Threat Matrix

If the COVID pandemic taught businesses anything, it is that threats to a business can come from anywhere, have significant impact and last a long time. Companies use risk assessments to evaluate potential threats to their business – companies should ask which threats are likely to occur and how they impact their organization. It is important to understand and prioritize threats before risk mitigation.

The Cincinnati Insurance Companies' Loss Control department has provided a list of weather-related and nonweather-related potential threats that could impact your organization. Before writing your Business Continuity Plan, it is critical to understand your business threats. Complete your risk assessment by using the matrix below to rank your threats. By identifying the highest threats you can then begin evaluating your controls.

Each threat has three elements (Likelihood, Duration, Magnitude), each having three options (Low, Medium, High) to select from with a designated threat score. The higher the threat score – the greater the threat impacts your business operations. The lower the threat score – the less of an impact on your business operations.

Once you complete the threat matrix, click the Print button to obtain a paper copy. Although we cannot offer individual Business Continuity Plans, we can provide free guidance on business continuity planning and understanding of the impact of threats. Please click the Submit button if you require assistance. This tool is for your business use, and we do not retain your threat matrix results unless you click the Submit button.

Business Continuity Threat Matrix: Evaluate and manage potential threats to ensure business continuity.
ThreatLikelihoodDurationMagnitudeThreat Score
Adjacent Risks (Railroad, Chemical Plant, Prison, Bodies of Water)

Adjacent risks are located outside your property lines and could expose your facility to loss:

  • chemical plants
  • tanks
  • railroads
  • prison
  • bodies of water
Bomb ThreatTypically bomb threats are phone-in threats where the caller states a bomb has been placed somewhere on your property. These must be taken seriously. There needs to be a written procedure for obtaining as much information from the caller as possible so it can be reported to law enforcement.
Chemical SpillsThere are different kinds of chemical materials - some are acidic, caustic or lethal. Regardless of size, take all chemical spills seriously with a formal, written chemical spill response procedure.
Communicable Disease/Pandemic

Maintaining a written response procedure to protect:

