Exposure to a risk event (such as damage to a data centre) is assessed in three ways:

1. Potential financial impact if risk event happens

2. Probablity of risk event happening

3. Adequacy of controls in place to mitigate the impact if the risk event actually occurs.

You can also link to webpages giving case studies of similar risk events, statistics on frequency of occurence and best practice on controls.