Hampshire.

Demystifying Wireless Application Protocol (WAP): Revolutionizing Mobile Connectivity

Demystifying Cognitive Analytics for Businesses

The Cyber Essentials scheme: 10 Key benefits

First Time selling on eBay? Here are some helpful tips and insights

PCI DSS Non-Compliance: Fines & Penalties Explained

What are the Benefit of a Virtual Assistant? Boosting Productivity and Efficiency…

How to write a business plan for a risk assessment company?

Writing a business plan for a risk assessment company can be an intimidating task, especially for those just starting.

This in-depth guide is designed to help entrepreneurs like you understand how to create a comprehensive business plan so that you can approach the exercise with method and confidence.

We'll cover: why writing a risk assessment company business plan is so important - both when starting up, and when running and growing the business - what information you need to include in your plan, how it should be structured, and what tools you can use to get the job done efficiently.

Let's get started!

In this guide:

Why write a business plan for a risk assessment company?

What information is needed to create a business plan for a risk assessment company.

• What goes in the financial forecast for a risk assessment company?
• What goes in the written part of a risk assessment company business plan?
• What tool can I use to write my risk assessment company business plan?

Having a clear understanding of why you want to write a business plan for your risk assessment company will make it simpler for you to grasp the rationale behind its structure and content. So before delving into the plan's actual details, let's take a moment to remind ourselves of the primary reasons why you'd want to create a risk assessment company business plan.

To have a clear roadmap to grow the business

It's rarely business as usual for small businesses. The economy follows cycles where years of growth are followed by recessions, and the business environment is always changing with new technologies, new regulations, new competitors, and new consumer behaviours appearing all the time...

In this context, running a business without a clear roadmap is like driving blindfolded: it's dangerous at best. That's why writing a business plan for a risk assessment company is essential to create successful and sustainable businesses.

To write an effective business plan, you will need to take stock of where you are (if you are already in business) and where you want the business to go in the next three to five years.

Once you know where you want your risk assessment company to be, you'll have to identify:

• what resources (human, equipment, and capital) are needed to get there,
• at what pace the business needs to progress to get there in time,
• and what risks you'll face along the way.

Going through this process regularly is beneficial, both for startups and existing companies, as it helps make informed decisions about how best to allocate resources to ensure the long-term success of the business.

To get visibility on future cash flows

If your small risk assessment company runs out of cash: it's game over. That's why we often say "cash is king", and it's crucial to have a clear view of your risk assessment company's future cash flows.

So, how can you achieve this? It's simple - you need to have an up-to-date financial forecast.

The good news is that your risk assessment company business plan already includes a financial forecast (which we'll discuss further in this guide). Your task is to ensure it stays current.

To accomplish this, it's essential to regularly compare your actual financial performance with what was planned in your financial forecast. Based on your business's current trajectory, you can make adjustments to the forecast.

By diligently monitoring your risk assessment company's financial health, you'll be able to spot potential financial issues, like unexpected cash shortfalls, early on and take corrective actions. Moreover, this practice will enable you to recognize and capitalize on growth opportunities, such as excess cash flow enabling you to expand to new locations.

To secure financing

Crafting a comprehensive business plan for your risk assessment company, whether you're starting up or already established, is paramount when you're seeking financing from banks or investors.

Given how fragile small businesses are, financiers will want to ensure that you have a clear roadmap in place as well as command and control of your future cash flows before entertaining the idea of funding you.

For banks, the information in your business plan will be used to assess your borrowing capacity - which is defined as the maximum amount of debt your business can afford alongside your ability to repay the loan. This evaluation helps them decide whether to extend credit to your business and under what terms (interest rate, duration, repayment options, collateral, etc.).

Similarly, investors will thoroughly review your plan to determine if their investment can yield an attractive return. They'll be looking for evidence that your risk assessment company has the potential for healthy growth, profitability, and consistent cash flow generation over time.

Now that you understand the importance of creating a business plan for your risk assessment company, let's delve into the necessary information needed to craft an effective plan.

Writing a risk assessment company business plan requires research so that you can project sales, investments and cost accurately in your financial forecast.

In this section, we cover three key pieces of information you should gather before drafting your business plan!

Carrying out market research for a risk assessment company

Before you begin writing your business plan for a risk assessment company, conducting market research is a critical step in ensuring precise and realistic financial projections.

Market research grants you valuable insights into your target customer base, competitors, pricing strategies, and other crucial factors that can impact the success of your business.

In the course of this research, you may stumble upon trends that could impact your risk assessment company.

You could discover that there may be a growing demand for risk assessment solutions tailored to specific industries. Additionally, you might find that there is an increasing preference for cloud-based risk assessment solutions among customers.

Such market trends play a pivotal role in revenue forecasting, as they provide essential data regarding potential customers' spending habits and preferences.

By integrating these findings into your financial projections, you can provide investors with more accurate information, enabling them to make well-informed decisions about investing in your risk assessment company.

Developing the sales and marketing plan for a risk assessment company

Budgeting sales and marketing expenses is essential before creating a risk assessment company business plan.

A comprehensive sales and marketing plan should provide an accurate projection of what actions need to be implemented to acquire and retain customers, how many people are needed to carry out these initiatives, and how much needs to be spent on promotions, advertising, and other aspects.

This helps ensure that the right amount of resources is allocated to these activities in order to hit the sales and growth objectives forecasted in your business plan.

The staffing and equipment needs of a risk assessment company

Whether you are at the beginning stages of your risk assessment company or expanding its horizons, having a clear plan for recruitment and capital expenditures (investment in equipment and real estate) is vital to ensure your business's success.

To achieve this, both the recruitment and investment plans must align coherently with the projected timing and level of growth in your forecast. It is essential to secure appropriate funding for these plans.

A risk assessment company might incur staffing costs such as salaries for experts in health and safety, human resources, and any other needed staff, as well as fees for consultants and subcontractors. Additionally, the company will likely need to purchase equipment such as computers, software, safety gear, and any other necessary items needed to complete the risk assessment.

To create a financial forecast that accurately represents your business's outlook, remember to factor in other day-to-day operating expenses.

Now that you have all the necessary information, it's time to dive in and start creating your business plan and developing the financial forecast for your risk assessment company.

What goes into your risk assessment company's financial forecast?

The financial forecast of your risk assessment company's business plan will enable you to assess the growth, profitability, funding requirements, and cash generation potential of your business in the coming years.

The four key outputs of a financial forecast for a risk assessment company are:

• The profit and loss (P&L) statement ,
• The projected balance sheet ,
• The cash flow forecast ,
• And the sources and uses table .

Let's look at each of these in a bit more detail.

The projected P&L statement

Your risk assessment company forecasted P&L statement enables the reader of your business plan to get an idea of how much revenue and profits your business is expected to make in the near future.

Ideally, your reader will want to see:

• Growth above the inflation level
• Expanding profit margins
• Positive net profit throughout the plan

Expectations for an established risk assessment company will of course be different than for a startup. Existing businesses which have reached their cruising altitude might have slower growth and higher margins than ventures just being started.

The forecasted balance sheet of your risk assessment company

The projected balance sheet of your risk assessment company will enable the reader of your business plan to assess the overall financial health of your business.

It shows three elements: assets, liabilities and equity:

• Assets: are productive resources owned by the business, such as equipment, cash, and accounts receivable (money owed by clients).
• Liabilities: are debts owed to creditors, lenders, and other entities, such as accounts payable (money owed to suppliers).
• Equity: includes the sums invested by the shareholders or business owners and the profits and losses accumulated by the business to date (which are called retained earnings). It is a proxy for the value of the owner's stake in the business.

Analysing your risk assessment company projected balance sheet provides an understanding of your risk assessment company's working capital structure, investment and financing policies.

In particular, the readers of your plan can compare the level of financial debt on the balance sheet to the equity value to measure the level of financial risk (equity doesn't need to be reimbursed, while financial debt must be repaid, making it riskier).

They can also use your balance sheet to assess your risk assessment company's liquidity and solvency:

• A liquidity analysis: focuses on whether or not your business has sufficient cash and short-term assets to cover its liabilities due in the next 12 months.
• A solvency analysis: takes and longer view to assess whether or not your business has the capacity to repay its debts over the medium-term.

The cash flow forecast

As we've seen earlier in this guide, monitoring future cash flows is the key to success and the only way of ensuring that your risk assessment company has enough cash to operate.

As you can expect showing future cash flows is the main role of the cash flow forecast in your risk assessment company business plan.

It is best practice to organise the cash flow statement by nature in order to show the cash impact of the following areas:

• Cash flow generated from operations: the operating cash flow shows how much cash is generated or consumed by the business's commercial activities
• Cash flow from investing activities: the investing cash flow shows how much cash is being invested in capital expenditure (equipment, real estate, etc.) either to maintain the business's equipment or to expand its capabilities
• Cash flow from financing activities: the financing cash flow shows how much cash is raised or distributed to financiers

Looking at the cash flow forecast helps you to make sure that your business has enough cash to keep running, and can help you anticipate potential cash shortfalls.

Your risk assessment company business plan will normally include both yearly and monthly cash flow forecasts so that the readers can view the impact of seasonality on your business cash position and generation.

The initial financing plan

The initial financing plan, also known as a sources and uses table, is a valuable resource to have in your business plan when starting your risk assessment company as it reveals the origins of the money needed to establish the business (sources) and how it will be allocated (uses).

Having this table helps show what costs are involved in setting up your risk assessment company, how risks are shared between founders, investors and lenders, and what the starting cash position will be. This cash position needs to be sufficient to sustain operations until the business reaches a break-even point.

Now that you have a clear understanding of what goes into the financial forecast of your risk assessment company business plan, let's shift our focus to the written part of the plan.

The written part of a risk assessment company business plan

The written part of a risk assessment company business plan plays a key role: it lays out the plan of action you intend to execute to seize the commercial opportunity you've identified on the market and provides the context needed for the reader to decide if they believe your plan to be achievable and your financial forecast to be realistic.

The written part of a risk assessment company business plan is composed of 7 main sections:

• The executive summary
• The presentation of the company
• The products and services
• The market analysis
• The strategy
• The operations
• The financial plan

Let's go through the content of each section in more detail!

1. The executive summary

The executive summary, the first section of your risk assessment company's business plan, serves as an inviting snapshot of your entire plan, leaving readers eager to know more about your business.

To compose an effective executive summary, start with a concise introduction of your business, covering its name, concept, location, history, and unique aspects. Share insights about the services or products you intend to offer and your target customer base.

Subsequently, provide an overview of your risk assessment company's addressable market, highlighting current trends and potential growth opportunities.

Then, present a summary of critical financial figures, such as projected revenues, profits, and cash flows.

You should then include a summary of your key financial figures such as projected revenues, profits, and cash flows.

Lastly, address any funding needs in the "ask" section of your executive summary.

2. The presentation of the company

In your risk assessment company business plan, the second section should focus on the structure and ownership, location, and management team of your company.

In the structure and ownership part, you'll provide an overview of the business's legal structure, details about the owners, and their respective investments and ownership shares. This clarity is crucial, especially if you're seeking financing, as it helps the reader understand which legal entity will receive the funds and who controls the business.

Moving on to the location part, you'll offer an overview of the company's premises and their surroundings. Explain why this particular location is of interest, highlighting factors like catchment area, accessibility, and nearby amenities.

When describing the location of your risk assessment company to a third party financier, you could emphasize the potential it has to serve a wide range of customers. You might point out that the area is highly populated, making it possible for the company to reach a large number of potential clients. It could also be noted that the area has excellent transportation infrastructure, allowing for easy access to and from the company's location. Additionally, the area could be described as possessing a vibrant business climate, offering the potential for further growth and opportunities for collaboration with other businesses in the region.

Finally, you should introduce your management team. Describe each member's role, background, and experience.

Don't forget to emphasize any past successes achieved by the management team and how long they've been working together. Demonstrating their track record and teamwork will help potential lenders or investors gain confidence in their leadership and ability to execute the business plan.

3. The products and services section

The products and services section of your business plan should include a detailed description of the offerings that your company provides to its customers. 

For example, your risk assessment company might offer a comprehensive custom risk assessment service to identify and prioritize risks and vulnerabilities in a customer's business, a training program to help customers understand the basics of risk assessment and how to apply it to their business, and software to help customers track risks and monitor results. By offering these services, your risk assessment company can provide customers with the tools and information necessary to accurately assess their risk and make informed decisions.

When drafting this section, you should be precise about the categories of products or services you sell, the types of customers you are targeting and how customers can buy them.

4. The market analysis

When you present your market analysis in your risk assessment company business plan, it's crucial to include detailed information about customers' demographics and segmentation, target market, competition, barriers to entry, and any relevant regulations.

The main objective of this section is to help the reader understand the size and attractiveness of the market while demonstrating your solid understanding of the industry.

Begin with the demographics and segmentation subsection, providing an overview of the addressable market for your risk assessment company, the key trends in the marketplace, and introducing different customer segments along with their preferences in terms of purchasing habits and budgets.

Next, focus on your target market, zooming in on the specific customer segments your risk assessment company aims to serve and explaining how your products and services fulfil their distinct needs.

For example, your target market might include small business owners. These individuals need to ensure that their businesses are compliant with industry regulations and that they are protected against potential lawsuit risks. By offering a risk assessment service, you can help small business owners understand their risks and take proactive steps to reduce and manage them.

Then proceed to the competition subsection, where you introduce your main competitors and highlight what sets you apart from them.

Finally, conclude your market analysis with an overview of the key regulations applicable to your risk assessment company.

5. The strategy section

When crafting the strategy section of your business plan for your risk assessment company, it's important to cover several key aspects, including your competitive edge, pricing strategy, sales & marketing plan, milestones, and risks and mitigants.

In the competitive edge subsection, clearly explain what sets your company apart from competitors. This is particularly critical if you're a startup, as you'll be trying to establish your presence in the marketplace among entrenched players.

The pricing strategy subsection should demonstrate how you aim to maintain profitability while offering competitive prices to your customers.

For the sales & marketing plan, outline how you plan to reach and acquire new customers, as well as retain existing ones through loyalty programs or special offers.

In the milestones subsection, detail what your company has achieved thus far and outline your primary objectives for the coming years by including specific dates for expected progress. This ensures everyone involved has clear expectations.

Lastly, in the risks and mitigants subsection, list the main risks that could potentially impact the execution of your plan. Explain the measures you've taken to minimize these risks. This is vital for investors or lenders to feel confident in supporting your venture - try to proactively address any objection they might have.

Your risk assessment company could face financial risks, such as a decrease in revenue. This could be due to a decline in demand for your services, or an inability to secure investors and funding. Your risk assessment company could also face operational risks, such as the introduction of new technology or changes to regulatory requirements. This could lead to a need to update or upgrade existing systems, or to modify processes and procedures in order to remain compliant.

6. The operations section

The operations of your risk assessment company must be presented in detail in your business plan.

The first thing you should cover in this section is your staffing team, the main roles, and the overall recruitment plan to support the growth expected in your business plan. You should also outline the qualifications and experience necessary to fulfil each role, and how you intend to recruit (using job boards, referrals, or headhunters).

You should then state the operating hours of your risk assessment company - so that the reader can check the adequacy of your staffing levels - and any plans for varying opening times during peak season. Additionally, the plan should include details on how you will handle customer queries outside of normal operating hours.

The next part of this section should focus on the key assets and IP required to operate your business. If you depend on any licenses or trademarks, physical structures (equipment or property) or lease agreements, these should all go in there.

You could consider the company's digital and physical infrastructure as key assets. This may include their servers, databases, networks, and other IT systems that are essential for their operations. Additionally, they might have intellectual property, such as proprietary software and algorithms, that could be used to provide their services and protect their clients' data.

Finally, you should include a list of suppliers that you plan to work with and a breakdown of their services and main commercial terms (price, payment terms, contract duration, etc.). Investors are always keen to know if there is a particular reason why you have chosen to work with a specific supplier (higher-quality products or past relationships for example).

7. The presentation of the financial plan

The financial plan section is where we will include the financial forecast we talked about earlier in this guide.

Now that you have a clear idea of the content of a risk assessment company business plan, let's look at some of the tools you can use to create yours.

What tool should I use to write my risk assessment company's business plan?

There are two main ways of creating your risk assessment company business plan:

• Using specialized business planning software,
• Hiring a business plan writer.

Using an online business plan software for your risk assessment company's business plan

The modern and most efficient way to write a risk assessment company business plan is to use business plan software .

There are several advantages to using specialized software:

• You can easily create your financial forecast by letting the software take care of the financial calculations for you without errors
• You are guided through the writing process by detailed instructions and examples for each part of the plan
• You can access a library of dozens of complete business plan samples and templates for inspiration
• You get a professional business plan, formatted and ready to be sent to your bank or investors
• You can easily track your actual financial performance against your financial forecast
• You can create scenarios to stress test your forecast's main assumptions
• You can easily update your forecast as time goes by to maintain visibility on future cash flows
• You have a friendly support team on standby to assist you when you are stuck

If you're interested in using this type of solution, you can try The Business Plan Shop for free by signing up here .

Hiring a business plan writer to write your risk assessment company's business plan

Outsourcing your risk assessment company business plan to a business plan writer can also be a viable option.

