Business Continuity Risk Management
There are many very good reasons why business continuity (BC) hazard and risk assessment needs to be conducted regularly. Some of the most important are:
- To identify problems and potential problems
- As an aid to decision making
- To assist with resource allocation
- To identify priority actions
All of these are key roles in BC management.
As with BC models there are many different Risk Management models. This is only one:
Each of these stages is very important in the overall risk management process:
Define – identify all of the potential risks that might occur
Assess – Assess the risks and grade them in relation to their probability and severity of impact
Mitigate – identify any activity which could either avoid, reduce or eliminate the risk
Plan – produce a plan to prioritise mitigation processes
Evaluate – the plan and the processes to ensure that they are workable and have the desired effect. Where necessary, return to the beginning of the cycle and repeat the process.
Stage 1 – Define the risks
To produce effective BC management risk assessment plans, risks must be defined and identified at all levels. The best people to identify risks are those who are working in the environments in which the risks occur. For example, the identification of risks which occur in hotels is best left to the hotel management. Risks which might impact on the nation as a whole are best identified by government bodies. Whoever assumes responsibility for identifying risks should consider all possible eventualities no matter how improbable.
Stage 2 – Assess the risks
Once all risks have been identified, decisions must be made:
How probable is it that the risk will occur
If the risk does occur how severe is the impact likely to be
Stage 3 – Mitigate the risks
During this process all of the identified risks must be examined to determine how best to deal with them. There are four options which will be discussed fully in a later Chapter.
Stage 4 – Plan
When the first three stages have been completed, a comprehensive risk assessment plan should be written and communicated to all persons who are required to take action in respect of it.
Stage 5 – Evaluate
It is very important that all stages of the risk assessment process are evaluated to ensure that all necessary action has been taken. The evaluation process should be conducted regularly, especially if there has been any change in circumstances. The process should be conducted before, during and after any BC situation.
BC Impact Analysis
The process of identifying:
- The likelihood of an identified risk occurring
- The impact on the organisation if it does
This information is then normally presented in a table. The table on the right is only an example. Your organisation may require a different format.
All Identified risks should also be recorded in a Risk Register. These can be either manual or electronic but should be accessible to anyone in the BC management team for easy amendment as necessary.
Are necessary to retain control of the risk assessment process
Should be maintained at all levels
At strategic (national) level will be a register of organisations as well as the risks at National level
Risk registers should contain at least:
- A risk reference
- Risk category
- Risk sub-category
- Description of the risk
- Likelihood rating
- Impact rating
- Risk rating
- Person or department responsible for monitoring the risk
Once risks have been identified they must be evaluated and mitigation activities identified. It is then necessary to conduct a Cost/Benefit Analysis which is the process of:
- Identifying the cost of implementing mitigation strategies
- Identifying the benefits to be gained from the mitigation strategies
- Identifying whether the potential cost of implementation outweighs the benefits to be gained
- Deciding whether to implement the strategies
The process must be realistic and should be guided by your ‘What is important’ analysis
Disaster management requires thorough planning if it is to be successful. The planning can mean the difference between people living and dying. Between businesses being able to recover from a disaster or going under. This book will help, in a simple but effective way, any business continuity practitioner to prepare for a disaster which might affect their organisation.