  • personnel
  • personal protective equipment
  • adequate food and water supplies
  • alternative suppliers
  • transportation
Cyber Risk-Information Technology DisruptionThis is a key corporate exposure which is growing. Your business should engage an IT consultant if you do not employ someone in that capacity. Put procedures in place so that employees experienced in information technology can assess and report cyber risks to management. Maintain business and production operations on separate and distinct servers. Establish IT controls to prevent penetration of IT systems and create backup procedures. In the event of penetration, implement your formal response plan.
DroughtDrought refers to inadequate water supply for potable and production uses. If the location is in a known drought area, prepare for alternative water sources.
Earth Movement (Landslide, Mudslide and/or Earthquake)Assess exposure to areas known for earthquakes, mud slides or landslides. Store heavy and important inventory at lower levels to prevent damage from falling. Identify alternative locations for future use. Have a system in place for facility occupant notification and emergency evacuation procedures.
Electrical System/Power OutagePut procedures in place for backup power supplies. Obtain a pre-signed contract for delivery of an emergency portable generator. If you have a generator, maintain it, and have adequate fuel supply onsite. Know where you will obtain additional fuel supplies. For a large facility or one with critical power needs, have two separate electrical lines servicing the facility.
Electromagnetic Frequency DisturbanceEMF is produced by all kinds of products, including cell towers, transmission lines, cell phones and computer peripherals. If your facility and/or operations are vulnerable to damage from EMF, consult electrical experts who may help reduce this exposure by installing EMF filtering devices, as well as creating procedures for additional exposure reduction.
Facilities with Childcare/Athletic Facilities/Medical FacilitiesThese kinds of operations present additional and unique exposures to businesses and require additional, formal controls to protect personnel, users and visitors.
Facility SecurityComplete a facility security assessment to ensure there are adequate and working controls to reduce as much as practicable exposure to employees, contractors, and visitors as well as the contents of the facility. Vary these controls with the sensitivity of your operations and contents too.
FireEnsure the facility has adequate fire protection in terms of construction, systems and water supply to control a fire situation to preserve your future operations.
Governmental Regulations/RequirementsSomeone within the facility is charged with ensuring the firm follows governmental regulations/requirements and compliance regulations are formally documented.
Heating System/Heating Ventilation Air Conditioning OutageEnsure that a preventative maintenance plan for maintaining, repairing and updating HVAC Systems and formal service contracts, including emergency responses, are in place.
HurricaneBusinesses in a hurricane-prone area with a formal, written emergency plan are better prepared to respond to a hurricane during and after the event.
Imported ProductsPerform due diligence for foreign suppliers. An attorney with knowledge of the foreign jurisdiction reviews written contracts. In the event of supplier disruption, there are alternative suppliers in place and a formal plan.
Inadequate Fire ProtectionFor inadequate fire protection, control ignition sources and improve fire protection. Ensure the local fire department is aware of the inadequate fire protection.
Industrial EspionageIndustrial espionage experts can assess and develop control plans for threats of competitors investigating your company to steal company secrets.
Labor DisputesThere is a formal plan to protect employees, contractors and visitors in the event of a labor dispute. This includes security controls to protect the facility, and their vehicles.
Lack of Business Continuity PlanA formal business continuity plan helps to ensure business operations continue when faced with a threat. Completing the Business Continuity Threat Matrix and placing controls where needed is the first step to writing your business continuity plan.
Lack of LiquidityIn the event of an emergency, be sure to have adequate liquid assets available.
Lack of Succession PlansSuccession plans help to ensure uninterrupted operations when individual employees leave the company. For key positions, an unplanned interruption could result in harm to the company.
Officer Kidnap/RansomFor key business executives, create a plan to prevent and respond to kidnap and ransom. Business executives vary their daily schedules, including the routes taken to their workplace. Business and home security controls, including access controls, lighting and cameras are in place. Contact a kidnap and ransom security expert who can provide expert information to prevent and to respond.
ProtestsHave adequate controls to protect employees, contractors, visitors and your physical facility in the event of a protest.
Riots and Civil DisorderImplement controls to prevent window breakage and access to the facility; protect employees, contractors and visitors and put controls in place for offsite emergency operations.
Snow/Blizzard/Ice StormHave pre-signed contracts with snow and ice removal companies, including when to respond to remove snow and ice in parking lots and on sidewalks. Establish emergency procedures to safely evacuate employees, contractors, and visitors as well as to shut down the facility if needed.
Special Events SponsorshipThoroughly evaluate event controls to protect visitors and the public to reduce your company’s liability exposure any time you agree to sponsor an event.
Supply Chain DisruptionKnow what to do if there are disruptions to supply chains. Have backup suppliers, including sole source suppliers and backup suppliers. For critical components, maintain a readily accessible and adequate inventory.
Telecommunications Infrastructure FailureConsider a backup communication system to use in the event of a telecommunications infrastructure failure such as loss of a cell tower or underground cable.
TerrorismEnsure there are adequate security controls to protect employees, contractors and visitors. Dependent upon the kinds of operations, specialized controls may be needed.
ThunderstormsEnsure your roof covering is maintained and any roof equipment is secured, your electrical communication and security systems are protected from lightning and the facility is equipped with lightning arrestors.
TornadoTornados provide little warning. If you are located in a tornado prone area, have controls in place to protect employees, contractors and visitors.
VandalismVerify that you have adequate lighting and other security controls to reduce the risk of vandalism.
Water Main Break and Cross-ContaminationHave supplies to prevent water from entering your facility when a significant water main crosses your property. Know who to call to respond to the broken main. Your emergency plan includes procedures for safely shutting down operations dependent on water and a backup supply. Know where you would obtain drinking water. Cross-contamination is a serious potential exposure because it could result in illness and production interruption. When you discover a cross connection of potential drinkable water, your must notify occupants immediately not to consume water from the crossed source.
WildfireHave emergency plans to protect employees, contractors and visitors if your facility is in a wildfire area. In addition, pre-plan to protect the physical facility, which could include contracting with experts to remove brush around the facility.
Workplace Violence/Criminal ActsHaving a formal, written zero tolerance policy can help to reduce the risk of workplace violence. Enforcing a no weapons policy can also help to deter violence. Depending upon your operations, you may have metal detection at key access points. Overall security controls including, lighting, cameras, access control and security systems can help to prevent criminal acts.

Please rotate your device to landscape mode to view our risk assessment tool.