
What is PESTEL Analysis?

How to assess business risk and opportunities using PESTEL analysis

ISO 27001:2022 clause 4.1 (within clause 4, "Context of the Organisation") requires:

"The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system."


Guidance on how to achieve this is provided in ISO 31000:2018 (clause 5.4.1). In summary, the organisation should examine its external context, including:

  • the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;

  • key drivers and trends affecting the objectives of the organisation;

  • external stakeholders’ relationships, perceptions, values, needs and expectations;

  • contractual relationships and commitments;

  • the complexity of networks and dependencies.

Examining the organisation’s internal context may include, but is not limited to:

  • vision, mission, values and culture;

  • governance, organisational structure, roles and accountabilities;

  • strategy, objectives and policies;

  • capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);

  • data, information systems and information flows.

The PESTEL register within Adoptech has been designed to meet this requirement and helps users identify the risks and opportunities that their business faces. PESTEL analysis is one of the most widely used models for assessing a fast-changing external business environment.

The PESTEL framework breaks down risks and opportunities into categories:

  • Political - consider tax policy, labour law, environment law, trade restrictions, trade unions, tariffs, health, education and infrastructure of the countries within which the business operates.

    • Examples could include:

      • potential changes in taxes or regulations due to political changes

      • trade union impact due to political changes

      • responses to a pandemic

      • Brexit

      • inflation impacting wages

      • exchange rates

      • political instability

      • changes in tax

      • government technology grants (opportunity and risk that they are removed)

  • Economic/Commercial - consider economic growth, exchange rates, inflation, interest rates.

    • Examples could include:

      • potential recession

      • inflation

      • interest rates

      • running costs

      • changes in competition

      • the impact of the loss of a key client

      • ISO 27001 implementation (could be an opportunity)

      • layoffs at big tech firms present an opportunity to hire

  • Socio-cultural - consider age and availability of staff, population growth rate.

    • Examples could include:

      • the ability to recruit talent in a given office location

      • your company's flexibility regarding home or remote working

      • other companies' recruitment/redundancy plans

      • reliance on particular members of the team and the impact should they be unavailable

      • poor information security culture

      • ageing staff retiring, with the resulting loss of experience

  • Technological - consider technical innovation, R&D activity, automation, technological shifts and impact on costs and quality.

    • Examples could include:

      • cyber security

      • potential impact of AI

      • technical developments affecting your company's USP

      • inability to scale technology

      • poor code quality causing bugs

  • Environmental - consider environmental incidents and ecological aspects such as weather, climate and climate change, which are likely to especially affect industries such as tourism, farming and insurance.

    • Examples could include:

      • 'carbon impact' or 'green' positioning

      • location and potential for natural disasters

      • The February 2024 amendment to ISO 27001:2022 requires companies to determine whether climate change is a relevant issue. Any risks or opportunities related to climate change should be considered and outlined in the PESTEL

  • Legal - consider employment law, consumer law, health and safety legislation, and data protection legislation such as the GDPR.

    • Examples could include:

      • planned or potential legal changes

      • impact of a data breach

      • divergence between the EU GDPR and UK data protection law

      • potentially significant fines for GDPR / Data Protection breaches

      • IR35

      • AI regulation being considered

  

How to conduct the PESTEL analysis

1 - Identify Risks and Opportunities

Work through each category and establish the associated risks/opportunities for your business.

2 - Assess the Likelihood

Determine the likelihood of the risk/opportunity, that is, the probability of it occurring. Score the probability on a scale of 1 to 5:

Level  Description
1      Very unlikely to occur
2      Low, unlikely to occur
3      Medium, it is possible that it could occur, but it has not occurred in the past
4      High, it is likely that it will happen; it has occurred in the past but not recently
5      Very high, it probably will occur

3 - Assess the Consequence

Rate the consequence/impact on a scale of 1 to 5:

Level  Description
1      Minimal impact, not really noticeable
2      Slight impact, would be felt but would not have an effect on operations
3      Impact, would affect operations but no long-term effect on turnover
4      Major impact, would affect turnover
5      Severe. If a risk, the business would be threatened; if an opportunity, it would dramatically change the business

4 - Risk Rating and Acceptance

The overall risk is calculated by multiplying the likelihood and the consequence ratings, giving a score of 1 to 25. Note that because both inputs are whole numbers from 1 to 5, only 14 distinct scores can actually occur (for example 7, 11, 13 and 14 are never produced); the bands below are defined as ranges so that every possible product falls into exactly one of them.

Score   Risk Rating
16-25   Critical risk - immediate action required to reduce the risk or act on the opportunity.
9-15    High risk - apply further mitigation measures and/or alter the method of work to reduce the risk further or capitalise on the opportunity.
6-8     Medium risk - tolerable only if further mitigation is not practical and there is a need to continue the activity with the identified controls. If an opportunity, it is worth consideration but immediate action may not be suitable.
1-5     Low risk - broadly acceptable if all reasonably practicable control measures are in place. No action if an opportunity.

5 - Review the Register

The register should be reviewed, updated and assessed with the senior management team on a regular basis.

Wherever possible, actions should be identified to bring the risks to an acceptable level or to capitalise on opportunities.

Options include avoiding the risk, taking the risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining the risk by informed decision.
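The five steps above can be carried through end to end in code. The following is an added example, not part of the Adoptech product or this article: it encodes the likelihood and consequence scales, the 1-25 scoring and the rating bands exactly as tabulated above, validates that every score is a whole number from 1 to 5, and prioritises a register so the senior management review starts with the highest-scoring items. The register entries in SAMPLE_REGISTER are constructed for illustration; the descriptions, treatments and the tie-break on consequence are assumptions, not guidance from the page.

```python
"""Worked PESTEL register scoring (added example; not Adoptech's own code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Likelihood and consequence descriptors, condensed from the tables above.
LIKELIHOOD = {
    1: "Very unlikely to occur",
    2: "Low, unlikely to occur",
    3: "Medium, possible but has not occurred in the past",
    4: "High, likely; has occurred in the past but not recently",
    5: "Very high, probably will occur",
}
CONSEQUENCE = {
    1: "Minimal impact, not really noticeable",
    2: "Slight impact, felt but no effect on operations",
    3: "Affects operations, no long-term effect on turnover",
    4: "Major impact, affects turnover",
    5: "Severe: business threatened / opportunity transforms the business",
}

# (low, high, rating) bands for likelihood x consequence, from the table above.
BANDS = [(16, 25, "Critical"), (9, 15, "High"), (6, 8, "Medium"), (1, 5, "Low")]

# Treatment per band and entry kind, condensed from the rating table's wording.
ACTIONS = {
    ("Critical", "risk"): "Immediate action required to reduce the risk",
    ("Critical", "opportunity"): "Immediate action required to act on the opportunity",
    ("High", "risk"): "Apply further mitigation and/or alter the method of work",
    ("High", "opportunity"): "Take steps to capitalise on the opportunity",
    ("Medium", "risk"): "Tolerable only if further mitigation is not practical",
    ("Medium", "opportunity"): "Worth consideration; immediate action may not be suitable",
    ("Low", "risk"): "Broadly acceptable if reasonably practicable controls are in place",
    ("Low", "opportunity"): "No action",
}


def valid_score(value) -> bool:
    """A likelihood or consequence must be a whole number from 1 to 5 (no 0, no 6, no 2.5)."""
    return isinstance(value, int) and 1 <= value <= 5


@dataclass
class Entry:
    category: str      # PESTEL category, e.g. "P", "E", "S", "T", "En", "L"
    description: str
    kind: str          # "risk" or "opportunity"
    likelihood: int    # 1-5, per the likelihood table
    consequence: int   # 1-5, per the consequence table
    treatment: str = ""  # planned action, if any

    def __post_init__(self):
        if self.kind not in ("risk", "opportunity"):
            raise ValueError(f"kind must be 'risk' or 'opportunity', got {self.kind!r}")
        for name, value in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if not valid_score(value):
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence  # step 4: 1-25


def rate(score: int) -> str:
    """Map a 1-25 score onto the rating band from the table above."""
    for low, high, rating in BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score} is outside 1-25")


def action_for(entry: Entry) -> str:
    return ACTIONS[(rate(entry.score), entry.kind)]


def prioritise(register: List[Entry]) -> List[Entry]:
    """Highest score first; ties broken by consequence (assumption: a 3x4 outranks a 4x3)."""
    return sorted(register, key=lambda e: (e.score, e.consequence), reverse=True)


def reachable_scores() -> List[int]:
    """The 14 distinct products two 1-5 scores can give; 7, 11, 13, 14, 17-19 and 21-24 never occur."""
    return sorted({l * c for l in range(1, 6) for c in range(1, 6)})


# Constructed sample register (illustrative entries only).
SAMPLE_REGISTER = [
    Entry("L", "Significant fine following a personal-data breach", "risk", 2, 5,
          "Encrypt data at rest; rehearse the breach response plan"),
    Entry("T", "Inability to scale the current platform as customers grow", "risk", 3, 4),
    Entry("E", "Layoffs at large tech firms make senior hires available", "opportunity", 4, 3),
    Entry("En", "Office located on a flood plain", "risk", 1, 4),
    Entry("S", "Reliance on one engineer who holds key system knowledge", "risk", 3, 3),
]


def summarise(register: List[Entry]) -> List[Tuple[str, int, str, str]]:
    """Return (description, score, rating, action) in review priority order."""
    return [(e.description, e.score, rate(e.score), action_for(e)) for e in prioritise(register)]


if __name__ == "__main__":
    for desc, score, rating, action in summarise(SAMPLE_REGISTER):
        print(f"{score:2d}  {rating:8s} {desc}: {action}")
```

Running the block prints the constructed register with the 3x4 scaling risk and the 4x3 hiring opportunity (both scoring 12, High) at the top, the 2x5 data-breach fine (10, High) next, and the flood-plain risk (4, Low) last. The validation in Entry is deliberate: a score of 0, 6 or 2.5 entered in a spreadsheet silently distorts the 1-25 product, so it is rejected at the point of entry.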