Threat Meter

Disaster Recovery Planning Step 1 – The Threat Matrix


The starting point to creating a Disaster Recovery Plan (DRP) for your business is the Threat Matrix. By preparing a list of catastrophic events to your business, scoring them according to their likelihood and documenting your response will allow you to mitigate their damaging effects quickly and efficiently.

Here’s how to set up a Threat Matrix.

Identify the most common threats

Brainstorm with your team and list the most likely threats your business may face in your geographical area. A sample list is below:

  1. Fire
  2. Flood and water damage
  3. Natural Disaster (Hurricane, tornado, Nor’easter, etc.)
  4. Extended Loss of Electrical Power or Internet Connectivity
  5. Hardware Failure
  6. Software Corruption
  7. Social Engineering Attack
  8. Denial of Service Attack
  9. Disgruntled Employee (Data Deletion, Corporate Espionage Activities, etc.)
  10. Human Error
  11. Hacking – Stolen Confidential Information
  12. Malicious software (Trojans, ransomware, etc.)
  13. Loss or corruption of Key Digital Files and/or Databases
  14. Stolen unencrypted mobile devices (laptops, smart phones, tablets, etc.)
  15. Malicious intruder – Stolen/damaged servers, desktops, network equipment
  16. Bomb Threat
  17. Terrorist Attack
  18. State/Federal Emergency Declarations (i.e. Restricted travel, Government services, etc.)

The above is only a sample. As you can see, the word “Disaster” doesn’t only mean hurricanes, tornadoes and floods. Studies show that natural disasters account for only 3% of catastrophic data loss events.

The lesson here is to prepare for natural disasters—of course—but make sure you cover the multitude of other events that will most likely lead to disastrous data loss.

Give each threat a rating

There are many ways to rate things. If you’re mathematically inclined, you can create an intricate weight system to apply to each threat. However, keep in mind that simple is understandable which leads to action.

I favor a High (H), Medium (M) Low (L) scale. I know this is more subjective than using intricate mathematical models, but it is easy to understand, quicker and does the job nicely.

So, after identifying the threats, rate each of them High, Medium or Low. Make sure you revisit the list from time to time and update ratings and add new threats as appropriate.

Create or reference procedures covering each threat

Now that you have a list of threats with H, M, L ratings, it is time to make sure that you have detailed procedures on how to deal with each threat when they occur. As a business, you probably have written procedures covering your operations. If so, great! Provide a link or reference in your DR Plan so your staff can find them. Just make sure that they’re updated as your business changes.

If you don’t currently have a set of written procedures—you now have a handy list to get started!


Disaster planning is crucial to your company’s survival. Threats are everywhere and the digital landscape is getting more dangerous. For instance, social engineering, hacking and malicious software such as ransomware and credential-stealing trojans have vaulted to the top of the list in recent years.

Your goal must be Business Continuity and not merely surviving a disaster because your company can literally go out of business shortly after a catastrophe without a well written, tested Disaster Plan to guide your recovery.

P.S. – If you don’t have a written Disaster Plan

 Click the link below to our previous post and download our FREE, no registration, easy-to-use, fill-in-the-blanks Disaster Recovery Template that will make creating your written plan super easy:

A Simple Disaster Recovery Plan Template

XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 460+ Petabytes of data with over 1400+ employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause. Backup & Disaster Recovery | Business Continuity | Data Risk Assessment