Business plan writers are experienced in writing business plans and adept at creating financial forecasts without errors. Furthermore, hiring a consultant can save you time and allow you to focus on the day-to-day operations of your business.

However, hiring business plan writers is expensive as you are paying for the software used by the consultant, plus their time, and their profit margin of course.

From experience, you need to budget at least £1.5k ($2.0k) excluding tax for a complete business plan, more if you need to make changes after the initial version (which happens frequently after the initial meetings with lenders or investors).

You also need to be careful when seeking investment. Investors want their money to be used to grow the business, not spent on consulting fees. Therefore, the amount you spend on business plan writing services (and other consulting services such as legal services) needs to be negligible relative to the amount raised.

The other drawback is that you usually don't own the business plan itself: you just get the output, while the actual document is saved in the consultant's business plan software - which makes it difficult to maintain the document up to date without hiring the consultant on a retainer.

For these reasons, outsourcing the risk assessment company business plan to a business plan writer should be considered carefully, weighing both the advantages and disadvantages of hiring outside help.

Ultimately, it may be the right decision for some businesses, while others may find it beneficial to write their business plan using online software.

Why not create your risk assessment company's business plan using Word or Excel?

I must advise against using Microsoft Excel and Word (or their Google, Apple, or open-source equivalents) to write your risk assessment company business plan. Let me explain why.

Firstly, creating an accurate and error-free financial forecast on Excel (or any spreadsheet) is highly technical and requires a strong grasp of accounting principles and financial modelling skills. It is, therefore, unlikely that anyone will fully trust your numbers unless you have both a degree in finance and accounting and significant financial modelling experience, like us at The Business Plan Shop.

Secondly, relying on spreadsheets is inefficient. While it may have been the only option in the past, technology has advanced significantly, and software can now perform these tasks much faster and with greater accuracy. With the rise of AI, software can even help us detect mistakes in forecasts and analyze the numbers for better decision-making.

And with the rise of AI, software is also becoming smarter at helping us detect mistakes in our forecasts and helping us analyse the numbers to make better decisions.

Moreover, software makes it easier to compare actuals versus forecasts and maintain up-to-date forecasts to keep visibility on future cash flows, as we discussed earlier in this guide. This task is cumbersome when using spreadsheets.

Now, let's talk about the written part of your risk assessment company business plan. While it may be less error-prone, using software can bring tremendous gains in productivity. Word processors, for example, lack instructions and examples for each part of your business plan. They also won't automatically update your numbers when changes occur in your forecast, and they don't handle formatting for you.

Overall, while Word or Excel may seem viable for some entrepreneurs to create a business plan, it's by far becoming an antiquated way of doing things.

• Having an up-to-date business plan is key to maintaining visibility on your future cash flows.
• A business plan has 2 parts: a financial forecast highlighting the expected growth, profitability and cash generation of the business; and a written part which provides the context needed to interpret and assess the quality of the forecast.
• Using business plan software is the modern way of writing and maintaining business plans.

We hope that this guide helped you to better understand how to write the business plan for a risk assessment company. If you still have questions, do not hesitate to contact us.

Also on The Business Plan Shop

• How to write a 5 years business plan
• Business plan myths

Know someone who owns or wants to start a risk assessment company? Share this article with them!

Founder & CEO at The Business Plan Shop Ltd

Guillaume Le Brouster is a seasoned entrepreneur and financier.

Guillaume has been an entrepreneur for more than a decade and has first-hand experience of starting, running, and growing a successful business.

Prior to being a business owner, Guillaume worked in investment banking and private equity, where he spent most of his time creating complex financial forecasts, writing business plans, and analysing financial statements to make financing and investment decisions.

Guillaume holds a Master's Degree in Finance from ESCP Business School and a Bachelor of Science in Business & Management from Paris Dauphine University.

Create a convincing business plan

Assess the profitability of your business idea and create a persuasive business plan to pitch to investors

500,000+ entrepreneurs have already tried our solution - why not join them?

Not ready to try our on-line tool ? Learn more about our solution here

Need some inspiration for your business plan?

Subscribe to The Business Plan Shop and gain access to our business plan template library.

Need a professional business plan? Discover our solution

Write your business plan with ease!

It's easy to create a professional business plan with The Business Plan Shop

Want to find out more before you try? Learn more about our solution here

• RiskyProject Professional
• RiskyProject Lite
• RiskyProject Enterprise
• Microsoft® Project
• Oracle® Primavera
• Engineering and Construction
• Software Development
• Small Business
• Non Profit Organizations
• Event Chain Methodology
• Articles and White Papers
• Presentations
• Project Risk Analysis and Project Risk Management Webinars
• Project Management Course
• Risk Management Course
• Online Project Management Training
• Project Management Consulting
• Frequently Asked Questions
• Support Form
• Validate RiskyProject License
• Partner Programs
• RiskyProject Resellers
• RiskyProject Consulting Partners

How to Identify Critical Risks

Home → Blog: Project Management and Project Risk Analysis → How to Identify Critical Risks

The goal of risk analysis is to identify critical risks: those risks that have the most potential to positively or negatively impact your project objectives. Identifying critical risks is a process of prioritization and this an output of qualitative or quantitative risk analysis. Risk prioritization facilitates project decisions, particularly with regards to risk mitigation and response planning. There are a number of tools which can help with risk prioritization, particularly the risk register and the risk matrix.

Why We Should Prioritize Risks

Let us assume that this summer you are planning a road trip from Boston to New York that will primarily travel along the I95. The weather forecast is promising, nothing spectacular, but good for travelling. Before embarking on your trip, you perform an-hoc risk assessment. Like a good project manager, you want to minimize the chance of delays and determine what you might require in case of an emergency. Here is an example of risks that you might encounter:

• You run out of gas and your trip could take a lot longer. This is could be especially concerning if you find yourself out of gas while on the I95 as this means that you will have increased probability of other risks occurring as you are stranded precariously on the side of the freeway. Mitigation plan: Start with a full tank of gas and, if you are extremely risk averse, you might choose to carry an extra gas caner or two.
• Your car breaks down. As with the above, this has the potential to seriously impact your schedule (as well as your budget). Mitigation plan: Perform all scheduled maintenance and perhaps ask your mechanic to inspect all major systems. However, even a well maintained vehicle can suffer a breakdown, so you may want to carry a few spare parts. For example, some light bulbs, spark plugs, a crankshaft, and an alternator, just in case.
• You get a flat tire. You already have a spare one, but you could get a second flat. Mitigation plan: Carry a second spare tire.
• In spite of the forecast, the weather is unpredictable and may turn for the worst. Mitigation plan: Pack some extra supplies, candles, warm blankets, rain gear, extra food and other items that will help you survive a couple days in case of a major hurricane and floods. Take a raft and life jacket.
• You could be robbed. Could it happen on your way to New York? Absolutely. Mitigation plan: Wear body armor and carry your stun gun, pepper spray, and horn with you. Just in case things get really ugly, you probably should have your machine gun and enough rounds of ammunition of survive a long siege – think the “Walking Dead”.
• The roads could be blocked. Think of what happened to the King of France, Henry the IV. Well travelling down a road, he found it blocked by several logs. When they stopped, an assassin jumped into the carriage and stabbed the king. Henry IV was not good in risk management, but you are. Mitigation plan: Take a chainsaw and, just in case, your mother-in-law can ride in the back as a body guard.
• You could get a speeding ticket. You could go the speed limit and eliminate the risk altogether, but your plan calls for a speed of 15% over the posted limit. It will get you to New York quicker, but close to a speed that will put you at risk for a ticket. Mitigation plan: You could buy some anti-radar devices, but better yet, you can install stealth technology and your car invisible to police radar.

You might be starting to see a problem here. If you try to avoid and/or mitigate all of the risks you have identified, this will result in two things. Your car will be so laden down with supplies it will be unable to move and the expense of all your mitigation efforts will mean that you won’t have any funds to enjoy the sites if you manage to get to New York. For example, though we haven’t checked, we believe stealth technology would take a considerable chunk out of your budget. The reality is that you must deal with constrained resources (budget, time, etc.) and it would be impossible to completely mitigate all of your risks. The solution is to prioritize your risks to determine which are the most important, so that given your limited resources you can minimize your risks in the most cost effective manner possible. Now, the question is, how do you determine what risks are the most important? This is where the risk register comes in as it is the key to prioritizing your risks.

Risk scores

We discussed risk registers when we talked about risk identification. Now, we can use the risk register as part of the risk analysis, including risk response planning, and risk monitoring and control. To prioritize risks, you need to assign each one a risk score. The risk score is calculated using a risk’s probability and impact.

Risk score = Risk Probability * Risk Impact

If a risk occurs, it will have varying impacts on different project objectives (such as duration, cost, and safety). For example, the risk “run out of gas” may have a significant impact on your trip duration, but very little on cost or safety. Therefore, the risk score should be calculated separately for each objective. If you calculate the all probabilities and impacts of a risk, you can calculate its overall risk score. Table 1 shows an example of the risk register with risk scores calculated based on overall probabilities and impacts. The bar on the right column is an easy way to present risk scores. To make the score easier to understand, you can multiply them by a certain value (e.g. 100). Please note that risks in the risk register are sorted based on risk score. As a result, Table 1 is a tornado diagram for risk scores.

Risk scores relatively simple and yet powerful indicator of the order in which we should prioritize our risk response planning activities. Done properly, it provides a realistic measure of the potential impact and it relative importance as compared to other project risks. There are many cases in projects where a risk’s impact is very significant but the probability of occurring are very small. Psychologically, people overestimate the “score” of risks very high because the impacts arouse emotions like fear and anxiety. The classic situation is the risk of a terrorist attack on an aircraft. Although the impact of the risk can be very significant, the probability is very small. The score of a risk “terrorist attack” is lower than many other risks related to the operation of aircraft, such as mechanical problems or a sleep deprived pilot. As a result, people often support greater expenditure towards the elimination of terrorist attacks as opposed to improving maintenance programs or monitoring sleep diaries of pilots. In our road trip example, though an armed robbery would have a significant impact on our project, the probability of it occurring is extremely low. Therefore, its overall risk score is lower compared to the other risks. If you have to make a choice between bringing extra rain gear or wearing body armor, rain gear should be your priority. In this way we can see how accurate risk scores are the key to prioritizing your risks and making the best use of your limited resources.

How To Calculate Critical Risks Within Your Organization

• October 29, 2020
• No Comments

In a world where it seems that all types of events and incidents are daily occurrences, the idea of managing risk is one that all of us are familiar with.  That said, different people have different ideas as to what it means to “manage risk”.

Some see the practice of managing risk as merely purchasing insurance to lessen the financial impact of a loss. Others look to identify risks within a given operation and bring awareness to leadership. Then, there are those who have a robust program in place that looks at categorizing risk, controls, ownership, along with having robust practices to identify, measure and mitigate those risks that exist within the operational environment. 

The first two categories—simply purchasing insurance or identifying and assigning ownerships to risk components—is not enough. 

It is crucial in this day and age that we identify, understand and thoroughly prepare our organizations and stakeholder groups to deal with Critical Risks. 

Critical risks are not Black Swans , they are more like Grey Rhinos that are highly probable, highly impactful, and most times we neglect to properly identify and plan for them accordingly.

“Gray rhinos are not random surprises, but occur after a series of warnings and visible evidence.” – Michelle Wucker.

So, if critical risk falls into the category of a Gray Rhino, the question becomes What is Critical Risk Management? Is this the new hot thing to replace Operational Risk Management or Enterprise Risk Management? Let’s explore and find out.

Defining Critical Risk Management (CRM)

Critical Risk Management is the practice of managing risk for events that can cause grave damage to an organization and result in serious outcomes such as fatalities, wide-spread outages, etc.  These events are the “Show Stoppers” within your organization, which if they come to reality, there is high potential of the organization not surviving the incidents. 

Critical Risk Management is not meant to replace other programs that manage risk within your organization. It is an additional component to a robust Enterprise Risk Management (ERM) program to ensure these Show Stoppers are understood and that proper defenses are utilized to ensure that the organization understands the conditions that must be in place prior to interacting with the risk(s).

Traditional Viewpoints vs. New Viewpoints

Traditional definition of risk:.

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. – Business Dictionary

Traditional way to calculate risk:

Impact x Likelihood = Inherent Risk

Inherent Risk – Controls = Residual Risk

The traditional way is a good starting point and is an accurate way to measure financial risk.  However, for Critical Risk, this method makes it difficult to truly understand the variables, conditions, and capacity that the organization must have to successfully interact with the risk. 

For example, think of assessing risk for driving to Disney World on a family vacation.  We think of traffic patterns, the driver and the road conditions. Truly understanding variables, conditions, and capacity means that we would also evaluate weather, tire tread, mechanical state and safety features of the vehicle, and finally, we would also want to understand response time and availability of roadside assistance, ambulances, and medical facilities along way. This way, the entire ecosystem, variables and conditions are accounted for, giving you the most comprehensive understanding of the risk and its possible impacts.

New definition of risk:

The degree to which the Organization and/or the Operational Actor faces operational uncertainty. — Erick Anez

New definition of risk management:

The identification and management of the Organization’s Capacity in order to ensure proper interactions with risk(s) while operating in complex and adaptive environments. — Erick Anez

New way to calculate risk:

Asset/System + Hazard/Threat + Human Component + Likelihood = Inherent Risk

Inherent Risk (+ / -) Pathway(s) (+ / -) Controls = Residual Risk

Let’s make all of this real with an example.

Let’s put this to work with a high-level example of a Critical Risk Assessment for Airline Accidents. Airline X is looking to assess the risk of an airline accident.  Here are some facts about Airline X:

• Fleet of 200 Aircrafts (5 Different Types to include: Boeing 747, 737-88, MD 80, MD 88, MD 90)
• Crew of 2,500 Pilots
• Average of 1,250 flights per day
• Operates out of 10 U.S. Airports

Do we have enough information to assess the risk of an airline accident?  Under the traditional way to measure risk, we would run the following assessment:

Inherent Risk: Medium-Low

• Impact is high due to the likelihood of a large number of fatalities and the reputational damage stemming from the airline may be severe enough to cause operations to seize.
• According to the NTSB, Bureau of Transportation Statistics, there were 140 plane accidents during 2012-2016 and only 1.4% of those (2 accidents) resulted in fatalities.
• Scheduled and Routine Maintenance
• Checklists, Procedures, Safety Training (Crew)
• Airport Controls; Bird Strike Prevention
• Weather monitoring/reporting
• Runway monitoring software
• Evasive maneuvers
• Emergency Landing Techniques
• Reinforced windshields on aircraft

Residual Risk: Low

Asset: Boeing 747

• Age of Aircraft
• Mechanical History
• Aircraft type recalls, mechanical issues, previous incidents
• Maintenance History

System: Integrated Avionics

• Operating system known issues
• Operating system performance – Historical Performance
• Recalls, bugs, industry performance/issues

Hazards/Threats:

• Mechanical Failure
• Weather (Wind, Thunderstorms, etc.)
• Lightning Strike
• Electrical Fire
• Maintenance Negligence
• Aircraft Design & Manufacturing Defects
• Airline Corporate Negligence
• Air Traffic Control Negligence
• Runway Issues
• Object/Animal Strike
• Collision with Other Aircraft
• Pilot/Crew Member Intentional Crash

Human Component:

• Experience and Reliability of Pilots
• Experience and Reliability of Maintenance Crews
• Experience and Reliability of Airport Operations & Air Traffic Operations
• Ground Crew

Inherent Risk: Utilize a Risk Level Scale like the below. Feel free to modify levels to match your program.

Pathways: What are the ways that the organization interacts with the risk(s)?

• Maintenance Visits/Cycles
• Flights – Entire Cycle from boarding through landing at arriving destination

Controls (in addition to those mentioned under traditional view):

• Pilot Training, Health & Background Checks
• TSA Security Controls
• Safety Controls of Operating System
• Safety Controls of Air Traffic Control systems
• Fleet Maintenance Scheduled (Verified to match best practices & FAA requirements)
• Aircraft Safety Components

Residual Risk: Inherent Risk (+/-) Total of Pathways & Controls.  Each pathway and control would have to be assessed and scored, remembering that more information is also necessary.

Utilize a Risk Level Scale like the below. Feel free to modify levels to match your program.

Bear in mind that an assessment similar to the above would have to be performed for each type of aircraft in order to identify differences in the Assets and Controls. 

These assessments will show Airline X the true measurement of risk per aircraft type. These can be aggregated to create an overall assessment of the risk.

Why this new way of calculating Critical Risk is so essential for your Crisis Readiness

Knowing the whole picture of your operating environment and all of its components will better place your organization to ensure safe and reliable performance in the complex and adaptive environments in which we operate today. 

Sadly, if you take the time to research the reasons behind most airline accidents (55%) are classified to be “Human Error”.  It is worth noting that no person, system, and/or organization is perfect.  If we design systems that are counting on the Operational Actor (Human Component) to be “Perfect”, this is in fact a flawed system.

Systems must be robust enough to ensure safe and compliant usage, but nimble enough to ebb and flow with the types and severity of hazards and threats.  By labeling 55% of these incidents as Human Error, we fail to learn where we can increase defenses in order for these events to not repeat themselves.  We can either blame the operator or we can learn from the event; we cannot do both.

