The OGO Blog

What Should a Credit Union Risk Assessment Look Like?

If you are in the process of building a business continuity plan for your organization, especially if you work for a Credit Union, than this post is for you…

The first step in building a comprehensive Business Continuity Program is to conduct a Business Impact Analysis or BIA. The Second Step in the process is to conduct a Risk Assessment.

The primary goals of a Risk Assessment are:

  • Evaluate BIA assumptions using various threat scenarios
  • Analyze threats based on likelihood and potential impact to institution, members and financial market
  • Prioritize potential business disruptions based on severity which is determined by impact on operations and probability of occurrence
  • Perform “gap analysis” that compares existing BCP to policies and procedures to be implemented based on prioritized disruptions and resulting impact

A Risk Assessment should meet the following criteria:

  • Be Based on comprehensive BIA
  • Be Documented
  • Reviewed and approved by Board and Senior Management annually
  • Disseminated to employees
  • Properly managed when outsourced to 3rd party

A Risk Assessment should address these specific items:

  • Provide specifics regarding what conditions should prompt implementation of the plan and the process for invoking
  • Immediate steps that should be taken during a disruption
  • Flexible for unanticipated scenarios and changing internal conditions
  • Focused on impact of various threats that could potentially disrupt operations
  • Developed based on valid assumptions and interdependencies


Once you have finished the BIA and now the Risk Assessment you should be in a good spot to start building individual plans for each department and putting in the content/resources you will need to create the actual Business Continuity Plan.

Are you trying to determine the best way to store and organize a Business Continuity Plan? Are you curious about the different types of Risk Assessments Credit Unions should perform?

Fill out this short form: