Risk Assessments Come First – ChatGPT AI Generated with Prompt by Keith Erwood

Risk Assessments Come First: A Disciplined, Proven Approach Leaders Can Trust

There is an ongoing debate in the risk and resilience community about how risk assessments should be conducted. That debate is not academic. It directly affects how organizations prioritize threats, allocate resources, and prepare for disruption.

From an emergency management and operational preparedness perspective, one principle remains clear:

You cannot assess impact meaningfully until you first understand the risks you face.

Risk assessment is the foundation. Everything else builds on it. Risk assessments come first.

What a Risk Assessment Is and What It Is Not

A Risk Assessment (RA) is a high-level, structured evaluation of the risks an organization faces, based on two primary dimensions:

Likelihood of occurrence

Impact if the risk occurs

This is not the same as a Business Impact Analysis (BIA), and the distinction matters.

A risk assessment answers:

What threats are relevant to this organization?

How likely are they to occur?

How severe would the consequences be at a high level?

It provides situational awareness, not deep operational modeling.

Risk Comes First, By Design

In emergency management, military strategic planning, and civil defense disciplines, particularly those developed and refined through British and American systems before, during, and after World War II, risk identification and likelihood assessment precede impact analysis.

This approach reflects operational reality:

You cannot plan for every possible outcome

You must first understand which risks are credible

You must prioritize attention based on exposure, not speculation

This methodology has been tested across decades of real-world crises, not just theoretical frameworks.

How Impact Is Measured in a Proper Risk Assessment

In a disciplined risk assessment, impact is evaluated broadly but consistently across key organizational dimensions; it is not deeply modeled at this stage.

At Erwood Group, impact is assessed across:

People – safety, availability, leadership, and key personnel dependency

Property – facilities, physical assets

Process – operational workflows, service delivery

Technology – systems, data, infrastructure

Vendors – third-party dependencies

Overall Entity – reputation, financial stability, legal exposure

Each impact category is scored on a standardized scale (e.g., 1–5), allowing leadership to quickly understand where harm would be felt without prematurely overanalyzing.

A simplified representation looks like:

Risk Assessment Score = Likelihood + (People + Property + Process + Technology + Vendor + Entity) ÷ 6

This produces a clear, comparable risk profile across threats, which is exactly what leadership needs at this stage.
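The scoring formula above, applied to a small risk register and ranked, as an added example that is not part of the original article or Erwood Group's own tooling. It assumes likelihood uses the same 1–5 scale as the impact categories; the threat names, scores and function names are constructed for illustration.

```python
IMPACT_CATEGORIES = ("people", "property", "process",
                     "technology", "vendors", "entity")
SCALE_MIN, SCALE_MAX = 1, 5  # the page's example scale; assumed for likelihood too


def _check(name, value):
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")


def score_risk(likelihood, impacts):
    """Likelihood plus the mean of the six impact scores (the page's formula)."""
    if set(impacts) != set(IMPACT_CATEGORIES):
        raise ValueError(f"impacts must cover exactly {IMPACT_CATEGORIES}")
    _check("likelihood", likelihood)
    for category in IMPACT_CATEGORIES:
        _check(category, impacts[category])
    return likelihood + sum(impacts.values()) / len(IMPACT_CATEGORIES)


def dominant_categories(impacts):
    """Categories carrying the highest impact score: where harm would be felt."""
    worst = max(impacts.values())
    return [c for c in IMPACT_CATEGORIES if impacts[c] == worst]


def rank_register(register):
    """Return (threat, score, dominant categories) rows, highest score first."""
    rows = [(name, score_risk(lk, imp), dominant_categories(imp))
            for name, (lk, imp) in register.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample register: threat names and scores are illustrative only.
REGISTER = {
    "Regional flood": (2, dict(people=4, property=5, process=4,
                               technology=3, vendors=2, entity=3)),
    "Ransomware outage": (4, dict(people=2, property=1, process=5,
                                  technology=5, vendors=3, entity=4)),
    "Key vendor failure": (3, dict(people=1, property=1, process=4,
                                   technology=3, vendors=5, entity=3)),
}

if __name__ == "__main__":
    for threat, score, dominant in rank_register(REGISTER):
        print(f"{score:5.2f}  {threat:<20} highest impact: {', '.join(dominant)}")
```

Rejecting out-of-scale or missing category scores keeps every threat on the same footing, which is what makes the resulting ranking comparable.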

Where the Business Impact Analysis (BIA) Fits

This is where many frameworks blur lines and where confusion begins.

The Business Impact Analysis is not a substitute for a risk assessment.
It is a separate, deeper analysis conducted after risks are understood and prioritized.

The BIA answers different questions:

Which business functions are most critical?

How quickly must they be restored?

What are the financial, operational, and regulatory consequences over time?

What dependencies drive recovery complexity?

In other words:

RA = breadth

BIA = depth

Conflating the two weakens both.

Why This Methodology Sometimes Sparks Debate

There are alternative approaches to risk assessment that place impact analysis first or attempt to collapse RA and BIA into a single exercise. In practice, many of these approaches originate from academic or regional frameworks that emphasize theoretical modeling over operational execution.

These models are widely written about and frequently cited, which can introduce bias into published guidance.

By contrast, the methodology outlined here is:

Field-tested

Operationally grounded

Designed for decision-making under uncertainty

Proven across emergency management and military contexts

Debate is healthy. But outcomes matter more than consensus.

What Happens After the Risk Assessment

Once risks are identified, scored, and prioritized, risk management begins.

This is where the AART framework is applied:

Accept – acknowledge and monitor the risk

Avoid – eliminate the activity creating the risk

Retain – consciously carry the risk with safeguards

Transfer – shift financial exposure (insurance, contracts)

This step requires experience and judgment. It is not mechanical, and it should never be rushed during the assessment phase.

A Leadership Perspective to Consider

A proper risk assessment does not attempt to predict every consequence.
It provides leaders with clarity about exposure.

When done correctly, it:

Sharpens focus

Enables prioritization

Informs continuity and resilience planning

Prevents overreaction and underpreparation

Risk assessment is not where analysis ends.
It is where disciplined preparedness begins.

 

Ask yourself:

Do we clearly understand the risks we face?

Are they prioritized consistently?

Have we appropriately separated risk awareness from impact modeling?

If not, the foundation may need strengthening before deeper analysis begins.