Choosing to learn from the event, adapt and evolve is the Crisis Ready® way.

Crisis Ready® organizations hold themselves accountable and as such, choose to learn from events that lead to both successes and failures.  Which type of organization are you today? What type of organization do you aspire to be tomorrow?

It is our responsibility as Crisis Management professionals to “Hold up the Mirror” to our organizational leaders and ask if they like the organization’s reflection. It is by taking this approach that we can get from point A to point B and ensure readiness, preparedness, accountability, and true resilience.

Subscribe to the Crisis Ready® Blog

Email address:

Sector Please select from dropdown Academic (professor) Academic (student) Consultant / Advisor Professional (private sector) Professional (public sector)

Recent Posts

• How To Improve Your Crisis Communication Strategy By Understanding Near And Far Enemies April 4, 2024
• How to Apply Emotional Awareness to Powerfully Enhance Crisis Communication February 19, 2024
• Could We Train AI with Emotional Intelligence to Predict a Crisis?  February 4, 2024
• How Ego Hinders Effective Crisis Response July 26, 2023
• What the Dylan Mulvaney Bud Light can controversy should teach us June 26, 2023

Blog Categories

• AI and Crisis Ready
• Case Studies
• Coronavirus (COVID-19)
• Crisis Communication
• Crisis Ready
• Crisis Ready Culture
• Crisis Ready Flowcharts
• Crisis Ready Formulas
• Crisis Ready Hindrances
• Crisis Ready Resources
• Crisis Ready Strategies
• Critical Thought
• Current Affairs
• Exercises and Simulations
• Leadership Development
• Post-Crisis Review
• Risk Management
• Thought Leadership

Upcoming Crisis Ready Course:

Developing your crisis communication program.

Join us, September 21st and 23rd, to take your crisis communication skills to the next level.

Take the first step towards your Crisis Ready® Certification

Course: mastering the art of crisis communication and leadership, our next cohort kicks off soon, the crisis ready ® coaching program.

Erick Anez is the Global Head of Business Resilience at Finastra. Erick is a proven leader with well over a decade of experience leading change and transformation in the Operational Resilience field.

His hands-on approach focuses on operational learning, culture, and reputational management. Erick holds a Bachelor of Emergency & Homeland Security, Graduate studies in Security and Disaster Management, is a Certified Business Continuity Professional (CBCP), Certified Risk Management Professional (CRMP), graduate of the FEMA institute in Incident Management and Command, and is a respected member of Public-Private partnerships within the Department of Homeland Security (DHS), Federal Bureau of Investigations (FBI) and  the Federal Emergency Management Agency (FEMA).

Some of his most notable achievements in the field include leading the private sector response to Hurricane Maria as well as working with the Department of Homeland Security (DHS) in Continuity of Operations (CCOP) projects for mission-critical facilities in the United States. Erick has also trained with the Center for Disease Control (CDC) in Infectious Disease Planning and community response, including Point of Dispensing initiatives.

From 2016 to 2019, Erick held several roles at Crowley and, most recently, was the company’s Managing Director of Safety & Resilience. During this time, he was responsible for resilience operations supporting all business segments as well as leading the organization’s safety culture improvement journey. At Crowley, he led the Occupational Health & Safety, Business Continuity, and Crisis Management teams.

Before joining Crowley, Erick held similar roles at Southwest Gas and Third Federal Savings & Loan.

• Filed under: Crisis Ready , Crisis Ready Culture , Post-Crisis Review , Risk Management

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Subscribe to the blog!

Newsletter Signup

Stay informed and at the cutting edge of your crisis readiness. Subscribe to the Crisis Ready Institute to gain from experts, be the first to receive new resources, and receive exclusive offers and materials.

Brian Kinch

Brian is an internationally recognised risk professional. He has over 35 years of experience, predominately discharging roles in domestic and international financial services businesses, including senior roles with HSBC, Visa International and Lloyds Banking Group. He has additional consulting expertise in areas such as insurance, telecommunications, the public sector and across industries in a risk, authentication, data protection, cyber, continuity and resilience context. Furthermore, he has held senior positions with the decision management and analytic giant FICO (Fair Isaac) where he was the principal risk practitioner, and both led their global fraud consulting and was a leading contributor to their enterprise risk roadmap.

Brian is an innovator and thought leader and has co-authored potential patents in the first party fraud and payment tokenisation space. He was a founder of the Mobile Identity Authentication Standard (MIDAS) Alliance, a collaboration of Information Security professionals, which was responsible for the creation of the Publicly Available Specification (PAS 499) for digital authentication by the British Standards Institution, a seminal piece of work in preparation for the implications of the European Payment Services Directive 2.

He is also a leading figure for both the Business Continuity Institute where he founded what has become two of the UK Chapters, and where he remains on the management committee, and the Institute of Strategic Risk Management where he has roles on the Global Advisory Council and as Chair of the Oversight Committee.

Brian co-founded with his brother, almost a decade ago, his own firm, Knight360 Limited, where he acts as a dedicated security advisor and risk practitioner, enjoying helping clients embrace and overcome their greatest business challenges. The company specialises in areas of business development and regulatory compliance activity and offers a raft of business consulting and partner solution services including with and through GDS Link, a client of Knight360’s which Brian has gone on to serve as Managing Director in their Global Fraud Solutions area, and where he has been independently recognised as Managing Director of the Year 2022.

Currently Brian is also retained on an equity basis as Chief Advisor to KM2 Ethical Finance Ltd, a firm where he was the founding Chief Executive Officer and was independently awarded as one of the CEOs of the Year in 2021. The KM2 business is vested in assuring the robust identification and considered remediation of misappropriated losses which sit at the nexus of bad-debt and fraud.

Throughout his career Brian has proven equally adept at working alone, leading a small team, or overseeing multi-geography operations involving well over 1,000 people.

Maxine Herr

Maxine Herr has served as Public Information Officer for Morton County in North Dakota since 2017. She started her career as a TV news reporter and anchor for the CBS affiliate in Bismarck, ND before moving to Phoenix, AZ where she worked in marketing roles for a media company and a national engineering firm. After returning to North Dakota in 2009, she did freelance writing and public relations consulting. Maxine joined the North Dakota Emergency Management Support Team in 2016 and has helped lead communication efforts for a 234-day pipeline protest, regional flooding, and the state’s COVID-19 response. Maxine’s favorite thing about her 25-year career is finding ways to communicate effectively with creativity. Maxine is married and any gray hairs can be attributed to raising her three teenagers.

Master Sgt. US Army (retired)

Rob Keller was retired from the U.S. Army when he received a call from the ND Department of Emergency Services (NDDES) to return to full time Public Information Officer status to work a “small protest happening in southern Morton County” that would probably fizzle out in 2-3 months.” Nine months later he returned to retirement status. During the Dakota Access Pipeline (DAPL) protest, Rob was the lead Public Information Officer for the Morton County Sheriff Department and the ND Department of Emergency Services Joint Information Center. Rob and his team of over 15 PIOs worked over 500 media engagements during the 234-day protest that garnished the attention of the world.

“This was the most challenging and rewarding position that I have ever been involved in my entire career. I felt that I was the “right person in the right place at the right time for the right reasons.”

Rob’s previous career positions had in effect prepared him for his last public affairs mission.

He received a Bachelor of Science degree in Television Journalism, was a TV news reporter, TV anchor, a community relations officer for a police department, a television producer, marketing and advertising for the U.S. Army, worked multiple FEMA disasters in North Dakota to include floods, wildfires, snow storms and a Canadian Pacific railroad anhydrous ammonia spill. Not to mention during his 26-year Army career, he was deployed on two public affairs missions to Iraq, five PIO missions to Ghana, Africa and working with twelve Killed In Action (KIA) soldiers and their families.

He was the Deputy PIO for the ND COVID-19 response and formed a 50-persom Joint Information Center staff within two weeks.

He has been a FEMA Crisis Communication trainer for over 10 years having trained over 600 PIO practitioners.

Far from retiring, Rob and his colleague co-founded the ND Public Information Officer (NDPIO) Association this past year (2021). The 501c3 is a nonprofit statewide organization made up of professional communicators who work in local, state, tribal, federal, or other public safety venues. This organization is dedicated to the principles of open government.

Rob has left Morton County and back to semi-retirement but is training Public Information Officers from multiple agencies who may have a need for crisis communication and for their agency to be “Crises Ready”. He is married with a very understanding wife, a son who is following in his footsteps as a career military man and a daughter who is a “stay at home” mom. He has five grandchildren that now take up his entire time. He is also an “adventure motorcycle rider” who has traveled on journeys across Canada to the Arctic Ocean, South American and everything in between.

Mike Todd is the founder and CEO of Near-Life. He has experience in media and technology. Beginning his career in digital content, he has also worked in film and television: creating internationally acclaimed feature documentaries for the likes of BBC, ESPN and PBS.

Digital Training Solutions (now trading as Near-Life) was established in 2016 around an NGO learning project (Mission Ready), funded through the United States Aid department and the UK equivalent. The project garnered international recognition and its success prompted an invitation for Mike to speak at the UN World Humanitarian Summit, as well as to the UN in New York.

A related project, developed with the Norwegian Refugee Council, was recognised for 'Excellence in Learning Design' at the Learning and Technology Awards - Europe's top EdTech awards. He has extensive experience in dealing with the resilience and responder communities. He most recently led the delivery of a major immersive learning / Tech project with the World Health Organization’s Emergency Medical Teams programme.

About the Inaugural Membership Feedback

As we get this membership off the ground, we’re looking to our 2022 inaugural members to be a part of helping us strengthen and tailor this program to meet your needs.

This will involve regular communication with the Crisis Ready Team to provide feedback, share requests for additional ways to support you and your business, etc.

About the Crisis Ready Courses

Each Crisis Ready Course is designed to help you strengthen your Crisis Ready® Expertise. Course subjects will include crisis communication, establishing governance, crisis leadership, storytelling for crisis comms, DEI integration, and more.

Each course is complete with:

• Anywhere from 4-15 hours of virtual learning that you can do at your own pace
• Knowledge tests
• Worksheets and resources to help you bring these valuable learnings and use them within your client work (applicable solely to those who have the license through this membership)
• A Certificate Of Completion upon successful completion of each course

Crisis Ready: Building an Invincible Brand in an Uncertain World (Bulk Purchase)

Opportunity for individualized coaching and support.

• Sometimes feel as though you’re in over your head with your clients’ issue and crisis management needs
• Could use support and coaching to help you prepare for and have business development discussions with prospective clients
• Wish you had more behind-the-scenes support as you serve and support your clients
• Would benefit from personalized coaching and support as you take your Crisis Ready skills and services to the next level...

... then you will benefit from Crisis Ready Institute's 1:1 coaching and support. This opportunity is retainer-based and is offered exclusively to our consultant and small agency members.

This offering provides personalized coaching and support in:

• Managing client issues and crises as they arise. We support you as you support your clients so that you can feel confident in the recommendations and advice you provide.
• Integrating the Crisis Ready Model into your business and client work.
• Helping you strategize business development conversations and close more deals.
• Gaining buy-in from existing clients. We can be your frontward-facing partner or remain behind-the-scenes, whatever the situation calls for.

Two Packages Available:

Monthly retainer* Hours of support per month

$2,500 USD Up to 5

$5,000 USD Up to 10

* This is in addition to the annual membership fee.

Danny Langloss

Danny Langloss is a dynamic leadership motivational speaker specializing in creating leadership cultures, employee engagement, ownership, belonging, change leadership, and crisis leadership.

Danny’s leadership has been tested by the most difficult situations. Global pandemics, leading the City of Dixon back from the $54 million Rita Crundwell theft, homicide investigations, hostage situations, school shooter incidents, major legislative reform, and creating high performing cultures across very difficult professions are just some of the leadership challenges Danny and his teams have overcome in their pursuit of excellence. Danny has applied these skills to create great teams across many different leadership roles, including city manager, police chief, state task force chairman, legislative initiatives, not-for-profits, and private organizations.

Paul Damaren

Paul Damaren has worked as a Senior Executive in the Certification space for 17 years and has over 35 years’ experience in the hospitality, service and retail agri-food sectors. Damaren is skilled in sales, marketing, certification, operations and software applications. He possesses an MBA from McGill University.

Mr. Damaren is experienced managing full P&L and $100M in global sales. Across his career he has built a reputation as a professional undeterred by obstacles and committed to success. He is skilled in cultivating top performing teams that always exceed organizational objectives and is able to lead organizations out of challenges through improvement initiatives and change management. He is an expert in relationship building strategies to ensure metrics are always met or surpassed and is a technologically savvy professional that thrives with constantly evolving environments and guides growth with clear visions.

Damaren has worked with countless clients for their food safety, supply chain, health & wellness, brand protection, quality, environmental, health & safety, GMP, automotive, aerospace, medical and information technology requirements.

Damaren is a board member of the OFPA, Ontario Food Protection Association and has assumed the position of Treasurer for 2022. He is a current Advisory Council Member with The George Washington University, School of Business for their Digital Marketing Certificate Program. Mr. Damaren is also a Partner and CCO of StepUp Learning Company Inc., a consulting and advisory business. Further, Damaren also maintains an Executive Partner position with ReposiTrak, a global software company that provides an integrated platform for optimizing sales, sourcing & safety in the food supply chain.

Before working in the Certification industry, Damaren was a professional Chef/consultant for 20+ years working in major hotel chains, restaurants, private golf courses and food service organizations such as Aramark. Further, Damaren was a member of the National Canadian Federation of Chefs and Cooks (C.F.C.C.) for 14 years, member of the Region of Waterloo Culinary Association (R.W.C.A.) for 14 years, President of R.W.C.A. (Region of Waterloo Culinary Association) for 3 years, special Events chairman - R.W.C.A. – 1998 – 2000 and National Culinary Ambassador to Russia for 5 years.

Tarisa Shelton

Tarisa Shelton was born and raised in Arizona. She graduated with a Bachelors's in design studies and management from Arizona State University in 2015. After graduation, she traveled to multiple countries to try and learn from different cultures and perspectives. With being excited by what the world had to offer, she taught English in South Korea to elementary students for a little over a year.

After traveling and teaching in Korea, she worked as a production manager at an animation studio in DC. During that time, she committed herself to learning as much about finances as humanly possible. Through that journey, she found infinite banking, in 2018. Since then, she's been helping clients, family, friends implement this process to fundamentally set a financial foundation that is unshakable and sets them up for success not only today but for generations to come.

Emmie Saavedra

Emmie Saavedra is the President and Co-Founder of The Champions Institute, where she leads teams of expert coaches, trainers and consultants on Sales, Communication and Extreme Leadership. With more than 30 years in the medical and dental industries, and over a decade in entrepreneurship, her strengths lie in building deep relationships, elevating personal and team performance, and empowering strong leadership. She is an award-winning Certified Trainer and Coach with Codebreaker Technologies and masterfully trains the B.A.N.K. Methodology to teams and entrepreneurs to produce astronomical results, top revenues, and trusting relationships. Emmie is committed to empowering others to achieve phenomenal success both in life and in business because she believes that both are tightly integrated and hold the KEY to living a fulfilling and joyful life.

Cathy Compton, HALL OF FAME CHAMPIONSHIP COACH

Cathy Compton truly is a coach of Champions. For over 20 years, Cathy has been coaching championship teams and building empowering leaders. With an extensive background in coaching world class athletes, Cathy has worked with, coached, and consulted top level CEO’s, corporate executives, Olympic Athletes, business owners, Major League Baseball players, and other elite professionals who are committed to peak performance. Cathy ranks as one of the most successful college coaches in NCAA Softball history and is a member of two college Halls of Fame. Her expertise is building winning teams, developing empowered leaders, and training top performers how to better communicate and collaborate for optimal results.

Career Highlights Include:

• Overall Coaching record 410-130 ranking her as one of the top winningest coaches in NCAA history
• 15 winning seasons over 15 years as a Head College Coach
• Built the LSU softball program achieving a top 10 national ranking in her first two years leading the program
• Coached professional Women’s Softball (Durham Dragons) Durham S.C.
• Has coached All-Americans, Olympic athletes, and professional athletes across multiple sports
• Member of 2 College Softball Halls of Fame
• Built and managed Corporate wellness programs for America Online, Motorola, 3 Com, EMC, Netscape and Netpark
• Co-founder of Youphoria, A Wellness based, weight loss company
• Performance Coach for CEO’s, Olympic athletes, business owners, and Major League Baseball players
• Author of “Empowered Women” an Amazon Best-Seller

Certification/Awards:

• Body Code & Emotion Code Certified Trainer
• Extreme Leadership Coach/Trainer (Steve Farber)
• Bankcode Technologies Coach and Certified Trainer
• BANK Blueprint ICON award - Codebreaker Technologies

Pragya Dubey

Pragya Dubey is Vice President, Global Services & Media Analytics at Agility PR Solutions. Pragya has over 20 years of industry experience in consulting and executing public relations, communications, and media measurement programs. She has worked with a range of clients representing Fortune 500 companies, federal, provincial, and municipal government divisions, and small to medium sized businesses. The key focus of her work has been in tracking companies’ communication activities to measure, and correlate and connect how these activities are impacting business objectives. Pragya’s approach includes educating, consulting, problem solving for clients, and creating solutions that are objective-based programs with defined success metrics.

