Threat Matrix

If the COVID pandemic taught businesses anything, it is that threats to a business can come from anywhere, have significant impact and last a long time.  Companies use risk assessments to evaluate potential threats to their business – companies should ask which threats are likely to occur and how they impact their organization. It is important to understand and prioritize threats before risk mitigation.

The Cincinnati Insurance Companies' Loss Control department has provided a list of weather-related and nonweather-related potential threats that could impact your organization. Before writing your Business Continuity Plan, it is critical to understand your business threats. Complete your risk assessment by using the matrix below to rank your threats. By identifying the highest threats you can then begin evaluating your controls.

Each threat has three elements ( Likelihood, Duration, Magnitude), each having three options (Low, Medium, High) to select from with a designated threat score.  The higher the threat score – the greater the threat impacts your business operations.  The lower the threat score – the less of an impact on your business operations.

Once you complete the threat matrix, click the Print button to obtain a paper copy. Although we cannot offer individual Business Continuity Plans, we can provide free guidance on business continuity planning and understanding of the impact of threats. Please click the Submit button if you require assistance. This tool is for your business use, and we do not retain your threat matrix results unless you click the Submit button.

ThreatLikelihoodDurationMagnitudeThreat Score
Adjacent Risks (Railroad, Chemical Plant, Prison, Bodies of Water)

Adjacent risks are located outside your property lines and could expose your facility to loss:

  • chemical plants
  • tanks
  • railroads
  • prison
  • bodies of water
Bomb Threat Typically bomb threats are phone-in threats where the caller states a bomb has been placed somewhere on your property. These must be taken seriously. There needs to be a written procedure for obtaining as much information from the caller as possible so it can be reported to law enforcement.
Chemical Spills There are different kinds of chemical materials - some are acidic, caustic or lethal. Regardless of size, take all chemical spills seriously with a formal, written chemical spill response procedure.
Communicable Disease/Pandemic

Maintaining a written response procedure to protect:

