Tuesday, 19 March 2013

Evaluating Threats as part of Business Continuity

John Bartlett CBCI, DBCI
My first article ‘An introduction to Business Continuity’ introduced Business Continuity (BCM) related risks and outlined different types of risk that we and our organisations can experience. Risks are unavoidable; how we assess these, decide which ones to deal with and the level of risk we are prepared to accept (our risk appetite), is entirely within our control.

Whole industries have been established and libraries of books written on Risk Management. Often risk and risk management mean different things to different people and industries.
This article is not intended to provide comprehensive details or guidance on developing and applying risk management within your organisation; this is already expected to be in place to a greater or lesser extent as part of good business practice. Instead, the purpose of this article is to provide guidance on risks in relation to BCM and the essential activities of your organisation, thereby ensuring informed decisions can be made to treat the risks and develop the most appropriate level of resilience and recovery for your organisation.
Risks normally arise as a result of people (not doing what they should or not doing it properly, forgetting something, doing something illegal), faulty goods or services (such as technical/machinery failure, pipes leaking/breaking, power failure, delivery failure) or natural and environmental activities (for example extreme weather conditions, such as flooding or earthquake, incidents near to your organisation or global/national related incidents). All of these could directly affect and disrupt your organisation's activities, or the activities of organisations and people you are dependent upon to provide you with products or services.
Identifying Risks
In the first article we stated that risks to continuity can mainly be broken down into four key groups: people; infrastructure; information; and suppliers. There is no easy way of identifying all the potential risks to the organisation, but it is essential that there is an open culture in the organisation to identify and communicate risks that may otherwise go unidentified and untreated, and disrupt the organisation's essential activities. One of the easiest ways to approach risk identification is to list all the characteristics of the risk groups (examples were provided in the first article) and, through a workshop with the appropriate people, identify the requirements for each essential activity (see article last week). Then apply a ‘what if’ analysis to each requirement: for example, what if a particular person, application, supplier, material, piece of information, equipment or control (e.g. fire alarm) was not available or did not work properly?
Each risk identified should be listed in a register along with its owner and then evaluated in terms of its likelihood and impact, and its relationship with other risks. For completeness, where an existing control is in place to protect against that risk, the control (such as fire sensors or alarm, or IT Disaster Recovery facility) should be evaluated to ensure it is sufficient to meet the requirements and that it works effectively. There may already be information to help with the evaluation of these controls (such as reports from Internal or External Auditors, independent consultants, etc.). If the evaluation of these controls identifies weaknesses or failings, this should be recorded as an Issue in the register. These issues should then be evaluated in terms of their impact in the same way as risks, and the highest likelihood value used (as the issue already exists).
Evaluating Risks
The value of a risk can be obtained by evaluating the likelihood and impact of each one using a simple scoring mechanism (for example 1 to 5, where 1 is very low and 5 is very high). To ensure consistency it helps to provide a definition of each level and measurement criteria. The individual scores should then be recorded in the register and a risk value calculated by multiplying the impact and likelihood scores together.
The risks and issues can then be plotted on a 5 x 5 matrix (where likelihood and impact are plotted on the x and y axes) to easily identify clusters of risks/issues, with colour codes (Red, Amber and Green) used to identify acceptable high, medium and low values on the matrix. This is often referred to as a heat map. The relationship between risks/issues and the requirements identified for essential activities should be reviewed and evaluated, and if necessary the impact and/or likelihood revised based upon these relationships. This will ensure that risks are reviewed in relation to the organisation as a whole, rather than individually, and any potential systemic impact to the organisation from a combination of risks is similarly assessed.
The definitions and values used as criteria to measure the likelihood and impact of the risks will be personal to each organisation, and should be agreed with the BCM sponsor and Senior Management.
Treatment of Risks
The corresponding treatment of risks/issues will depend upon the level of risk appetite accepted within the organisation and the most appropriate approach based upon strategy, plans/projects and method of operation. There are five potential approaches for risk treatment: prevention, reduction and transfer (these are all proactive preventative measures); acceptance; and contingency planning (a reactive measure once a risk has materialised). Each of the risks/issues on the register should be reviewed, the options to treat each risk considered and an appropriate treatment chosen based upon a cost/benefit analysis. These treatments can then be included and managed under an existing, planned or strategic project, or combined into a separate risk treatment project. All of these treatments for BCM related risks combine to provide the scope of review and action under BCM.
Monitoring Risks
Whilst the BCM function can help identify risks and help select the most appropriate treatment to achieve resilience and recovery, a single individual within the organisation should have management responsibility and accountability for managing the organisation's risks. Once an appropriate risk treatment has been implemented, the individual should establish a risk governance, monitoring and review framework to regularly review the status of risks with the BCM function and ensure the risk treatment remains appropriate and effective. This governance should include communication with the organisation's stakeholders to ensure they are aware of the organisation's key risks and the measures in place to manage them.