Pragya has taught at the Ottawa-based Algonquin College’s public relations program and given guest lecture at Carleton University. She was the speaker at the Public Relations Society of America's (PRSA) 2020 annual conference on the topic of measurement. She actively conducts measurement-related webinars for Agility PR Solutions and other PR forums.

Liam Kelly has worked in the field of church communications in the Catholic Church for more than forty years, including time in the Vatican and in London at the Bishops’ Conference of England and Wales. Since 2002 he has been working in the Abbot’s office at Ampleforth Abbey.

Before you go to checkout...

Click below...

• Add to cart

Crisis Ready Governance Audit (Have experts review and provide feedback on your Crisis Ready Governance Structure)

1:1 Consultation (45-minute one-on-one consultation time with a member of the Crisis Ready Team, after the live event)

Have experts review your crisis comms program prior to the course

1:1 Consultation time with a member of the Crisis Ready Team, post the course (per hour)

Shawna Bruce

Shawna Bruce is a seasoned strategic communicator and trainer with 30 years of crisis communications, public information and public affairs experience and a passion for public safety.

After serving in the Canadian Forces as a Public Affairs Officer (27 years) and working in the petrochemical industry at Dow Canada as their national Public Affairs Manager (8 years), Shawna began putting her focus into crisis communication, community preparedness, public information and emergency management training when she began her own consulting business: M.D. Bruce and Associates Ltd in 2019.

Shawna considers herself "a life-long learner" and is a leader who specializes in developing teams and sharing her knowledge and experience on the critical role of public information in emergency management with an emphasis on how communications support operational objectives.

A self-identified "Master of Disaster" (RRU MA DEM) Shawna's goal is to support emergency managers and DEMs identify opportunities to communicate throughout all phases of an emergency management program, and works to prepare communications teams to respond in an emergency setting.

Currently, Shawna is also a part-time instructor for NAIT’s Disaster and Emergency Management program (Disaster and Crisis Communications), supports co-instructing the Public Information Officer course as part of NAIT's Centre of Applied Disaster and Emergency Management IMT Academy, develops curriculum for delivery in post-secondary school and Continuing Education programs and is the Public Member on the Board of Directors at NR CAER - a mutual aid emergency response organization in Alberta's Industrial Heartland.

An engaging speaker and trainer, Shawna delivers workshops for risk and crisis communications, emergency public information, how to use public notification systems effectively, on-camera media awareness training, and spokesperson training for industry, municipalities, organizations, first responders and anyone who is looking to build the skill sets of their teams to respond to fill the need of crisis communications and public information.

🍎 School district communicator @ Stoughton Area School District.

🏙 Belmont University grad.

Melanie Litten

Media • Social Media • Public Relations • Nonprofit Director

Mark Hobden

Currently employed as the Director of Operations Support with Bidvest Noonan.

Having worked on several high profile contracts at Management level, I am a results driven and self-motivated professional. A wealth of practical security experience within the security industry and HM Forces. Well developed presentation and communication skills at all levels. Proven planning, organisational and administrative abilities.

Lorelei Russell

Employee Services provides Compensation, Benefits and Wellness services to over 8000 employees represented by 14 Collective Agreements and professional associations.

Jan Walther

I bring the most value when I'm given a "blank sheet" opportunity to develop solutions for complex, multifaceted, consumer-focused challenges. I am most passionate about identifying or creating opportunities to increase engagement, visibility, and revenue.

Understanding and advocating for memorable consumer experiences is at the heart of what I bring to any opportunity. While providing leadership and strategic vision is what I do best, focusing on what is relevant and important to target consumers is essential.

I am passionate about building brands that drive consumer insistence and loyalty. My experience in developing brands ranges from the core of strategy building and story creation to tactical activation and data assessment to measure success.

Whether leading enterprise integrated marketing strategies, creating content, or developing relationships as a business partner, I am a visionary and results-oriented collaborator with extensive experience in metrics-driven, brand-focused marketing and communications.

As an outstanding innovator, communicator, and relationship builder, my expertise in translating business objectives into strategies have proven to grow revenue and engagement especially in large organizations in which local market integration is essential.

My leadership style is based on a true coaching philosophy that encourages growth and trust for all team members. I am a highly-effective, hands-on team leader who enthusiastically influences and motivates teams to meet complex business challenges.

Angelica Montagano

I specialize in communications (corporate, internal and external), digital and content marketing, brand awareness and reputation and public relations. I’ve advised individuals and businesses (small and large) on what steps they need to take to reach their target audience.

If you need help with content marketing strategy (blog writing, podcasting, YouTube), strategic communications strategies (internal communications, crisis communications, corporate communications), public relations, lead generation or even team building and relationship management – then please feel free to reach out to me.

Amy McKenzie

Passionate communications professional with a diverse experience in public relations, social media, and leadership.

Patrick Campion

Founder of Preparedness Advisors LLC. I am an experienced emergency management and homeland security professional focused on providing innovative strategy and data analysis solutions, streamlined project management support, and straightforward consultation. Please visit the Preparedness Advisors website: www.preparednessadvisors.com for more information.

Elle Arlook

Elle Arlook serves as APCO’s Deputy Advisor on Equity & Justice and a senior associate director in the Corporate Communications practice. Elle has a depth of experience counseling clients through transformation rooted in efforts to advance equity, diversity, and inclusion. She has counseled clients through challenges that range from responding to external societal crises to racial discrimination lawsuits and boycotts. Her background includes experiences that sit at the intersection of DE&I and traditional corporate communications, stakeholder relationship development, non-profit strategic counsel, media relations and crisis management. Her clients have included one of the world's largest global health companies and household names such as Walgreens, Walmart, National Urban League, CarMax, and the University of North Carolina System's Racial Equity Taskforce.

David Meerman Scott

I was fired. Sacked. My ideas were a little too radical for my new bosses. So I started writing books, speaking at events and advising emerging companies. That was in 2002 and since then my books have sold over a million copies in 29 languages.

Many new forms of social media have burst onto the scene over the years, including blogs, podcasts, video, virtual communities, Twitter, Facebook, Foursquare, Instagram, and many many others. But what’s the same about all the new Web tools and techniques is that together they are the best way to communicate directly with your marketplace.

My latest Wall Street Journal bestselling book "Fanocracy: Turning Fans into Customers and Customers into Fans" released from Portfolio / Penguin Random House. I wrote Fanocracy with my 26 year old daughter Reiko. The book is about Fandom culture and how any business can grow by cultivating fans.

My 2007 book "The New Rules of Marketing & PR" opened people's eyes to the new realities of marketing and public relations on the Web. Six months on the BusinessWeek bestseller list and now in a 7th edition with 400,000 copies sold in more than 29 languages from Albanian to Vietnamese, "New Rules" is now a modern business classic.

My other international bestsellers include "Real-Time Marketing & PR" and "Marketing Lessons from the Grateful Dead" (written with HubSpot CEO Brian Halligan) and my most recent books are "The New Rules of Sales & Service", and "Marketing the Moon" (written with Richard Jurek and with a foreword from Gene Cernan, the last man on the moon and now being made into a film).

I'm Go-to-Market LP at Stage 2 Capital where I invest in and advise some of the most promising new businesses in the world. I'm a co-founder and Partner in Signature Tones, a sonic branding studio.

I serve as an advisor and investor in emerging companies that are transforming their industries by delivering disruptive products and services.

Pre-pandemic, I delivered keynote speeches at in-person conferences and company meetings all over the world. Now I focus on virtual events.

Katie Nelson

I am the Social Media + Public Relations Coordinator for the Mountain View Police Department in northern California. I specialize in social media management, speaking across the country on social media best practices, crisis communications and forming positive working relationships between law enforcement and the media.

Before joining MVPD, I worked as a public safety reporter for papers including the San Jose Mercury News, the East Bay Times and the San Francisco Chronicle. Published nationally, I was an award-winning journalist for my breaking news coverage of the Asiana Airlines crash at San Francisco International Airport and my investigative work on the state Department of Social Services led to major legislative reform to protect elderly residents in California.

Lisa Manyoky

With over 30 years of communication, branding, marketing and entrepreneurial expertise in my hip pocket, I understand people, interpersonal dynamics, motivation, expression, business—and words, especially words!

I can't resist the chance to help professionals figure out if what they're putting out there—whether you can see it, hear it, read it or feel it—is getting them where they want to go OR if where they are is where they should be. I look for that delicious sweet spot of what they WANT to do, ARE BUILT to do and ARE MEANT to do. Then, I determine if their “message” is working for them, fix it if it needs fixing, adjust the volume so their world can hear them, and make a plan that helps them keep on keepin’ on as they stretch toward their goals.

As a career entrepreneur, founder of Presence Intelligence™, and licensed, specialty-certified coach with a neuroscience focus (wow!), I blend an understanding of brainpower, behavior, aesthetics and communication with business smarts to help professionals...

• identify what makes them tick
• find their "fit"—personally and professionally
• strengthen and make good use of their natural assets
• develop their one-of-a-kind presence that’s true to who they really are
• refine communications to reflect who they are and draw in resources and people right for them
• improve perception and reception
• become excellent (or more excellent than they already are)
• shape lives in important ways
• get remembered for something great by those who matter to them.

I am a bit of a firecracker who champions self-mastery, integrity, personal best and kindness. I am the consummate wordsmith with an energetic style, a quick wit and an expansive mindset. I am direct but diplomatic, dynamic and funny. I also have a very big heart.

Lewis Werner

My mission is to cultivate proactively safer communities.

Proactive risk management makes people less stressed, more comfortable, happier, and more productive. Cultivating proactive security operations desrisks and accelerates human progress, raising quality of life for everyone.

I cultivate proactively safer communities by arming Security Professionals with the data they've been missing for decades. Operations, Finance, Marketing & Supply Chain have been building metrics and KPIs based on real-time process control, outcomes, and projections. Security, especially physical security, has been left with: "Monthly Incidents and Annual Budget".

If you HAVE data, you can measure it. If you MEASURE data, you can IMPROVE it. I started Quill Security to provide risk data for security professionals.

Quill Security is building the inevitable future of the security industry. When you embrace risk data, you will:

• Earn your seat at the table with answers instead of assurances.
• Communicate clearly with non-security stakeholders to achieve buy-in.
• Spend less time debating and more time taking PROACTIVE ACTION.
• Know your measure of success and unambiguously achieve it.

Nothing like Quill has ever existed before. Protect your community with the future of security.

Alliancé Babunga

Alliancé [pronounced “aliya-n-say”] comes with a background in politics, leadership and education which speaks to her passion for people and positive change. Through her experiences she has learned first-hand the importance of having a unique voice, the value of authentic communication, being relatable with one's audiences, establishing relationships and working collaboratively to get things done.

She has worked in multiple political campaigns; a highlight being the successful election of two city councilors, one Member of Parliament and one Prime Minister.

As a crisis communications enthusiast, she came to the realization that the traditional crisis preparedness plan does not meet the demands and needs of today—the Covid-19 pandemic and its aftermath demonstrated the extent of this truth. She sought for a more proactive approach that would empower leaders and organizations to readily take on the new evolving challenges. It is her curiosity that grounded her interest in pursuit of crisis communication and led her to the Crisis Ready® Institute.

In 2020 and 2021, Alliancé grew her career with the Crisis Ready® Institute as the Marketing and Community Manager. Her portfolio included building and strengthening the Institute’s brand reach, visibility and engagement, and fostering the growth of the Crisis Ready® Community .

Alliancé holds a Bachelor of Arts in International Relations from the University of British Columbia, studied Peace and Conflict Resolution Studies at Uppsala University in Sweden, and recently completed the Public Relations Certificate program at Simon Fraser University.

Alliancé serves as Events Manager in the British Columbia chapter of the International Association of Business Communicators (IABC), Regional VP Administration in the British Columbia chapter of the Canadian Black Chamber of Commerce (CBCC) as well as Public Policy Coordinator on a Partisan National Women’s Commission.

Lisa DuBrock

Lisa has 20+ years both in Management of fortune 100 firms and in the Management Consulting Business. She specializes in security both physical and logical. Lisa utilizes a myriad of methodologies based on her clients needs, including: ISO 27001, ISO 20000, ISO 9001, ISO 22301, ANSI/ASIS-SPC.1, ANSI/ASIS-PSC.1 and ISO 18788.

She has a CPA, a CBCP (Certified Business Continuity Professional), and an MBCI.

Lisa teaches at George Mason University in their PTAC and she sits on the ASIS Standards and Guidelines Commission developing ANSI accredited standards.

Prior to becoming a Managing Partner at Radian Compliance, LLC, Lisa spent a number of years at Discover Card, where she held positions such as National Director Cardmember Service, National Director Business Continuity, Bank Operations and Regulatory Compliance and she assisted on the launch of their credit card in the UK market.

Her goals are to grow her own firm, Radian Compliance, LLC, over the next 5 years.

Sign up to demo this course!

We're excited to be sharing Sustained Resilience: Building Tomorrow's Leaders with you. Fill in the form below to gain access to demo this course. Once you fill in this form, we'll send you an email with further instructions.

Thank you for the honor of considering this important course for your curriculum. We look forward to sharing in the experience with you!

• Winter 2021
• Summer 2021
• By checking this box, (a) I represent I am a faculty member at my academic or educational institution, and (b) I agree that I am subject to and shall comply with the Terms of Service and any other rules, requirements, and/or other policies regarding this program.

Melissa Agnes

Founder and ceo, crisis ready institute.

• Recognized globally as an expert, thought-leader and visionary in the field of crisis management.
• Has worked with global players, including NATO, the Pentagon (DoD), Ministries of Foreign Affairs and Defense, financial firms, technology companies, healthcare organizations, cities and municipalities, law enforcement agencies, aviation organizations, global non-profits, etc.
• Author of Crisis Ready: Building an Invincible Brand in an Uncertain World—ranked amongst the leading crisis management books of all time and named as one of the top ten business books of 2018 by Forbes.
• Creator of the Crisis Ready ® Model–which is recognized and being taught as leading industry best practice in universities and higher education curriculums around the world, including at Harvard University.
• Sits on the panel tasked with developing the International Standard for Crisis Management— ISO 22361, Guidelines for developing a strategic capability.
• Visiting scholar at D’Youville University, where she co-created and co-teaches a Crisis Ready Program for young college students.
• Sits on Police Professional Standards, Ethics and Image Committee for the International Association of Chiefs of Police.
• Global Advisor for The Institute for Strategic Risk Management (ISRM), a global player established to help progress and promote the underlying understanding and capabilities associated with strategic risk and crisis management on a global scale.
• Leading international keynote speaker on the subject and TEDx alumna.
• Founder of the Crisis Ready ® Community.

Build for a stronger tomorrow by strengthening your team’s skills in issue management, crisis management, and crisis communication.

Between the demands of our social impact economy, the divisiveness of society and the many other challenges in front of us, embedding a crisis ready culture is more important than ever before. Having a team that is trained, poised, and empowered to effectively respond to risk, controversy and other threats, will strengthen stakeholder relationships and increase the brand equity of your organization. This is a powerful opportunity. The Crisis Ready® Coaching Program is specifically designed to equip your team with the tools needed today for launching into a stronger tomorrow.

Effectively manage through today’s challenges with the help of a diverse group of experts.

From best practices around re-opening, to diversity and inclusion, to managing through the impacts that 2020 has left on your business, the Crisis Ready® Coaching Program is designed to support you through the challenges of today, in order to recover faster and stronger for an even better tomorrow.

Gain strategic foresight into the coming months, giving you the tools you need to better anticipate and plan for a stronger future.

COVID-19 continues to affect a great majority of professionals and businesses, leaving them blindsided by its impact and all the uncertainty that came with it. The Crisis Ready® Coaching Program provides you with access to a diverse group of experts, each with unique areas of insight, to help provide you and your team with strengthened foresight to better anticipate and plan for both the risks and opportunities that lay ahead of us all.

Shireen Fabing

With almost twenty years of marketing experience, thirteen of which was spent in the telecom industry, Shireen brings with her an experience toolkit which includes marketing, public relations, communications, training & development, fundraising and project management.

She started her career in a PR agency and her portfolio included retail promotions and events as well as various high-profile projects for the City of Cape Town. This position came only a few short years after apartheid was lifted in South Africa and it is what she claims toughened her up for the real world. She built tenacity, resilience and grit in those early years and more importantly, learnt the importance of building contingencies around all events and programs.

When she made the move to Canada in 2002 to join her mom and siblings, she was mentally ready for the challenge of starting a new life. Circumstances found her back at school studying part time, working full time in the PR division of an ad agency, and volunteering for a not-for-profit benefitting at-risk youth. It was in this latter portion of her journey that she found a passion for Sponsorship Marketing & Special Events.

Accepting an entry level marketing position at a large Canadian telco to get her foot in the door, Shireen quickly gained not only the North American experience she was lacking, but also credibility with internal and external stakeholders, with her strongest suite being that she was always prepared for whatever would prove to come. She enjoyed getting to see some of Canada while showcasing some of the biggest concerts, festivals, theme park & sports activations, along with a multitude of innovative product launches.

