BCMS-FORM-08-2 ROAT Tool

Risk and Opportunity Assessment and Treatment Tool
BCMS-FORM-08-2

Implementation guidance
This Excel sheet must be removed from the final version of the document.

Design
This spreadsheet has been designed using CertiKit's colour scheme. To choose a different table colour scheme, click in
the table, select the Table Design menu tab and choose a different style. The same applies to the drop-down menu
"slicers" at the top of the screen. Click in one slicer, then hold down the Shift key and click on the rest, one by one. This
will select them all. Then click on the Slicer menu tab and choose a different style. You can also create your own table
and slicer styles using your own colour scheme to reflect your organization's branding.

Purpose of this document
This document should be used to perform a risk assessment, including assessing the expected effects of treatments.

Areas of the standard addressed
The following areas of the ISO22301 standard are addressed:
6. Planning
6.1 Actions to address risks and opportunities
6.1.1 Determining risks and opportunities
6.1.2 Addressing risks and opportunities
8. Operation
8.2 Business impact analysis and risk assessment
8.2.3 Risk assessment

12/13/2024 Page 1 of 12
General guidance
The key objective of the risk assessment is to ensure that all of the serious risks that need treatment are identified, so
that something can be done about them. Be careful not to make your risk assessment too large or complicated: much
of the impact will be lost and it will be difficult to repeat at a later date. This workbook is also intended to be used to
assess the effects of the proposed treatments. Those risks that have been treated but still retain an unacceptable level of
residual risk may be good candidates for business continuity plans.

The ISO22301 standard requires that opportunities are considered as well as risks. Opportunities are effectively "good
risks" which, if they happen, are likely to have a positive effect on the BCMS. Examples of opportunities could include
an increase in funding for business continuity, legislation that mandates suppliers to improve their business continuity
controls or an improvement in technology that makes specific controls more effective (e.g. better backups, higher
reliability or improved monitoring).

This tool may be used to assess the risks and opportunities for the BCMS itself (as required in section 6.1 of the
ISO22301 standard), and the risks relating to the disruption of business activities (as required in section 8.2.3 of the
ISO22301 standard).

Note that supporting tabs may be hidden. These tabs contain data and reference tables and will need to be unhidden if
you wish to make any changes. Right click on any tab and select "Unhide".

Review frequency
It is a good idea to revisit this assessment on a regular basis and to ensure that new risks and opportunities are
identified and assessed.

Toolkit version number
ISO22301 Toolkit Version 6

Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is
©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number
6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download
from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation
licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant
purchase order. The standard licence terms include special terms relating to any third party copyright included in this
document.

Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended
to be used as a starting point only from which you will create your own document and to which you will apply all
reasonable quality checks before use.

Therefore please note that it is your responsibility to ensure that the content of any document you create that is based
on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should
take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document
templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly
excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document
templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result
of misstatements, errors and omissions in their contents.

Risk and Opportunity Assessment and Treatment Tool
BCMS-FORM-08-2

Assessment Details

Assessment Title [Short, descriptive title]

Assessment Scope [Describe the scope of the assessment - for example, location, process, assets]

Context of Assessment [Describe the general environment in which the assessment is carried out and
internal and external factors affecting it]
Risk Acceptance Criteria [Set out the factors which will make a risk acceptable and therefore not
require treatment]
Version [Start at Version 1]

Dated [Date the assessment was carried out]

Assessors [Name and title of person(s) carrying out the assessment]

Assessment Participants [Names and titles of people contributing to the assessment]

Approval [Name and title of approver]

Date Approved [Date the assessment was approved]

Business Continuity Risk Assessment and Treatment Tool
Start with the risks that are felt to have the highest likelihood and impact combination.
To refresh chart data on the risk dashboard, click on “Refresh All” on the Data ribbon.

The register has 20 blank rows (Ref 1 to 20) with the following columns, grouped under four headings:

RISK DESCRIPTION
  Ref; Risk Summary; Risk Description; Risk Owner; Existing Controls

PRE-TREATMENT ASSESSMENT
  Likelihood (Select…); Likelihood Rationale; Impact (Select…); Impact Rationale; Risk Score (Calculated); Risk Level (Calculated)

TREATMENT PLAN
  Treatment Option Chosen (Select…); Proposed Treatment Action; Treatment Cost; Treatment Action Owner; Treatment Action Timescale

POST-TREATMENT ASSESSMENT
  Post-Treatment Likelihood (Select…); Post-Treatment Likelihood Rationale; Post-Treatment Impact (Select…); Post-Treatment Impact Rationale; Post-Treatment Risk Score (Calculated); Post-Treatment Risk Level (Calculated)

Comments

Columns marked "Select…" are drop-down lists; columns marked "Calculated" are derived from the likelihood and impact ratings and should not be typed over.

Opportunity Assessment and Action Planning Tool
This is an assessment of the opportunities that may occur and what could be done to capitalize on them. Opportunities are uncertainties that are likely
to have a positive effect (unlike risks, which are likely to have a negative effect).

To refresh chart data on the risk dashboard, click on “Refresh All” on the Data ribbon.

The opportunity register has blank rows (Ref 1 to 3) with the following columns:

  Ref; Opp Summary; Opp Description; Opp Type (Select…); Opp Owner; Likelihood (Select…); Likelihood Rationale; Impact (Select…); Impact Rationale; Opp Score (Calculated); Opp Level (Calculated); Action; Action Owner; Action Timescale; Comments

Business Continuity risk assessment and opportunity dashboard
To refresh chart data on the risk dashboard, click on "Refresh All" on the Data ribbon.

Pre-treatment assessment
Charts: Number of pre-treatment risks (Low / Medium / High); Pre-treatment risk levels by risk owner.

Post-treatment assessment
Charts: Number of post-treatment risks (Low / Medium / High); Number of risks by risk level pre and post treatment.

Classification of risk and opportunity level
The chart below shows the rating scheme used to determine risk and opportunity level based on a combination of likelihood and impact.

LIKELIHOOD: What are the chances of the risk/opportunity event happening?
IMPACT: How major could the consequences be if the risk/opportunity event happened?

Each cell gives the score (likelihood x impact) and the resulting level:

                                       IMPACT
Likelihood               Insignificant   Minor       Significant   Major       Severe
                         1               2           3             4           5
Almost certain    5      5  Medium       10 Medium   15 High       20 High     25 High
Likely            4      4  Low          8  Medium   12 High       16 High     20 High
Moderate          3      3  Low          6  Medium   9  Medium     12 High     15 High
Unlikely          2      2  Low          4  Low      6  Medium     8  Medium   10 Medium
Rare              1      1  Low          2  Low      3  Low        4  Low      5  Medium

Risk profile diagram
The charts below show the spread of risk severities before and after risk treatment: a pre-treatment and a post-treatment grid of risk likelihood (1 to 5) against risk impact (1 to 5), each cell holding the count of risks at that combination. In the blank template every cell is 0.

Treatment plan
Charts: Risks by treatment option chosen; Total treatment cost by risk level; Treatment action owner.

Opportunity assessment
Charts: Opportunities by level; Opportunities by level and type; Opportunity levels by opportunity owner; Opportunity action owner.
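The workbook's Risk Score and Risk Level columns are marked "Calculated" but the formulas are not shown on the page. As an added illustration, not part of the CertiKit workbook, the Python below reproduces that calculation from the classification matrix above: the score is likelihood times impact, and reading the matrix row by row gives three bands (scores 1 to 4 are Low, 5 to 10 are Medium, 12 and above are High; 11 cannot occur as a product of two ratings in 1 to 5). The code checks that those bands reproduce all 25 printed cells, then applies them to a constructed sample register to produce the dashboard's pre- and post-treatment level counts and to list the risks whose residual level still exceeds a stated acceptance criterion, which the general guidance identifies as candidates for business continuity plans. The register entries and the acceptance criterion are constructed assumptions for the example.

```python
"""Risk scoring as the BCMS-FORM-08-2 'Calculated' columns perform it.

Added example, not part of the CertiKit workbook. MATRIX_LEVELS is transcribed
from the classification matrix on the dashboard; the register rows below are
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Level bands implied by the 5x5 matrix: scores 1-4 are Low, 5-10 Medium,
# 12-25 High. A score of 11 cannot arise from two integer ratings in 1..5.
LOW_MAX = 4
MEDIUM_MAX = 10

# The matrix exactly as printed: key = likelihood, list index = impact - 1.
MATRIX_LEVELS = {
    5: ["Medium", "Medium", "High", "High", "High"],
    4: ["Low", "Medium", "High", "High", "High"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    2: ["Low", "Low", "Medium", "Medium", "Medium"],
    1: ["Low", "Low", "Low", "Low", "Medium"],
}

LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score column: likelihood x impact, both rated 1..5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Risk Level column: band the score the way the matrix does."""
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


def matrix_matches_bands() -> bool:
    """Confirm the two thresholds reproduce every cell of the printed matrix."""
    return all(
        risk_level(risk_score(lk, im)) == MATRIX_LEVELS[lk][im - 1]
        for lk in range(1, 6)
        for im in range(1, 6)
    )


@dataclass
class RiskRow:
    """One register row: pre-treatment and post-treatment ratings."""
    ref: int
    summary: str
    likelihood: int
    impact: int
    post_likelihood: int
    post_impact: int

    def pre_level(self) -> str:
        return risk_level(risk_score(self.likelihood, self.impact))

    def post_level(self) -> str:
        return risk_level(risk_score(self.post_likelihood, self.post_impact))


# Constructed sample register; the ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskRow(1, "Malicious code blocks access to customer data", 4, 5, 2, 4),
    RiskRow(2, "Loss of key personnel through extended sickness", 3, 3, 2, 3),
    RiskRow(3, "Severe weather closes the main office", 2, 2, 1, 2),
    RiskRow(4, "Sub-station failure cuts power to the data centre", 3, 4, 3, 2),
]


def level_counts(rows, post: bool = False) -> dict:
    """Dashboard chart 'Number of risks by risk level pre and post treatment'."""
    counts = Counter(r.post_level() if post else r.pre_level() for r in rows)
    return {lvl: counts.get(lvl, 0) for lvl in ("Low", "Medium", "High")}


def bcp_candidates(rows, acceptable_up_to: str = "Low") -> list:
    """Refs whose residual (post-treatment) level exceeds the acceptance criterion."""
    limit = LEVEL_ORDER[acceptable_up_to]
    return [r.ref for r in rows if LEVEL_ORDER[r.post_level()] > limit]


if __name__ == "__main__":
    print("matrix consistent with bands:", matrix_matches_bands())
    for r in SAMPLE_REGISTER:
        print(r.ref, r.summary, risk_score(r.likelihood, r.impact), r.pre_level(),
              "->", risk_score(r.post_likelihood, r.post_impact), r.post_level())
    print("pre-treatment:", level_counts(SAMPLE_REGISTER))
    print("post-treatment:", level_counts(SAMPLE_REGISTER, post=True))
    print("BCP candidates (only Low acceptable):", bcp_candidates(SAMPLE_REGISTER))
```

Because the opportunity register uses the same "Classification of risk and opportunity level" scheme, the same functions serve the Opp Score and Opp Level columns unchanged. The acceptance criterion passed to bcp_candidates is the code's stand-in for the "Risk Acceptance Criteria" field on the Assessment Details page.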
Risk Assessment - Example Threats
The following is a standard list of typical threats that may be used as guidance for your risk assessment.

THREAT CATEGORY   THREAT                   EXAMPLE
Human             Malicious outsider       Someone launches a denial of service attack on your cloud service platform
Human             Malicious insider        An employee or trusted third party accesses information in an unauthorised manner from inside your network
Human             Loss of key personnel    One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
Human             Human error              An employee accidentally deletes customer data
Human             Accidental loss          A manager loses a memory stick with customer bank details on it
Natural           Fire                     Your data centre burns down due to an electrical fault
Natural           Flood                    The nearby river breaks its banks and your main office is severely flooded
Natural           Severe weather           No-one can get into the office due to the weather
Natural           Earthquake               The area of your main data centre is affected by an earth tremor that damages all your servers
Natural           Lightning                All your servers are fried by a lightning strike on the data centre building
Natural           Infection                A new strain of virus results in widespread lockdown of people's movements
Technical         Hardware failure         A key physical server has a processor failure
Technical         Software failure         Your financial system processes invoices incorrectly due to a bug
Technical         Virus/Malicious code     A virus spreads throughout your network preventing access to your (and your customers') data
Physical          Sabotage                 A disgruntled ex-employee takes an axe to your server room
Physical          Theft                    You come in on Monday morning to find some important drives have been stolen
Physical          Arson                    Someone with a grudge against your organization starts a fire during the night
Environmental     Hazardous waste          A lorry carrying hazardous waste has an accident outside your office
Environmental     Power failure            The sub-station supplying your area has a meltdown
Environmental     Gas supply failure       There is a suspected leak and all supplies are turned off
Operational       Process error            Your new data transfer procedure doesn't cater for unexpected circumstances and PII is lost or sent to the wrong destination
Operational       Crime scene              A crime happens in or near your office and the area is sealed off by police
Risk or Opportunity Likelihood
This table should be used to decide upon the most appropriate likelihood for a particular risk or opportunity.

LIKELIHOOD   DESCRIPTION      SUMMARY
1            Improbable       Has never happened before and there is no reason to think it is any more likely now
2            Unlikely         There is a possibility that it could happen, but it probably won't
3            Likely           On balance, the risk is more likely to happen than not
4            Very Likely      It would be a surprise if the risk did not occur, either based on past frequency or current circumstances
5            Almost certain   Either already happens regularly or there is some reason to believe it is virtually imminent

Risk Impact
This table should be used as guidance to help to decide upon the correct impact rating for a particular risk. For each impact rating, the impact areas are listed in this order: general description; impact on product or service quality; impact on financial viability; impact on staff or public well-being; damage to reputation; impact of breaching legal or regulatory requirements; environmental damage.

1 - Negligible
  General description: No effect
  Product or service quality: Very little or none
  Financial viability: Very small additional risk
  Staff or public well-being: No adverse comment
  Reputation: No implications
  Legal or regulatory: Negligible
  Environmental damage: Negligible

2 - Slight
  General description: Some local disturbance to normal business operations
  Product or service quality: Some
  Financial viability: Within acceptable limits
  Staff or public well-being: Localised discontent
  Reputation: Small risk of not meeting compliance
  Legal or regulatory: Small risk of not meeting compliance
  Environmental damage: Small, very local impact that can be managed and corrected

3 - Moderate
  General description: Can still deliver product/service with some difficulty
  Product or service quality: Unwelcome but could be borne
  Financial viability: Elevated risk requiring immediate attention
  Staff or public well-being: Some internal and external criticism
  Reputation: In definite danger of operating illegally
  Legal or regulatory: In definite danger of operating illegally
  Environmental damage: Impact restricted geographically and can be corrected quickly

4 - High
  General description: Business is crippled in key areas
  Product or service quality: Severe effect on income and/or profit
  Financial viability: Significant danger to life
  Staff or public well-being: A severe test of customer loyalty
  Reputation: Operating illegally in some areas
  Legal or regulatory: Operating illegally in some areas
  Environmental damage: Geographically wide impact area with a degree of clean-up possible over time

5 - Very High
  General description: Out of business; no service to customers
  Product or service quality: Crippling; the organization will go out of business
  Financial viability: Real or strong potential loss of life
  Staff or public well-being: Trust in organization is irreparably damaged
  Reputation: Severe fines and possible imprisonment of staff
  Legal or regulatory: Severe fines and possible imprisonment of staff
  Environmental damage: Catastrophic impact affecting the environment badly over a wide area

Opportunity Impact
This table should be used as guidance to help to decide upon the correct impact rating for a particular opportunity. For each impact rating, the example impact areas are listed in this order: general description; impact on product or service quality; impact on financial performance; impact on staff or public well-being; impact on reputation; impact on compliance with legal or regulatory requirements; environmental impact.

1 - Negligible
  General description: No effect
  Product or service quality: Very little or none
  Financial performance: Very small additional benefit
  Staff or public well-being: No positive comment
  Reputation: No implications
  Legal or regulatory compliance: Negligible
  Environmental impact: Negligible

2 - Slight
  General description: Some local improvement to normal business operations
  Product or service quality: Small increase in revenue or profitability
  Financial performance: Minor benefit to a few individuals
  Staff or public well-being: Localised improvement on a small scale
  Reputation: Small improvement in meeting compliance requirements
  Legal or regulatory compliance: Small improvement in meeting compliance requirements
  Environmental impact: Small, very local positive impact

3 - Moderate
  General description: Temporary significant improvement or fair permanent change
  Product or service quality: Reasonable increase in profit, revenue or other business metric
  Financial performance: Good improvement across a limited audience
  Staff or public well-being: Some internal and external praise and positive attention
  Reputation: Compliance is improved across a number of areas
  Legal or regulatory compliance: Compliance is improved across a number of areas
  Environmental impact: Positive impact restricted geographically

4 - High
  General description: Product or service performance is significantly boosted in key areas
  Product or service quality: Very significant increase in profit or business performance
  Financial performance: Major improvement to health and quality of life to a wide audience
  Staff or public well-being: Major reputational improvement
  Reputation: Level of compliance becomes very significant and/or more easily attained
  Legal or regulatory compliance: Level of compliance becomes very significant and/or more easily attained
  Environmental impact: Geographically wide impact area with permanent improvement over time

5 - Very High
  General description: Huge improvement in existing or new products or services
  Product or service quality: Complete transformation in business performance on a permanent basis
  Financial performance: Transformation of health and quality of life for a very large group of people
  Staff or public well-being: The organization is seen as an industry leader in its sector
  Reputation: Very large change in compliance levels with significant benefits
  Legal or regulatory compliance: Very large change in compliance levels with significant benefits
  Environmental impact: Huge benefit to the environment on a wide scale