An effective impact assessment rests on two questions:
• What areas of your business are at risk when an incident occurs?
• How do you measure the impact?
Most organizations measure financial impact, yet the majority regard reputational impact as the more important of the two. Other areas to measure include operational impact and legal impact. If your organization is regulated, you may need to measure legal, policy, and regulatory impact as separate areas.
Impact areas reflect the nature of the organization and its value chain. Getting the impact assessment right goes a long way to setting the right priority, executing the right response, and achieving an effective outcome.
For each impact area, provide metrics or descriptions that differentiate the impact levels. Low, medium, and high are not enough on their own: without defined metrics, different people assign different meanings to those terms, and the same incident will be rated differently depending on who assesses it.
For example, metrics for the legal department may be represented by a simple decision tree:
• Low impact – No legal action expected; legal is not involved.
• Medium impact – Legal action unlikely, but legal is involved.
• High impact – Legal action likely; legal is involved.
Where possible, each impact level should also carry a cost figure. Cost metrics do not have to be precise from the start; they can be refined over time as incidents are assessed.