The personal pride of her career was finding non-traditional sales venues where she successfully “married” marketing tactics and sales with a profitable outcome for the organization.

Shireen’s bio is not complete without talking about her boxing life. Initially she started the sport to help her create a work-life balance, however in 2013, when she was asked to compete in her first sanctioned charity bout, she humbly obliged.

The Fight to End Cancer was founded in 2011 and has donated over $1.5M to date in support of cancer research with proceeds going directly to support the Princess Margaret Cancer Foundation. This didn’t come as a shock to her family, friends or colleagues as they knew she’d be all in for training and fundraising! Training like a fighter was no different from the day-to-day boardroom she was used to - only with gloves, her self-motivation and a will to win! She was the first female corporate fighter to enter the ring for this annual event and with her opponent, they set the stage for future female bouts in coming years as they claimed bragging rights for “fight of the night”.

Today she continues to support the initiative, pursuing the sport as an amateur boxer and boxing coach allowing her to share her passion for the sport that found her.

Shireen spreads the word that she is living proof that you can do whatever you set your mind to, no matter what stage you’re at in life. Her personal mantra - strong is my beautiful - has turned into the driving force that is behind the self- proclaimed “Machine”.

Detective Frank Rivas

High Tech Professional with diverse,domestic and international background: Business Development, Operations Management, Program/Project Management, Partner Management, Process Improvement. Additional experience includes: asset and brand protection, threat/risk analysis.

Always interested in new challenges, dynamic work environment which provides intellectual stimulation and professional growth.

Specialties: Partner management, supply chain management, Operations Management, Latin American region, Public Safety, Risk/Threat Analysis, Leader / Talent Development

Peter Willis

My gift is to help individuals and groups of people think wider and deeper together than they might otherwise, especially about matters of critical importance. My current work is to help decision-makers reflect on, and learn from, their response to crisis.

Dr. Rafik Chaabouni

Specialities: Cryptography, Security, public key cryptography, range proof, set membership, certificate revocation.

Tom Compaijendion

Working on a future-proof crisis organization

✓ CRISIS MANAGEMENT IS CUSTOMIZATION A lot comes to your organization during a crisis. It is not always easy for employees to switch quickly from daily activities to the ‘crisis position’, with clearly defined roles, tasks, sharp processes and short consultations. Many employees are too little concerned with crisis on a daily basis to be really good at it. In short: crisis management is always tailor-made – and that is not always easy in a crisis situation, in which crisis consultations are often unstructured and go in all directions. I ensure that crisis organizations are better prepared for a crisis through advice, training, training and practice, so that they take the right actions more quickly, maintain confidence in the organization and thus prevent the crisis from becoming a ‘reputation crisis’.

✓ ANALYSIS AND YOUR ENVIRONMENT IN IMAGES A crisis places high demands on communication: the public and stakeholders expect a quick response (within an hour); the reaction must be visible among the thousands of messages on social media and one must take into account that the emotion wins over the ratio. I help organizations to set priorities and, in the midst of the complex playing field, to maintain good coordination with all stakeholders and to take on the role for which the organization is responsible.

✓ IMPACT ON YOUR ORGANIZATION In times of terrorism, (a growing number of) cyber attacks, coronavirus and other crises, knowledge of crisis management and crisis communication is crucial. After all, a crisis poses a risk of (image) damage. Most companies are therefore working on it, but despite the training, it turns out that it does not work well during an exercise. I guide and advise organizations in the transition to a more organized and partly automated information management system.

✓ROADMAP TO PERFECTION Compaijen Crisis Management and Communication has knowledge and experience at all levels: both national (Ministries), local (municipality of Amsterdam, security region) but also international (United Nations, EU consultation). As a trainer, I am one of the few with exceptional crisis experience. This allows me and we are able to convey a clear story with interesting cases and keep things simple. We always aim to make the organization truly better – and not just to complete training.

*Translated from Dutch

Andrea Bonime-Blanc

Andrea Bonime-Blanc, JD/PhD, is CEO and Founder of GEC Risk Advisory and a global governance, risk, ESG, ethics, cyber and crisis strategist, serving a broad cross-section of business, nonprofits, and government agencies. Since 2017, she has served as the Independent Ethics Advisor to the Financial Oversight and Management Board for Puerto Rico.

Dr. Bonime-Blanc spent two decades as a c-suite global corporate executive at Bertelsmann, Verint, and PSEG overseeing legal, governance, risk, ethics, corporate responsibility, crisis management, compliance, audit, InfoSec and environmental health and safety, among other functions. She began her career as an international corporate lawyer at Cleary Gottlieb, was born and raised in Europe and is multi-lingual.

She serves on several Boards and Advisory Boards including Greenward Partners (a Spanish green energy firm), Ethical Intelligence (an EU-based AI ethics firm), ProtectedBy.AI (A US based AI cybersecurity firm), Epic Theatre Ensemble (a NYC nonprofit), the NACD New Jersey Chapter and NYU Stern-based think tank, Ethical Systems. She also serves as a Governance Mentor at Plug & Play Tech Centre, a global start-up eco-system. She is a NACD Board Leadership Fellow and Governance faculty and holds the Carnegie Mellon CERT Certification in Cyber-Risk Oversight.

Andrea is a global speaker, including at Davos, and appears regularly on Bloomberg TV, Yahoo Finance, Cheddar and other media. She is faculty at NYU’s Center for Global Affairs Masters program teaching “Cyber Leadership, Risk Oversight and Resilience”. She is an extensively published author of many articles and several books including The Reputation Risk Handbook, Emerging Practices in Cyber-Risk Governance and The Artificial Intelligence Imperative. Her latest book, Gloom to Boom: How Leaders Transform Risk into Resilience and Value (Routledge 2020) debuted as an Amazon #1 Hot Release in Business Ethics and Game Theory. She lives in New York City with her family and is an avid photographer and artist.

Marylène Ayotte

Marylene is a Life Transformation Consultant, Trainer and Coach licensed with The Brave Thinking and HeartMath Institutes, premier training centers for transformational coaching in California. She also holds a Bachelor’s Degree in Business and Human Resources Administration and a Master’s Degree in Organizational Communications and Change Management.

Through her professional career and track record of over 20 years as a Coach, HR Executive Leader and Change Management expert in medium and large corporations, Marylène now shares her know-how & proficiencies through inspiring workshops and in-depth, proven and reliable transformational coaching tools and programs.

Marylene’s passion is to inspire in others self-reflection and greater awareness leading to growth mindsets and behavioural changes. As a result, individuals reach and sustain new heights in performance, success and vitality.

Licy Do Canto

Licy Do Canto, is a veteran of public policy, corporate strategy, health care communications and diversity and inclusion, is managing director of APCO Worldwide’s Washington D.C. office headquarters and mid-Atlantic region lead. Licy is also a Global Advisory Council (GAC) member here at the Crisis Ready Institute and a highly recognized African-American public affairs, lobbyist and communications strategist— recognized by TheHill newspaper for the 11th consecutive year as one of the most influential leaders in Washington, DC.

As Executive Vice President and Managing Director in the BCW Public Affairs and Crisis practice, Licy drives healthcare and social impact policy and strategy, and helps shape strategic direction on diversity, inclusion and belonging for the firm and its clients across North America, in public and corporate affairs, government relations, communications, crisis and reputation management. Licy also leads the BCW Healthcare Team in Washington, D.C.

An expert in public affairs, policy and diversity and inclusion, with over twenty five years of experience at the international, national, state and local levels across the nonprofit, philanthropic, corporate and government sectors, Licy is an accomplished, values-driven leader with unparalleled experience in developing and leading integrated public affairs campaigns combining strategic communications, public relations, political/legislative initiatives, policy, coalition building, grassroots efforts and advocacy.

Before joining BCW, Licy built and lead a nationally recognized minority owned strategic public affairs and communications firm, served as Health Practice Chair and Principal at The Raben Group, was the Chief Executive Officer of The AIDS Alliance for Children, Youth and Families, and managed and helped set the leadership direction for strategic policy, communications, and advocacy investments in executive and senior government affairs roles for the American Cancer Society and the nation’s Community Health Centers.

Before joining the private sector, Licy was domestic policy advisor to U.S. Congressman Barney Frank and served in several capacities in the Office of Senator Edward M. Kennedy. During his extensive tenure in Washington, D.C., Licy has played a leading role in efforts to draft, shape and enact legislation and policy to improve the public health, health care safety net and the lives, livelihoods and well-being of the nation’s disadvantaged and underserved communities. 

Licy also has worked with Moet Hennessey to drive diversity and inclusion on Wall Street and corporate America. He has partnered with Vice President Al Gore, senior government officials, scientists, NGOs and activists, on global climate change impact and sustainability across Africa. And he was appointed by Republican and Democrat governors to oversee the conservation, preservation and management of a prominent U.S. national historic landmark.

Licy is a graduate of Duke University and holds a certificate in public health leadership in epidemic preparedness and management from the University of North Chapel Hill—School of Public Health and Kenan Flagler Business School, and is the recipient of multiple industry awards and citations for his leadership, policy and public affairs acumen, including being named to The Hill Newspaper list of most influential  leaders in Washington, D.C. consecutively over the last ten years. As a global citizen, Licy has lived in Turkey and Spain, and is fluent in Spanish and Cape Verdean Portuguese.

Recognized globally as an expert, thought leader and visionary in the field of crisis management, Melissa Agnes has worked with global players, including NATO, the Pentagon (DoD), Ministries of Foreign Affairs and Defense, financial firms, technology companies, healthcare organizations, cities and municipalities, law enforcement agencies, aviation organizations, global non-profits, and many others.

In 2020, Melissa founded Crisis Ready Institute, a public benefit corporate dedicated to creating a crisis ready, crisis-resilient world by elevating industry standards; providing training and certification programs to professionals that better protect people, brands, the environment, and the economy in times of crisis; and promoting and incentivizing organizations and leaders to invest in effective crisis readiness.

Her book, Crisis Ready: Building an Invincible Brand in an Uncertain World , is taught in dozens of universities around the world, including at Harvard University; is ranked amongst the leading crisis management books of all time, by Book Authority ; and was named one of the top ten business books of 2018 by Forbes .

Melissa is the creator of the Crisis Ready® Model, which is recognized and being taught as leading industry best practice in the fields of crisis management and crisis communication.

As an in-demand international keynote speaker and a TEDx alumna , Melissa has traveled the world helping organizations and leaders further strengthen their crisis ready mindset, skills and capabilities.

In 2019, Melissa founded the Crisis Ready® Community , a space for professionals to come together to support one another, collaborate and strengthen their crisis ready skills.

Melissa sits on the Board of Trustees for D'Youville University, a private University in New York, where she also serves as a visiting scholar for the course she co-created and co-teaches on Crisis Leadership.

Melissa also sits on the Board of Directors for ZeroNow, a non-profit organization committed to ending harmful events in schools.

Passionate about serving law enforcement and bridging the trust divide between agencies and the communities they serve, Melissa is a member of the International Association of Chiefs of Police (IACP). In 2021 she co-chaired a committee that was tasked with developing a strategy and plan of action to begin managing and overcoming the trust crisis in the U.S.

In 2019 and 2020, Melissa sat on the panel tasked with developing the International Standard for Crisis Management— ISO 22361, Guidelines for developing a strategic capability.

Born and raised in Montreal, Quebec (Canada), Melissa currently lives in New York City and enjoys traveling, rollerblading, sailing, and working out when she isn’t working.

Aaron Marks

Founder and Principal, One Thirty Nine Consulting Global Advisory Council Member, Crisis Ready® Institute

Aaron Marks is the founder and principal of One Thirty Nine Consulting, providing services for small and large businesses in Risk, Crisis, and Consequence Management.

Supporting both domestic and international clients, he provides operational and subject matter expertise in readiness and preparedness, crisis and incident management, and business and operational continuity for complex systems and organizations.

Aaron has provided in-depth review, assessment, and analysis for technology, policy, and operational programs for clients in healthcare, critical manufacturing, and entertainment and hospitality, as well as for state, local, tribal, territorial, and federal governments in the United States, Europe, and the Middle East. He is a recognized authority on the application of nontraditional techniques and methodologies to meet the unique requirements of training, evaluation, and analytic games and exercise.

Prior to entering the readiness and preparedness field, Aaron was the Director of Operations for a commercial ambulance and Emergency Medical Services (EMS) provider in western New York State where he participated in the integration of commercial EMS and medical transportation resources into the local Trauma System.

During his 30-year career, Aaron has worked in almost every aspect of EMS except fleet services. This includes experience in Hazardous Materials and Tactical Medicine, provision of prehospital care in urban, suburban, rural, and frontier environments, and acting as a team leader for both ground and aeromedical Critical Care Transport Teams.

Aaron is a FEMA Master Exercise Practitioner and received a B.A. in Psychology from Texas Tech University in Lubbock, Texas, and a master’s degree in Public Administration with a focus in Emergency Management from Jacksonville State University in Jacksonville, Alabama. He is also a Nationally Registered Paramedic and currently practices as an Assistant Chief with the Amissville Volunteer Fire and Rescue Department, Amissville Virginia.

Chris Hsiung

Chris is the 11th Police Chief of the Mountain View Police Department, located in the heart of Silicon Valley. For more than 25 years, he has served the Mountain View community, and as the department’s leader, is passionate about maintaining MVPD’s role as a progressive law enforcement organization in the 21st century.

Chris is an internationally recognized speaker and columnist on the areas of crisis communications, critical incident management, leadership, and engagement with stakeholder groups. In his time with Mountain View PD, Chris has held a variety of investigative, tactical, and leadership roles, serving in every division in the organization. He is a graduate of the Harvard Kennedy School of Government Senior Executives in State and Local Government program and has a master’s degree in eBusiness Management from Notre Dame de Namur in Belmont, CA.

Chris also serves in several leadership positions on multiple boards, including as president on the Government Social Media Leadership Council and committee member on the IACP's Professional Standards, Ethics, and Image Committee. Previously, Chris served as a board member for the Peninsula Conflict Resolution Center and two terms as a commissioner on the City of San Mateo Community Relations Commission .

You can connect with him on Twitter @Chief_Hsiung or LinkedIn .

Ashley Davis

Ashley is a Brand and Marketing Strategist who partners with CEOs, executives and solopreneurs to grow their personal and professional brands. After spending over a decade working in strategic communications for multimillion dollar brands and startups, Ashley knows what truly drives conversations, builds mutually beneficial relationships between organizations and their stakeholder groups and attracts strong strategic partnerships.

Ashley has helped organizations and leaders increase employee awareness and overall understanding of the company vision. She has strong experience / knowledge of social media tools and techniques for driving awareness, reputation and brand—and is known for advancing a company's messaging in the marketplace by growing the following of now multiple multimillion dollar brands and startups.

Ashley has served as the Editor of monthly all employee publications by managing the planning, writing and production. She is an integral part of new product launches and is frequently engaged to train entire sales teams along with channel / distribution partners on new product launches. In addition to her extensive experience, Ashley is a trained business coach.

Ashley holds a BA in Global Business Management from the University of Phoenix.

Newsletter sign up

• Starting a Business
• Growing a Business
• Small Business Guide
• Business News
• Science & Technology
• Money & Finance
• For Subscribers
• Write for Entrepreneur
• Entrepreneur Store
• United States
• Asia Pacific
• Middle East
• South Africa

Copyright © 2024 Entrepreneur Media, LLC All rights reserved. Entrepreneur® and its related marks are registered trademarks of Entrepreneur Media LLC

Business Plan Risks How to present your business risks without scaring away investors

By Stever Robbins • Dec 11, 2004

Opinions expressed by Entrepreneur contributors are their own.

Q: I would like to include a risk analysis in my business plan. I don't know how to show risks without sending investors into an anxious frenzy.

A: Any start-up idea will have enough risk to fill a dozen business plans. No investor expects a risk-free plan. Angels and VCs know start-ups are incredibly risky. If they don't, don't take their money--they don't know what they're doing! Most projects fail for reasons that could have been (and sometimes were) predicted far in advance. Since entrepreneurs are optimistic folks by nature: They tend to brush off predictions of doom and charge ahead assuming they will find a way to overcome. You can often avoid the most dire scenarios with intelligent upfront risk planning.

The risk analysis in your plan is to show that you've thought through risks, that you know how to plan for probable risks, and that your plan can survive when things go wrong.

Your plan can address several kinds of risk. You don't need to address every kind of risk in the book, but pick the risk categories that are most relevant to your company and include a paragraph or two about each:

• Product risk is the risk that the product can't be created. Biotech firms often have a high degree of product risk. They never know for sure they can produce the drug they are hoping to produce.
• Market risk is the risk that the market will develop differently than expected. Sometimes markets take too long to develop, and cash runs out while a company is waiting for customers.
• People risk is big in companies that depend on having certain employees or certain kinds of employees. I was with a company that had hired one of the world experts in a certain type of 3-D modeling. It was possible that without this man on board and happy, the company wouldn't be able to create their product.
• Financial risk is the risk that a company will run out of money or mismanage their money in some way. Finance companies may have huge financial risk, since bad lending policies combined with poor investment policies can sink them.
• Competitive risk is the risk that a competing product or service will be able to win. Many Web-based businesses have high competitive risk since they can be started with little money and have no way of locking in customers.

