Improve Your Risk Evaluation and Control tip #9 – final ranking

Remember that the purpose of risk evaluation and control is to allow the organization to focus on high-probability and high-impact events to identify where controls, mitigations or management processes are non-existent, weak or ineffective. Therefore, the top risks should influence risk management policy. The length of the list should be influenced by your company’s size, its risk appetite and the maturity of your business continuity management program. Your first key risk list may contain only three to five key risks. A risk-averse large federal department might have a list of 50 key risks.

Tip #9 Give senior management final risk ranking approval

It is best to provide your senior management with a quick presentation of the key risks before submitting the final evaluation.  Senior management may disagree with your evaluation or have additional “big picture” information to add. This can also prepare them for risk control recommendations that will appear in the final report.

Your risk assessment report to senior management should include the methodology, the risk chart, a list of your organization’s top risks (within the scope of your assessment), and any recommendations for loss control measures, including your cost-benefit analysis of these measures.

Return tomorrow for our final tip on risk evaluation and control…

(For more information on DRI’s professional practices, please read Professional Practice One – Program Initiation and Management, DRII Professional Practices, June 1, 2012, Version 1.)