  • personnel
  • personal protective equipment
  • adequate food and water supplies
  • alternative suppliers
  • transportation
Cyber Risk-Information Technology Disruption This is a key corporate exposure which is growing. Your business should engage an IT consultant if you do not employ someone in that capacity. Put procedures in place so that employees experienced in information technology can assess and report cyber risks to management. Maintain business and production operations on separate and distinct servers. Establish IT controls to prevent penetration of IT systems and create backup procedures. In the event of penetration, implement your formal response plan.
Drought Drought refers to inadequate water supply for potable and production uses. If the location is in a known drought area, prepare for alternative water sources.
Earth Movement (Landslide, Mudslide and/or Earthquake) Assess exposure to areas known for earthquakes, mud slides or landslides. Store heavy and important inventory at lower levels to prevent damage from falling. Identify alternative locations for future use. Have a system in place for facility occupant notification and emergency evacuation procedures.
Electrical System/Power Outage Put procedures in place for backup power supplies. Obtain a pre-signed contract for delivery of an emergency portable generator. If you have a generator, maintain it, and have adequate fuel supply onsite. Know where you will obtain additional fuel supplies. For a large facility or one with critical power needs, have two separate electrical lines servicing the facility.
Electromagnetic Frequency Disturbance EMF is produced by all kinds of products, including cell towers, transmission lines, cell phones and computer peripherals. If your facility and/or operations are vulnerable to damage from EMF, consult electrical experts who may help reduce this exposure by installing EMF filtering devices, as well as creating procedures for additional exposure reduction.
Facilities with Childcare/Athletic Facilities/Medical Facilities These kinds of operations present additional and unique exposures to businesses and require additional, formal controls to protect personnel, users and visitors.
Facility Security Complete a facility security assessment to ensure there are adequate and working controls to reduce as much as practicable exposure to employees, contractors, and visitors as well as the contents of the facility. Vary these controls with the sensitivity of your operations and contents too.
Fire Ensure the facility has adequate fire protection in terms of construction, systems and water supply to control a fire situation to preserve your future operations.
Governmental Regulations/Requirements Someone within the facility is charged with ensuring the firm follows governmental regulations/requirements and compliance regulations are formally documented.
Heating System/Heating Ventilation Air Conditioning Outage Ensure that a preventative maintenance plan for maintaining, repairing and updating HVAC Systems and formal service contracts, including emergency responses, are in place.
Hurricane Businesses in a hurricane-prone area with a formal, written emergency plan are better prepared to respond to a hurricane during and after the event.
Imported Products Perform due diligence for foreign suppliers. An attorney with knowledge of the foreign jurisdiction reviews written contracts. In the event of supplier disruption, there are alternative suppliers in place and a formal plan.
Inadequate Fire Protection For inadequate fire protection, control ignition sources and improve fire protection. Ensure the local fire department is aware of the inadequate fire protection.
Industrial Espionage Industrial espionage experts can assess and develop control plans for threats of competitors investigating your company to steal company secrets.
Labor Disputes There is a formal plan to protect employees, contractors and visitors in the event of a labor dispute. This includes security controls to protect the facility, and their vehicles.
Lack of Business Continuity Plan A formal business continuity plan helps to ensure business operations continue when faced with a threat. Completing the Business Continuity Threat Matrix and placing controls where needed is the first step to writing your business continuity plan.
Lack of Liquidity In the event of an emergency, be sure to have adequate liquid assets available.
Lack of Succession Plans Succession plans help to ensure uninterrupted operations when individual employees leave the company. For key positions, an unplanned interruption could result in harm to the company.
Officer Kidnap/Ransom For key business executives, create a plan to prevent and respond to kidnap and ransom. Business executives vary their daily schedules, including the routes taken to their workplace. Business and home security controls, including access controls, lighting and cameras are in place. Contact a kidnap and ransom security expert who can provide expert information to prevent and to respond.
Protests Have adequate controls to protect employees, contractors, visitors and your physical facility in the event of a protest.
Riots and Civil Disorder Implement controls to prevent window breakage and access to the facility; protect employees, contractors and visitors and put controls in place for offsite emergency operations.
Snow/Blizzard/Ice Storm Have pre-signed contracts with snow and ice removal companies, including when to respond to remove snow and ice in parking lots and on sidewalks. Establish emergency procedures to safely evacuate employees, contractors, and visitors as well as to shut down the facility if needed.
Special Events Sponsorship Thoroughly evaluate event controls to protect visitors and the public to reduce your company’s liability exposure any time you agree to sponsor an event.
Supply Chain Disruption Know what to do if there are disruptions to supply chains. Have backup suppliers, including sole source suppliers and backup suppliers. For critical components, maintain a readily accessible and adequate inventory.
Telecommunications Infrastructure Failure Consider a backup communication system to use in the event of a telecommunications infrastructure failure such as loss of a cell tower or underground cable.
Terrorism Ensure there are adequate security controls to protect employees, contractors and visitors. Dependent upon the kinds of operations, specialized controls may be needed.
Thunderstorms Ensure your roof covering is maintained and any roof equipment is secured, your electrical communication and security systems are protected from lightning and the facility is equipped with lightning arrestors.
Tornado Tornados provide little warning. If you are located in a tornado prone area, have controls in place to protect employees, contractors and visitors.
Vandalism Verify that you have adequate lighting and other security controls to reduce the risk of vandalism.
Water Main Break and Cross-Contamination Have supplies to prevent water from entering your facility when a significant water main crosses your property. Know who to call to respond to the broken main. Your emergency plan includes procedures for safely shutting down operations dependent on water and a backup supply. Know where you would obtain drinking water. Cross-contamination is a serious potential exposure because it could result in illness and production interruption. When you discover a cross connection of potential drinkable water, your must nofity occupants immediately not to consume water from the crossed source.
Wildfire Have emergency plans to protect employees, contractors and visitors if your facility is in a wildfire area. In addition, pre-plan to protect the physical facility, which could include contracting with experts to remove brush around the facility.
Workplace Violence/Criminal Acts Having a formal, written zero tolerance policy can help to reduce the risk of workplace violence. Enforcing a no weapons policy can also help to deter violence. Depending upon your operations, you may have metal detection at key access points. Overall security controls including, lighting, cameras, access control and security systems can help to prevent criminal acts.