What investors want is to know that you are prepared to respond to risks. To the extent possible, outline what your response is to the risk you anticipate. After all, assuming you get funding, those risks may really come to pass. And you will really have to do something about it. By showing investors some of the alternatives you've thought through, you raise their confidence that you'll be able to deal if things don't go according to plan.

For example, consider the risk to a restaurant that people won't come back. What are the reasons you believe that would happen? What can you do to keep that from happening in the first place? It amazes me how many restaurants have a lousy menu selection or bad food and go under without ever asking customers, "Did you enjoy your meal? What could we do to make it better?" An at-the-table survey may be how you propose to avoid having the wrong menu. If things go wrong, you may decide to proactively invite critics to the restaurant for specific feedback on how to make the experience better.

The key is acknowledging that things can go wrong and demonstrating some creativity in finding a solution. You certainly needn't respond to every risk imaginable. Your goal is to provide enough to help your investors feel secure that you have anticipated and dealt with major risks, and they can count on you to handle things that come up once the business is under way.

Stever Robbins is a consultant specializing in mastering overwhelm, power and influence. The author of It Takes a Lot More Than Attitude...to Lead a Stellar Organization , he has been a team member or co-founder of nine startups, an advisor and angel investor, and co-developer of Harvard's MBA program. You can find his other articles and information at SteverRobbins.com .

This article originally appeared on Entrepreneur.com in 2002.

Stever Robbins is a venture coach, helping entrepreneurs and early-stage companies develop the attitudes, skills and capabilities needed to succeed. He brings to bear skills as an entrepreneur, teacher and technologist in helping others create successful ventures.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick Red Arrow

• A Student in an Ivy League University's Most Popular MBA Leadership Class Asked a Tough Question: What If Your Boss's Downfall Is Necessary to Get Ahead?
• Lock Zillow Co-Founder Shares a 'Misunderstood' Truth About Starting, Funding and Selling Your Company
• Lisa Vanderpump Says If You Want to Run a Business, Get Some Thicker Skin
• Lock These Are the 10 Best States for Starting a Side Hustle , New Research Reveals
• Popular Appetite Suppressant Ozempic Can Be Made for Less Than $5 a Month , New Research Suggests
• Lock Bankruptcy Isn't a Sign of Failure — It's a Strategy. Here's Why It Might Be the Right Move for You .

Most Popular Red Arrow

Getting laid off allowed him to focus on his sentimental side hustle. now he's on track to earn over $700,000 in 2024..

Alaa El Ghatit wasn't fulfilled at his day job. So he started LifeOnRecord to help people record memories and well wishes.

This Is the Framework You Need to Create a Brand Worth Your Customers' Loyalty and Make More Money Doing It

The first impression your customers will get of your business in this day and age is your website — so it needs to be created with intent. Here's how to use compelling storytelling on your website and one specific framework to capture their attention.

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

This Once Single Mom Had Negative $1,500 in Her Bank Account Before She Started a Lucrative Side Hustle — and Earned $100,000 Within 1 Year

Dixie Bagley did a friend a favor — and it turned into a high-paying business opportunity.

Scale Your Content Output with Write Bot — Now Just $40

This AI content writer can save you time and money, especially now that it's just $39.99 for a lifetime subscription.

You Need a Community With Shared Values to Find Long-Term Success — Here's How to Cultivate It.

Entrepreneurs need to remember this growth strategy: nurturing a purpose-driven community of like-minded entrepreneurs around them.

Successfully copied link

• +1 (800) 826-0777
• VIRTUAL TOUR
• Mass Notification
• Threat Intelligence
• Employee Safety Monitoring
• Travel Risk Management
• Emergency Preparedness
• Remote Workforce
• Location and Asset Protection
• Business Continuity
• Why AlertMedia
• Who We Serve
• Customer Spotlights
• Resource Library
• Downloads & Guides

How to Build a Disaster Recovery Plan for Better Business Continuity

A disaster can derail your business without warning. Get back to business quickly and safely with a disaster recovery plan.

What Is a Disaster Recovery Plan?

• 6 Steps to Build Your Plan
• Instill a Culture of Preparedness

Within days of the tragic terrorist attack on the World Trade Center, business disruptions began rippling outward from New York City. Trucks delayed at the Canadian and Mexican borders led to shut-down assembly lines at Ford Motor Company. The Toyota factory in Indiana couldn’t make cars because parts weren’t coming in from Germany with air traffic shut down.

September 11, 2001 was a watershed event that forced many business leaders to “wake up” and admit that disasters can and do have widespread and lasting impacts globally. Over the decades that followed, disaster recovery became less about reacting to a crisis and more about ongoing risk management.

As John Liuzzi, National Director of Business Continuity at Southern Glazer’s Wine & Spirits, shared , professionals in his field no longer see disaster recovery and business continuity as administrative or compliance issues but as an integrated part of the business. Liuzzi says, “It’s about threat intelligence, disaster recovery, and crisis management that’s all seamless.”

A single human error can spur disruptive events from your supply chain to the front of the house. The longer your business stays out of service, the greater the loss to your people, systems, physical assets, and your company’s reputation.

From navigating a national tragedy to local demonstrations or a sudden blackout, a well-executed disaster recovery plan is your key to coming away with as few scratches as possible. Let’s break down what that could look like for your business.

Download Our Business Continuity Checklist

A disaster recovery plan (DRP) is a documented strategy for returning to normal operations quickly after an unexpected incident. The purpose is to provide specific instructions for actions to take before, during, and after any disaster. A comprehensive DRP should address all types of disasters, including human-instigated and natural, internal and offsite, accidental and intentional.

The range of potential disaster scenarios covered by a DR plan includes:

• Malware or ransomware
• System outages
• IT infrastructure failure
• Equipment failures
• Building damages
• Power outages
• Civil Unrest
• Citywide or regional issues
• Health crises

What’s included in a disaster recovery plan?

The exact structure depends on your business, but a disaster recovery strategy typically begins with risk analysis and includes plans for emergency operations , data backup and recovery, redundancy and backup systems, communications, and incident recovery—all supporting the goal of preserving business continuity.

While business continuity and disaster recovery go hand in hand, they’re not interchangeable. A DR plan is more focused than a business continuity plan and does not necessarily cover all contingencies for business processes, assets, human resources, and external partners.

Disasters Are an Ongoing Threat to Business Continuity

Businesses lose a lot to disasters each year—especially catastrophic events such as floods and hurricanes. In 2022, the world suffered $313 billion in losses from natural disasters. But catastrophic events can also be driven by humans. Security breaches are one example of a common and costly human-made disaster, and they can lead to business downtime amounting to about $4.5 million per incident.

Whatever the reason—products aren’t available, stores can’t open, data centers fail, or your teams can’t get to work—everybody suffers. Your company sacrifices revenue, employees miss out on wages, and customers are left unserved. And once that cycle sets in, it can perpetuate itself.

If your business is located in an area susceptible to specific weather events, you absolutely need to plan for natural disasters. For example, plan for hurricanes in southern coastal areas, blizzards in snow-prone areas, or wildfires in the western and southwestern United States.

New market expansion or rapid team expansion can pose an added risk to business recovery, thanks to new processes, equipment, sites, and relationships. But even when it’s business as usual, all it takes is a cyberattack, an unexpected storm, or a chewed-through cable to cause the type of incident that could derail business operations.

If your organization’s disaster recovery plan is nonexistent, outdated, or a glorified checklist, now is the time to review, revise, or create a plan for disaster recovery solutions—before you need it.

Build Your Comprehensive Disaster Recovery Plan in 6 Steps

1. assess risks and vulnerabilities.

The first step is a risk assessment to uncover the threats you’re up against. A threat assessment and business impact analysis (BIA) will help you identify potential disasters and understand the possible consequences.

Take inventory of each functional area of the organization, your sites, people, physical and digital assets, key suppliers, and partners. Document your business’s internal infrastructure and data management to facilitate rebuilding after a disaster, and prioritize components based on their importance to business continuity.

2. Create your team

Decide who will create, update, and execute the plan. This disaster team will spearhead recovery and communication efforts during a crisis.

Assign specific tasks to your disaster recovery team members and document responsibilities, with one person as team leader. Ensure the disaster management team includes representation from each business function and align recovery tasks to each business unit so every department is included.

3. Establish clear objectives and priorities

Define the goals and objectives your recovery efforts will accomplish. Determine what the plan will and won’t cover, and establish critical questions to answer like, “Where do we relocate people or migrate systems?” and “Which applications and infrastructure must be restored immediately in case of a disaster?”

Based on your business impact analysis, define recovery time objectives (RTO) for applications, hardware, equipment, and other critical systems within the business. Recovery point objectives (RPO) are another key metric to establish the maximum allowable data loss in the event of a disaster impacting information systems.

Expressed in seconds, minutes, hours, or days, your RTOs define the acceptable time since the last data recovery point and should be calculated based on their importance. In other words, how long before an outage could a data recovery take place before the business would be impacted negatively?

4. Create a communication plan

During a fire, flood, or other disaster, seconds count and connectivity is the key to maximizing your time. Your crisis communication plan can make the difference between “crisis averted” and catastrophic consequences. In devising a disaster recovery communication plan, prioritize these steps:

Identify key audiences: Determine who will need information during and after a disaster, such as employees, customers, suppliers, city officials, and local first responders. Keep contact information up to date so you can get in touch quickly.

Pro tip: An emergency mass communication system can even help you group audiences that may need different information at different times. By organizing contact groups in advance, you lose no time sending critical messages to ensure people’s safety and mitigate operational disruptions.

Establish media protocols: Establish guidelines for interacting with the media during a crisis. Designate spokespersons and prepare them with key messages to ensure a clear and consistent message.

Create communication templates: Develop templated messages that you can quickly customize for each scenario. Know who is in charge of sending the messages and train them on procedures and how to use the emergency communication solution.

Set up communication centers: Equip these centers with scripts, FAQs, and necessary technologies to handle inquiries and provide information for customers, suppliers, employees, and the media.

5. Document the disaster recovery process

Create step-by-step instructions in plain language to restore critical functions quickly after a disaster. Your emergency response plan should outline each step in disaster recovery procedures, document the order of operations, and assign each task to an owner.

Documentation of the disaster recovery process may include:

• Criteria for when you will activate the disaster recovery plan in different scenarios
• Records of all critical applications, cloud services, data storage services, service providers, and hardware and planned backup systems
• Communication protocols and instructions for the team in charge of the communications plan
• Precautions and preventive measures to guard against future disasters
• Emergency response procedures for evacuations, calling authorities, alternative work locations, supply chain contingencies, etc.
• Strategies, tools, and technologies used for data protection, storage, backup procedures, replication, and recovery
• A review of insurance coverages, including policies for flood, earthquake, or business interruption insurance

Store the DRP documentation away from the network in a secure yet accessible location. Consider immutable storage to prevent loss or unauthorized changes to the document.

6. Test and update the plan

You can’t possibly predict every scenario that might occur during a disaster. Doing a dry run is the best way to determine if your plan will work when you need it.

Stress test your plan through partial and full-scale recovery simulations. Use an after-action report to learn where there is room for improvement, then analyze, update, and retest different plans to find the best possible course of action. Conduct surprise drills to see how people and plans will function when an unexpected disaster strikes.

Instill a Culture of Preparedness in Your Organization

Ideally, disaster recovery is more than a checklist or an annual compliance exercise. “It has to be built into your organizational DNA.” said Liuzzi. He goes on to say that your chances of success are higher when you “make it part of the business, not separate” and shares some of his best practices for disaster recovery.

Monitor for ongoing threats

As the world’s largest wine and spirits distributor, Southern Glazer’s needs to be alert 24/7 to manage its complex global supply chain. With ongoing threat intelligence, they are the first to know about all types of external risks—upcoming storms, wildfires in impacted areas, demonstrations, or geopolitical upsets. When contextual risk intelligence is built into your emergency preparedness, you’re not spending excessive time and resources monitoring and filtering through potential threats.

Nurture internal and external relationships before an incident happens

As Liuzzi attests from experience, running a successful business continuity program is about being prepared and building a culture where preparedness is not an afterthought. Part of building this level of safety culture is creating partnerships before an incident happens. For example, you could join an industry-specific safety organization. Support local fire, police, and emergency services departments at their events and work with them for company training.

Internally, nurturing a culture of emergency preparedness might look like:

• Proactively providing access to resources like emergency kits and online tools for employee preparedness
• Engaging employees in ongoing training, drills, and testing Promoting company values that include situational awareness and company resilience
• Running disaster recovery tabletop exercises as part of a safety meeting
• Partnering with your global security operations center ( GSOC ) and other org-wide teams to optimize backup and recovery plans
• Winning buy-in from executive stakeholders by tying the value of business continuity to the data they care about

Optimize Your Business Continuity & Disaster Recovery Strategies

You can’t always avoid disasters, but you can prepare for them. A disaster recovery plan helps you recover what is lost (data, physical property, or something else) and get back to running smoothly as soon as possible. More importantly, educating your teams and building ongoing support for disaster recovery and continuity programs will go a long way in helping your organization respond quickly and effectively in an emergency.

More Articles You May Be Interested In

Business Continuity Checklist

Please complete the form below to receive this resource.

Check Your Inbox!

The document you requested has been sent to your provided email address.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Mobile Menu Overlay

The White House 1600 Pennsylvania Ave NW Washington, DC 20500

U.S-EU Joint Statement of the Trade and Technology   Council

Leuven, Belgium

I. Introduction

The sixth ministerial meeting of the Trade and Technology Council (“TTC”) took place in Leuven, Belgium, on 4 and 5 April 2024. It was co-chaired by European Commission Executive Vice President Margrethe Vestager, European Commission Executive Vice President Valdis Dombrovskis, United States Secretary of State Antony Blinken, United States Secretary of Commerce Gina Raimondo, and United States Trade Representative Katherine Tai, joined by European Commissioner Thierry Breton, and hosted by the Belgian Presidency of the Council of the European Union.

The meeting took place against the backdrop of significant geopolitical developments and challenges, including Russia’s unprovoked and unjustified war of aggression against Ukraine and the escalation of violence in the Middle East, that have shaken the international rules-based order to which we are jointly committed. The United States and the European Union remain unwavering in our long-term political, financial, humanitarian, and military support to Ukraine.

There has been a buildup of global economic pressure through extensive non-market policies and practices. This accentuates excessive and possibly high-risk dependencies of strategic supplies, tilts the level playing field, and poses a threat to our economic security, our prosperity, and the well-being of our firms, workers, and citizens.

The acceleration of the digital transformation creates unprecedented opportunities for growth and innovation but also raises numerous risks and challenges that call for accelerating our efforts to establish joint leadership and continue robust coordination on our approaches for creating rules of the road for emerging technologies, such as artificial intelligence (AI), quantum technologies, and 6G wireless communication systems. We aim to foster interoperability and support our common democratic values and the protection of human rights, while also promoting innovation. We are also dedicated to continuing to equip our workforce with the skills necessary to meet the needs created by rapidly changing technology, including AI.

The cooperation between the United States and the European Union continues to be the bedrock for dealing with such global challenges, and the TTC has played a vital role in shaping a forward-looking dialogue and facilitating unprecedented coordination and quick responses to key trade and technology related issues and developments, not least in the context of Russia’s continued aggression against Ukraine. We therefore reaffirm the importance of the TTC and will continue to refine and adapt this forum to advance our shared objectives.

We have used the TTC to address global trade challenges, strengthen our economic and trade ties, accelerate the transition to climate-neutral economies, and boost our economic security. With the Transatlantic Initiative on Sustainable Trade (TIST), the TTC is contributing to the creation of a stronger, more sustainable, and more resilient transatlantic marketplace and facilitating environmentally responsible trade in goods and technologies. We have increased cooperation on interoperability of digital trade tools as well as standardisation of critical and emerging technologies to reduce the costs of trading across the Atlantic. To boost our economic security, we continue to cooperate through the TTC to diversify strategic supply chains, including solar panels, semiconductors, and critical raw materials, and to reduce vulnerabilities, including those caused by other countries’ non-market policies and practices. We have also deepened our dialogue and cooperation on export controls and investment screening.

Working with stakeholders, we continue to use the TTC to advance the governance of critical and emerging technologies, such as artificial intelligence, quantum technologies, semiconductors, biotechnology, and online platforms, including by supporting the development of rights-respecting international technical standards, codes of conduct, principles, and guidance. In particular, we call upon online platforms to ensure their services contribute to an environment that protects, empowers, and respects their users and the general public. We are working together to advance public interest research on online platforms, including to address particular societal risks, such as technology-facilitated gender-based violence. We will continue to combat foreign information manipulation and interference and to protect human rights defenders online, including in the context of elections.

We intend to continue our trade and technology cooperation as set out below.

II. Key Outcomes of the Sixth TTC Ministerial Meeting

A. Advancing Transatlantic Leadership on Critical and Emerging Technologies Artificial Intelligence

The United States and the European Union reaffirm our commitment to a risk-based approach to artificial intelligence (AI) and to advancing safe, secure, and trustworthy AI technologies. The dedicated coordination under the TTC continues to be instrumental to implementing our respective policy approaches which aim to reap the potential benefits of AI while protecting individuals and, society against its potential risks, and upholding human rights.

Our exchanges confirm our joint understanding that transparency and risk mitigation are key elements to ensure the safe, secure, and trustworthy development and use of AI, and we will continue to coordinate our contributions to multilateral initiatives such as the G7, the OECD, G20, Council of Europe, and UN processes to advance the responsible stewardship of AI. We encourage advanced AI developers in the United States and Europe to further the application of the Hiroshima Process International Code of Conduct for Organizations Developing Advanced AI Systems which complements our respective governance and regulatory systems.

With a view to ensuring continued and impactful cooperation on AI, leaders from the European AI Office and the U.S. AI Safety Institute have briefed one another on their respective approaches and mandates. These institutions today committed to establishing a Dialogue to deepen their collaboration, particularly to foster scientific information exchange among their respective scientific entities and affiliates on topics such as, benchmarks, potential risks, and future technological trends.

This cooperation will contribute to making progress with the implementation of the Joint Roadmap on Evaluation and Measurement Tools for Trustworthy AI and Risk Management , which is essential to minimize divergence as appropriate in our respective emerging AI governance and regulatory systems, and to cooperate on interoperable and international standards. Following stakeholder consultations, we have further developed a list of key AI terms with mutually accepted joint definitions and published an updated version .

We are also united in our belief of the potential of AI to address some of the world’s greatest challenges. We applaud the United Nations General Assembly Plenary Resolution “Seizing the Opportunities of Safe, Secure and Trustworthy Artificial Intelligence Systems for Sustainable Development,” that has solidified a global consensus around the need to manage the risks of AI while harnessing its benefits for sustainable development and the protection and promotion of human rights.

We are advancing on the promise of AI for sustainable development in our bilateral relationship through joint research cooperation as part of the administrative arrangement on artificial intelligence and computing to address global challenges for the public good. Working groups jointly staffed by U.S. science agencies and European Commission departments and agencies have achieved substantial progress by defining critical milestones for deliverables in the areas of extreme weather, energy, emergency response, and reconstruction . We are also making constructive progress in health and agriculture.

We will continue to explore opportunities with our partners in the United Kingdom, Canada, and Germany in the AI for Development Donor Partnership to accelerate and align our foreign assistance in Africa to support educators, entrepreneurs, and ordinary citizens to harness the promise of AI.

The United States and the European Union established a Quantum Task Force to address open questions on science and technology cooperation between the United States and the European Union on quantum technologies. Its primary objective is to bridge gaps in research and development (R&D) between the United States and the European Union, thereby harmonizing efforts in quantum technology advancements. This includes the establishment of a shared understanding and approach to technology readiness levels, development of unified benchmarks, identification of critical components in quantum technology, and advancement of international standards.

The task force continues work to address key questions that are necessary to reach an agreement on launching joint actions for science and technology cooperation in quantum, such as reciprocity in openness of quantum research programs and in intellectual property rights regimes.

Post-Quantum Cryptography Coordination

The United States and the European Union affirm the importance of the rapid mobilization to secure our digital communication networks against the threats posed by the potential for a future cryptanalytically-relevant quantum computer. Our joint work in Post Quantum Cryptography (PQC), feeding into the U.S-EU Cyber Dialogue, enables U.S. and EU partners to share information to understand activities in PQC standardization and in the transition to PQC.

The Road to 6G

The United States and the European Union share the belief that advanced connectivity can  facilitate a more inclusive, sustainable, and secure global economy. We concur on shared principles for the research and development of 6G wireless communication systems, and we recognize that by working together we can support the development of technologies and global technical standards for tomorrow’s critical digital infrastructure that reflect shared principles and values. We support open, global, market-driven, and inclusive multi-stakeholder approaches for the development of technical standards for secure and interoperable telecommunications equipment and services. On the road to 6G, in a geopolitical environment increasingly marked by tension and conflict, the growing requirement for security and resilience of key enabling communications technologies and critical infrastructure highlights the need to rely on trusted suppliers, to prevent vulnerabilities and dependencies, with potential downstream effects on the entire industrial ecosystem.

We delivered a 6G outlook in May 2023. In addition, the two main industry associations on each side of the Atlantic jointly developed a 6G Industry Roadmap in December 2023. The roadmap affirmed the commitment of the stakeholders to collaborate on the development of 6G networks and proposed a comprehensive set of critical strategic reflections and recommendations from academia and industry. On 26 February 2024, ten countries, including some EU Member States concluded a joint statement on 6G .

These milestones have contributed to shaping the joint “ 6G vision ” that we are adopting today. This vision focuses on technology challenges and research collaboration including on microelectronics; AI and cloud solutions for 6G; security and resilience; affordability and inclusiveness, sustainability and energy efficiency; openness and interoperability; efficient radio spectrum usage; and the standardisation process.

Having decided on this 6G vision, the United States and the European Union will strengthen cooperation between their research and innovation funding agencies, notably through an Administrative Arrangement signed between the U.S. National Science Foundation (NSF) and the Directorate‑General for Communications Networks, Content and Technology (DG Connect) of the European Commission covering collaboration in the field of 6G and Next Generation Internet technologies.

Considering the importance of developing a common vision to 6G and cooperating in the global standardisation process through standardisation organisations such as ETSI/3GPP, we also intend to develop an outreach plan with likeminded partners to support and advance the development of 6G networks.

Semiconductors

The coordination on our respective efforts to build resilient semiconductor supply chains remains crucial to the secure supply of semiconductors, which are indispensable inputs to an ever-growing range of key industry sectors, and to ensure leadership in cutting-edge technologies.

We have been cooperating fruitfully under two administrative arrangements:

• A joint early warning mechanism aimed at identifying (potential) supply chain disruptions and enabling early action to address their impacts, which has already proven useful in monitoring developments in the gallium and germanium markets; and
• A transparency mechanism for reciprocal sharing of information about public support provided to the semiconductor sector.

We intend to extend the two administrative arrangements for a period of three years to enable further coordination and to establish synergies between our support for investments in the semiconductor sector taking place under the EU Chips Act and the U.S. CHIPS Act.

The United States and the European Union share concerns about non-market economic policies and practices that may lead to distortionary effects or excessive dependencies for mature node (“legacy”) semiconductors. On the side of the fifth TTC ministerial meeting, which took place on 30 January 2024 in Washington, D.C., we held a joint roundtable with high-level industry representatives dedicated to legacy semiconductor supply chains. Both the United States and the European Union are committed to continuing to engage closely with industry on the issue. We plan to convene further government-to-government discussions with like-minded countries on this topic in the near future. In January 2024, the United States launched an industry survey to assess the use of legacy chips in supply chains that directly or indirectly support U.S. national security and critical infrastructure. The European Union is also gathering information on this issue. We intend to, as appropriate, continue to collect and share non-confidential information and market intelligence about non-market policies and practices, commit to consult each other on planned actions, and may develop joint or cooperative measures to address distortionary effects on the global supply chain for legacy semiconductors.

We plan to continue working to identify research cooperation opportunities on alternatives to the use of per- and polyfluorinated substances (PFAS) in chips. For example, we plan to explore the use of AI capacities and digital twins to accelerate the discovery of suitable materials to replace PFAS in semiconductor manufacturing.

Biotechnology Cooperation to Promote the Bioeconomy and Address Global Challenges

The bioeconomy is supported by the use of foundational and widely-applicable tools and technologies (including emerging biotechnologies), which have the potential to drive innovation to address global challenges. .These tools and technologies also represent an opportunity to begin developing a common international understanding of the bioeconomy and future efforts to evaluate, measure, and grow the global bioeconomy as a whole. A crucial component of this effort is establishing a shared understanding of some of the risks and vulnerabilities associated with the bioeconomy, including economic and security considerations, alongside a simultaneous commitment to enabling the safe, secure, sustainable, and responsible use of tools and technologies for bioeconomic development.

We look forward to cooperating on shared research, development, and innovation priorities through the U.S.-EU Joint Consultative Group that will push bioeconomic development forward in ways that address the most pressing global challenges we all face.

We acknowledge the significant promise and risks associated with the integration of advanced biotechnology with other technological disciplines such as AI, information technology, nanotechnology, neurotechnology, chemistry, and medicine, which will drive innovation and have significant implications for academia, industry, and economic security. To address the potential risks associated with the convergence of these technologies, we are committed to work toward mechanisms to safeguard dual-use advanced biotechnology items and equipment.

Transatlantic Cooperation on Standards for Critical and Emerging Technologies and Clean Energy Transition

The United States and the European Union share an interest in recognizing mutually compatible technical standards as a way to expand transatlantic approaches for the deployment of critical and emerging technologies that reflect our shared values.

We plan to continue to exchange information on international standardisation activities for critical and emerging technologies via the “Strategic Standardisation Information (SSI)” mechanism, as established at the second U.S-EU TTC ministerial meeting. Our deepened cooperation enables us to cooperate on global standards. In order to strengthen collaboration with the private sector, we organised a joint stakeholder workshop in Washington D.C. on 17 November 2023, which identified relevant areas for transatlantic collaboration.

Together with standards development organisations and stakeholders, we have endeavoured to work towards mutually compatible standards and best practices in areas of strategic interest with the objective of avoiding unnecessarily burdensome technical trade barriers, without prejudice to the specificities and needs of our respective legal systems.

Over the last two years, our cooperation has led to tangible outcomes. We have facilitated commonly recognised international standards for the rollout of megawatt charging systems for heavy-duty vehicle charging points, and joint work of U.S. and EU standardisation bodies on plastics recycling and additive manufacturing since the start of the TTC. Our work continues to facilitate the development of mutually recognised and compatible standards to enhance new opportunities for cooperation within our respective standardisation systems.  

Following a successful round of government-to-government technical exchanges, the European Commission and U.S. government released a Digital Identity Mapping Exercise Report Digital Identity Mapping Exercise Report which provides the results of an initial mapping centred on the definitions, assurance levels, and references to international standards included across Revision 3 of the NIST Digital Identity Guidelines ( Special Publication 800-63, Revision 3 ) and European Regulation  (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market. The next phase of this project will focus on identifying potential use cases for transatlantic interoperability and cooperation with a view toward enabling the cross-border use of digital identities and wallets.

The United States and the European Union intend to continue to identify emerging technology standards that are enablers of the clean energy transition for transatlantic collaboration. B. Promoting Sustainability and New Opportunities for Trade and Investment 

Transatlantic Initiative on Sustainable Trade 

The Transatlantic Initiative on Sustainable Trade (TIST) work programme, which we launched at the fourth U.S-EU TTC ministerial meeting in May 2023, has advanced our cooperation on actions to accelerate the transition to climate-neutral economies in the United States and the European Union in a mutually beneficial way. The United States and the European Union have been making progress on the different work strands under the TIST work programme and will continue to advance this work.

Building a Transatlantic Green Marketplace

Building on our strong economic links to accelerate the green transition while creating new business opportunities for our firms and good employment opportunities for our citizens is a key objective of the TIST.

On 30-31 January 2024, the United States and the European Union jointly organised the “ Crafting the Transatlantic Green Marketplace ” event in Washington, D.C. The event brought together representatives from the U.S. and EU business, civil society, and labor communities to engage in a series of thematic stakeholder-led discussions that focused on identifying opportunities for transatlantic collaboration to promote the transition to a more sustainable and climate-neutral economy on both sides of the Atlantic. The United States and the European Union thank the participants for their time and input. We are currently analysing the various proposals for cooperation received from the stakeholders to assess their potential to be taken forward.

In addition, the United States and the European Union will continue various efforts under the TIST umbrella, including exploring potential avenues of cooperation on conformity assessment.

Green Public Procurement

The United States and the European Union underscore that, by achieving a common understanding on green public procurement practices, we can accelerate the uptake of more sustainable and greener solutions to achieve our common environmental and climate goals.

To this end, we have issued a Joint U.S.-EU Catalogue of Best Practices on Green Public Procurement . It will contribute to advancing sustainability objectives by identifying and promoting policy tools for accelerating the deployment of publicly financed sustainability projects in the United States and the European Union.

The Joint Catalogue presents a collection of policies, practices, and actions used across all stages of the procurement process, from the strategic planning to pre-procurement, procurement, and post-contract award stage, and addresses all types of environmental and climate challenges, such as reduction of greenhouse gas emissions, energy efficiency or promoting circular economy approaches. It can serve as an inspiration for policymakers and suppliers, as well as provide ideas for the uptake of green solutions in public procurement globally.

The United States and the European Union will continue to work together on how to use the Joint Catalogue and maximise its impact.

Secure and Sustainable Supply Chains for the Clean Energy Transition

The United States and the European Union reaffirm that secure and sustainable transatlantic supply chains are key for a solid and steadfast transition towards a net zero economy and will help reduce excessive dependencies in strategic economic activities. We intend to continue to cooperate on strategic supply chains, such as solar, to help us increase secure supply of clean energy. The United States and the European Union share common challenges in the solar sector and reaffirm the importance of a dedicated workstream that explores ways to jointly support our photovoltaic manufacturing capacity (including equipment) and to diversify and de-risk this supply chain.

The United States and the European Union also continue efforts to promote transparency and traceability to improve social standards and environmental protections across supply chains that support the green transition. In this context, we are planning a workshop with stakeholders to present ongoing initiatives to promote innovative solutions in the management of sustainable supply chains, including a focused session on solar.

U.S-EU Clean Energy Incentives Dialogue

The United States and the European Union share a strong commitment to tackling the climate crisis. We want to further the growth of the global clean energy economy while establishing resilient, secure, and diverse clean energy supply chains. By strengthening and expanding clean energy industries and investing in future-oriented sectors, we generate jobs, ignite a positive cycle of innovation, and decrease costs for clean energy technologies.

Through the U.S-EU Clean Energy Incentives Dialogue, we continue to work in a transparent and mutually reinforcing manner, to avoid zero-sum competition, subsidy races and distortions in transatlantic trade and investment flows that could arise from our respective policies and incentives. In this way, we strive to maximise clean energy technology deployment that creates jobs and does not lead to windfalls for private interests. To further enhance transparency, we intend to share specific information about our respective public incentive programs starting with one sector as a pilot with the possibility to extend this to further sectors in the future and will explore putting in place a reciprocal mechanism for consultations.

We share concerns about a range of third country non-market policies and practices. We have discussed thoseused by certain third countries to attain a dominant global position in clean energy sectors, and recognise the value of continuing to exchange information on such non-market policies and practices. We will continue to explore policy tools and possible coordinated action to address harm caused by these policies and practices. including by fostering supply chain diversification, reducing dependencies, and building resilience to economic coercion.

Critical Minerals

The United States and the European Union affirm their close collaboration on diversifying global critical minerals supply chains. We welcome the launch of the Mineral Security Partnership ( MSP) Forum , which we will co-chair. The MSP Forum will formalize and expand its existing engagements with minerals producing countries, with a particular focus on advancing and accelerating individual projects with high environmental protections and social governance and labor standards and promoting discussion of policies that contribute to diverse and resilient supply chains.

Continuing our well-established cooperation on critical raw materials, a workshop on “Developing the permanent magnets value chain” resulted in valuable exchanges focussing on rare earth magnets. We plan to continue these exchanges in the future.

To promote a green transition, enhance economic security, and strengthen environmental protections and labor rights in international critical minerals supply chains, the United States and the European Union are advancing negotiations toward a Critical Minerals Agreement.

Transatlantic E-Mobility Cooperation

We welcome the successful completion of the Electro-mobility and Interoperability with Smart Grids workstream with the publication of the U.S-EU joint technical recommendations for “ Future Public Demonstrations of Vehicle-Grid Integration (VGI) Pilots ”. Devised in consultation with industry experts and stakeholders, the recommendations propose the development of best practices to prepare for large-scale VGI demonstrations, educate potential customers, and incorporate requisite customer-related factors in demonstration programme designs, and aim at supporting communication and coordination between the United States and the EU.

The recommendations complement the “ Transatlantic Technical Recommendations for Government Funded Implementation of Electric Vehicle Charging Infrastructure ,” which were presented at the fourth TTC ministerial meeting in May 2023 in Luleå, Sweden.

Together, the two sets of recommendations can benefit companies and end users, and transatlantic trade and investment, by supporting the expansion of e-mobility as well as the realization of U.S. and EU clean energy and de-carbonization commitments.

Enhancing eInvoicing Interoperability between the United States and the European Union

As part of our efforts to increase the use of digital tools that enhance trade, Electronic Invoicing (eInvoicing) has emerged as a transformative tool in modern business, offering efficiency gains, cost savings, and trade benefits. The continued cooperation and efforts towards compatible eInvoicing between the United States and the European Union. offer a spectrum of advantages, with the potential to significantly reshape cross-market transactions and the dynamics of transatlantic trade. Even though most of the eInvoicing technical specifications and profiles are highly aligned, there are differences between our respective eInvoicing systems. We intend to continue to cooperate and coordinate for greater compatibility, particularly in terms of business and technical interoperability, as outlined in the declaration annexed to this Joint Statement.

Trade and Labor in the Green Transition

Today, the United States and the European Union held their third session of the tripartite Transatlantic Trade and Labor Dialogue (TALD). This session brought together TTC principals and senior representatives from labor, business, and government from both sides of the Atlantic and continued the joint transatlantic work with social partners on the promotion of sustainable and responsible supply chains with strong protections for labor rights. Building on the discussions during the workshop on the “ Promotion of Good Quality Jobs for a Successful, Just and Inclusive Green Transition ” on 30 January 2024, the TALD meeting provided the opportunity to dive deeper and hear views from labor and business stakeholders on the topic of the green transition, with specific focus on the green transition and other challenges, and the future of TALD.

In addition, the United States and the European Union reaffirmed their commitment to cooperate to eliminate forced labor from global supply chains, as called upon in the labor and businesses stakeholders’ May 2023 joint recommendations, and they expressed the intention to continue technical dialogue to exchange information, as well as share best practices regarding the implementation of their forced labor policies, including with regard to research and risk assessment.

C. Trade, Security, and Economic Prosperity

Trade for Economic Security

Strengthening our economic security is a fundamental pillar of the transatlantic partnership. The TTC has helped provide a better understanding of our respective approaches to economic security. We intend to continue cooperation under the TTC to address common challenges using relevant trade and technology tools, bilaterally and in relevant fora, including the G7 and the World Trade Organization. We reaffirm shared concerns about the challenges posed to our economic security by, among other issues, economic coercion, the weaponization of economic dependencies, and the use of non-market policies and practices by third countries. We share the objective of continuing efforts to de-risk and diversify our trade and investment relations, including by reducing critical and excessive dependencies and strengthening the resilience of strategic supply chains.

Cooperation on Export Controls and Sanction-Related Export Restrictions

We continue to recognise the important role played by the TTC in supporting the European Union, the United States, and other international partners in their unprecedented cooperation on measures against Russia and Belarus. Such cooperation has helped bring about a continuous alignment of our regulations and a consistent application of export restrictions targeting Russia and Belarus through, for example, regular exchanges of information about authorisation and denial decisions. It has also supported coordination to counter the circumvention of our measures, such as through the creation and update of a common list of high priority items (CHP) and our outreach to industry.

We will continue to work to further align U.S. and EU priorities on Russian export restrictions and coordinated international messaging on those priorities to combat circumvention and improve efficiency and effectiveness of domestic controls. As regards the implementation of export restrictions against Russia, both sides welcome the setting up of the platform for the exchange of licensing information and plan to continue to exchange information on outreach activities, including to third countries and industry.

Both sides have also decided to continue work on facilitating secure high-technology trade and reducing administrative burdens in areas covered by export controls by developing a common understanding of respective rules and mapping out measures that would help streamline this trade, while maintaining a well-functioning and effective export control regime. For example, the United States has expanded licencing exceptions to EU Member States.

We welcome the impulse the TTC has given to coordinated action by the United States and the European Union in reaching out to other countries and supporting them in strengthening their export controls, for example, through the provision of secure software for the processing of licenses.

Investment Screening

We reiterate the importance of having effective foreign direct investment (FDI) screening mechanisms in place aimed at addressing national security risks in the United States and addressing threats to security and public order in the European Union. We welcome the progress in this regard and will continue to support the development and implementation of these mechanisms, while promoting an open and attractive investment environment.

We have carried out joint work to identify certain best practices on foreign direct investment screening with the intention to eventually bring these to the attention of screening authorities and stakeholders more broadly. We will soon launch of a joint repository that will provide additional resources to U.S. and EU Member State investment screening professionals. We have deepened our cooperation on investment screening through hosting a public stakeholder event and conducting outreach to like-minded partners in the Western Balkans to support their development of effective FDI screening mechanisms and intend to continue such outreach in 2024.

We will continue our cooperation on investment screening through technical exchanges, including on investment trends impacting security risks related to specific sensitive technologies to provide a better understanding of similarities and differences in approach.

Outbound Investment Security

We recognize the importance of investment, innovation, and open economies. At the same time, we are also attentive to concerns regarding potential security threats and risks to international peace and security that may arise from certain outbound investments in a narrow set of critical technologies. Against this background, the United States and the European Union will continue to exchange information on the security risks, risk analyses, and on our respective approaches around this issue, and how to address this new challenge.

Addressing Non-Market Policies and Practices

The United States and the European Union remain concerned about the persistent use of other countries’ non-market policies and practices and the challenge they pose both to our workers and businesses and to other third-country markets. We continue to exchange on the risks that non-market policies and practices, including non-market excess capacity, pose in certain sectors and to engage with partners where appropriate.

We engaged with other countries who share our concerns about China’s non-market policies and practices in the medical devices sector, and conveyed these concerns directly to China. The United States and the European Union will continue to monitor developments in the medical devices sector.

D. Defending Human Rights and Values in a Changing Geopolitical Digital Environment

Protecting Information Integrity in a Pivotal Year for Democratic Resilience

The United States and the European Union reiterate our unwavering commitment to support democracies across the world. We are determined to defend human rights and will continue to call out authoritarianism. In a year marked by democratic elections around the world, we call upon all actors including governments, industry, journalists, human rights defenders, and civil society to protect and defend information integrity both online and offline.

We express our strong support for the role of free, pluralistic, and independent media in protecting information integrity. Independent media should serve as a public watchdog and a key pillar of democracy, as well as an important and dynamic part of our economy. We recognize its indispensable role informing public opinion, fact-checking, and holding those in power accountable.

We are witnessing rapid technological advancements which provide opportunities to enhance information integrity but also create new risks. The United States and the European Union share the concern that malign use of AI applications, such as the creation of harmful “deepfakes,” poses new risks, including to further the spread and targeting of foreign information manipulation and interference (FIMI). We call upon technology companies and online platforms to uphold information integrity, including in the run-up to elections across the world.

In the European Union, the Digital Services Act (DSA) requires designated very large online platforms and search engines to assess and mitigate societal risks emanating from their services, including negative effects on civic discourse and electoral processes and recommends specific measures, including on generative AI content.

 Cooperation on Online Platforms

The United States and the European Union reaffirm their view that online platforms should exercise greater responsibility in ensuring that their services contribute to an online environment that protects, empowers, and respects their users. We reiterate that online platforms should take appropriate actions to address the impact of their services on the mental health and development of children and youth.

The United States and the European Union also reaffirm that urgent action is needed to address technology-facilitated gender-based violence, which disproportionately impacts women and girls, who often experience multiple and intersecting discriminations and oppressions. We developed a set of joint principles on combatting gender-based violence on online platforms that complement further the joint high-level principles on the protection and empowerment of children and youth and facilitation of data access from online platforms for independent research, which were released at the fourth TTC ministerial meeting. 

In addition to releasing these principles, we are also publishing a status report on mechanisms for researcher access to online platform data, which builds upon efforts undertaken by the academic and research community. The aim of this work is to disseminate information about the new and improved possibilities now available to study and understand systemic risks related to online platforms. We call on online platforms to expand and improve access for researchers, particularly on societal risks.

To deepen this work, in the margins of this Ministerial Meeting, we organized a joint workshop on access to platform data and using this data to combat technology-facilitated gender-based violence. We invited, and continue to encourage, the research community to analyse these data access mechanisms, and to explore how they can contribute to a better understanding of the functioning of – and the potential risks emanating from online platforms with regard to areas such as the mental health and development of children and youth, and technology-facilitated gender-based violence.

We share the commitment to the highest appropriate standards of protection in these areas for users in both the United States and the European Union.

Protecting Human Rights Defenders Online

The United States and the European Union recognise the key role human rights defenders (HRDs) play in defending human rights and fundamental freedoms, and we are committed to the protection of HRDs online and offline. We are working together to address human rights risks stemming from the misuse of digital technologies, including combatting internet shutdowns, unlawful surveillance, and the targeting of HRDs online. Elevating the critical role of HRDs and supporting and protecting them in doing their work safely is not only a shared foreign policy priority for the United States and the European Union, but an imperative for advancing human rights for all.

Following the commitment made at the fourth TTC ministerial meeting, we have published joint Recommended Actions for Online Platforms on Protecting Human Rights Defenders Online . This document sets out ten recommendations that online platforms can take globally to prevent, mitigate, and provide remedy for attacks against HRDs online.

These recommendations reflect commitments we made with global partners through the Declaration of the Future of the Internet and reflect key principles of U.S. and EU legislation, initiatives, and policies to safeguard human rights online. They were informed by extensive stakeholder consultations organized by the United States and the European Union from January 2023 to February 2024. The United States and the European Union intend to take further actions to address the needs of HRDs around the world. We will engage with all relevant stakeholders to promote the recommended actions and facilitate their implementation. We will also facilitate further exchanges and cooperation between the European Union- and United States-based emergency mechanisms on support strategies which seek to prevent, curb, mitigate, and eliminate online attacks, including the use of arbitrary and unlawful surveillance targeting HRDs.

Foreign Information Manipulation and Interference in Third Countries

The United States and the European Union consider foreign information manipulation and interference (FIMI) to be geopolitical and security challenges. We share the aim of addressing this threat and enhancing the resilience of democracies. Against this background, we have taken a number of actions to increase transatlantic cooperation to proactively address FIMI, including disinformation, while upholding human rights and fundamental freedoms. We will continue to work together to address FIMI through the TTC and other multi- and bilateral contexts.

We will continue to jointly use and further advance the common analytical methodology to identify, analyse and detect FIMI decided at the fourth TTC ministerial meeting. We are engaging with other international partners on a quarterly basis to familiarise them with this methodology. Expanding the network of partners familiar with this methodology will enhance our common understanding of the threat and allow us to jointly identify, analyse, and counter FIMI globally.

The European Union, the United States, and the Western Balkan partners share the same vision for an open, reliable, and secure Internet, as evidenced by their joint endorsement of the Declaration for the Future of the Internet. We will coordinate our efforts in order to support the Western Balkan partners by launching a coordination mechanism to address FIMI threats more effectively in the region. This is in line with the European Union’s and like-minded partners’ initiatives to increase their capabilities to further identify, assess, and counter FIMI. Our support will reduce third countries’, and in particular Russia’s and other actors’, including China’s, ability to effectively employ FIMI campaigns in the region. We will help our partners in the Western Balkans to develop capacity in five key action areas: the development of national strategies and policies, the creation of dedicated governance structures and institutions, increasing human and technical capabilities, protecting and supporting the role of independent media, academia, and civil society, and multilateral engagement.

Secure and Trusted Digital Infrastructure and Connectivity in Third Countries

The United States and the European Union reiterate the importance of and support for secure, trusted, and resilient digital connectivity and information and communication technology and services (ICTS) supply chains in third countries, provided by trusted suppliers.

We commend the decisions taken by partner countries towards trusted ICT ecosystems by ensuring high cybersecurity and resilience standards for connectivity solutions and networks, including by restricting or excluding high-risk suppliers from their national networks and using trusted vendors and services providers for maintenance and repair.

We will continue to reach out to partners across the world to understand the needs and challenges around securing digital infrastructure and explore how we can best collaborate to support the digitalisation goals of emerging economies. We continue to engage emerging economies through technical discussions and high-level roundtables to increase interest in secure digital connectivity. We also remain committed to continued exchanges with relevant industry actors such as mobile network operators and trusted equipment suppliers.

We are delivering on our commitments to support to secure and resilient connectivity projects in Costa Rica, Jamaica, Kenya, and the Philippines, including through mechanisms like the Global Gateway, the Partnership for Global Infrastructure and Investment, and technical exchanges, including third counties sharing experiences to accelerate secure connectivity in other parts of the region.

The United States and the European Union are supporting Tunisia’s goal of establishing secure digital connectivity and infrastructure by relying on trusted vendors through collaborative advocacy, technical assistance and by exploring financing, coordination, and policy alignment. This includes providing training programs to targeted Tunisian government agencies, IT professionals, and businesses, and promoting the development of cybersecurity standards and frameworks, in particular for 5G. The United States and the European Union are advancing discussions with relevant financial institutions for the mobilisation of support for secure digital connectivity infrastructure projects with trusted vendors.

We aim to continue our actions to support secure and resilient digital connectivity in third countries. Following the earlier signing of a memorandum of understanding between the European Investment Bank (EIB) and the U.S. International Development Finance Corporation (DFC), the United States and the European Union intend to augment their actions by furthering cooperation between the EU Member State and United States financing agencies. In 2023, the Export-Import Bank of the United States (EXIM) signed co-financing memorandums of understanding with the Swedish EKN and Finnish Finnvera respectively to facilitate joint support for export projects, and has enabled direct support to trusted suppliers from both sides.

We are committed to exploring options to act strategically, cooperatively, and efficiently to provide attractive incentives to partner countries to choose trusted suppliers for the development of their connectivity networks.

Secure and Resilient International Connectivity

The United States and the European Union recall the economic and geostrategic importance of cooperating on trust and security in the entirety of ICT infrastructure, including maintenance and repair. To this end, we continue to seek ways to advance cooperation on international connectivity with trustworthy, secure, and resilient networks. This could include trans-oceanic routes including through the Arctic and Pacific regions.

III. Building the Transatlantic Partnership Together with Stakeholders We remain committed to high levels of transparency and the close involvement of the transatlantic stakeholder community at large in the work of the TTC, including businesses, labor organisations, non-profit organisations, environmental constituencies, and academics.

We have therefore extensively reached out to stakeholders and given them the possibility to be involved and to provide input and receive feedback through the organisation of events, roundtables, and workshops and the establishment of dedicated websites like Futurium . With the support of the EU-financed Trade and Technology Dialogue, several high-level events have taken place and stakeholders have been consulted on topics such as sustainable trade, standardisation, AI, connectivity, and semiconductors.

In addition to these activities, we have also engaged with relevant stakeholders in more structured formats such as the Transatlantic Trade and Labor Dialogue, the Talent for Growth Task Force, and with small and medium-sized enterprises (SMEs) in a series of webinars on the topic of SME access to and use of digital tools.

Talent for Growth

The Talent for Growth Task Force, launched in April 2023 with a one-year mandate, has served both as a platform for best practices and a catalyst for innovative skills approaches that promote economic growth and create opportunities for workers in the technology sector. The Task Force brought together leaders from government, business, labor unions, and organisations that support training from the United States and the European Union. The Task Force identified, mapped, and disseminated implementable models and ideas in four critical areas: t raining workers to meet business needs, including women and underrepresented groups in technical jobs, Moving to a skills-first culture, and micro-credentials. The Task Force endorsed a statement featuring key messages stemming from these discussions.

The discussions in this group have confirmed the critical role talent plays for the sustainable growth of our economies and the well-being of our societies in an age of rapidly changing technology. It examined the acceleration of change brought about by AI. The Task Force has established bilateral relations between Task Force members which have catalysed private-sector initiatives and will last beyond the timeframe of the Task Force. The European and the United States remain dedicated to continuing to equip our workforces with the skills necessary to meet the needs created by rapidly changing technology, including AI.

Small and Medium-Sized Enterprises (SMEs)

The United States and the European Union recognise the use of digital tools as a key enabler for SMEs to innovate, grow, and compete and are continuing their work to promote the uptake of digital technologies by SMEs.

Several webinars and outreach activities where SMEs shared their needs and experience were held during the last two years. After an analysis of these stakeholder exchanges, we have developed a common set of recommendations for U.S. and EU policymakers to implement measures to help SMEs to accelerate access to these technologies.

The recommendations focus on the topics of digital-related trainings; transatlantic exchange programmes; information-sharing on cyber-security, intellectual property, and standards; and access to finance. To continue the work, we intend to develop an implementation process for these recommendations, including measures such as a webinar on access to finance and the publishing of cross-referenced U.S. and EU websites with practical information for SMEs. IV. Conclusion and Next Steps Since its inaugural meeting on 29 September 2021, the TTC has realized substantial progress and achievements across all workstreams. These results have enabled the United States and the European Union: to explore how to create new trade and investment opportunities, notably to contribute to the green transition; to advance our shared leadership in emerging technologies, such as 6G, quantum, and biotechnology so that democracies can remain at the vanguard of these developments; to provide a robust joint response to Russia’s war of aggression against Ukraine; to cooperate on economic security measures to reduce economic dependencies; to continue to develop a shared understanding of the non-market policies and practices and the risks they pose or our workers, businesses and markets globally; to jointly enhance supply chain resilience while promoting transparency and cooperation on our industrial policy approaches in key sectors, including semiconductors and clean energy; to exchange information on best practices in eliminating forced labor from our global supply chains; to advance and reinforce interoperability between AI governance frameworks based on our shared democratic values to achieve our common vision for safe, secure, and trustworthy AI globally ; to advance the resilience and security of our ICT infrastructures; and to finance and promote secure connectivity with trusted suppliers around the world.

These achievements demonstrate the enduring ties between the United States and the European Union and the importance of maintaining an operational forum for cooperation on strategic trade and technology issues of common interest and geopolitical relevance. As the United States and the European Union enter their respective electoral processes, the work we do under the TTC will remain relevant, strategic, and timely, while allowing for the necessary flexibility to adapt to changing circumstances.

Building on the lessons learned from our cooperation so far, we intend to use the remainder of 2024 to engage with U.S. and EU stakeholders to learn their views on the future of the TTC.

Stay Connected

We'll be in touch with the latest information on how President Biden and his administration are working for the American people, as well as ways you can get involved and help our country build back better.

Opt in to send and receive text messages from President Biden.