The Business Continuity Institute (BCI)
states that the objective of risk evaluation and control within the context
of business continuity management is:
"To determine the events that can adversely affect an organization,
the damage that such events can cause, the timescale needed to restore
normal operations and the controls that can be implemented to reduce the
probability of impact."
A structured approach to risk evaluation involves four steps:
- Asset and threat identification.
- Quantification of potential losses.
- Assessment of vulnerabilities.
- Evaluation of solutions or mitigating factors.
Threats are events or situations that would cause financial or operational
impact to the organization. They are measured in probabilities, such
as "may occur one time in 10 years." Each threat also has an associated
duration during which the business or operation would be unable to function
in its normal manner, if at all.
Assets comprise the physical assets owned by the organization as well as
its financial assets. Revenues lost for the duration of the incident,
additional costs to recover, fines and penalties incurred, and lost goodwill
or competitive advantage are all components of the assets figure.
Mitigating factors are the protection devices, safeguards, and procedures
in place that reduce the effects of the threats. They do not reduce the
threat itself; they only reduce its effect. Examples of mitigating factors
in use include uninterruptible power supplies (UPS) and generator backups
for replacement power, sprinkler systems to control the spread of fire,
and access card readers to control physical access to company space.
Areas to review during this process include the facility infrastructure,
computer and communication recovery, and business function processes and
components; reviewing them helps identify the kinds of risks present and
the controls already in place. During this phase, additional controls may
be recommended to mitigate the effects of a particular identified risk.
Some possible tasks to consider when developing the scope of the above
steps:
- Asset and Threat Identification
  - Assets:
    - List and categorize your assets.
    - Consider tangible, intangible (e.g. reputation), and transient
      (e.g. technology lead) assets.
  - Look at areas of risk:
    - Policies and procedures.
    - Manufacturing processes.
    - Physical security of the facility.
    - Personnel issues: recruitment, induction and discipline.
    - Computer systems and networks.
    - Communications.
    - Marketing and/or customer interface.
  - Assess the risks identified:
    - Through interviews and observations.
    - Through structured walk-throughs and "what-if" scenarios.
    - Then relate these back to your key assets.
- Quantify Your Potential Losses
  - When possible, look at company historical data to estimate losses.
  - Seek outside opinions from others in your sector, consultants, etc.
  - At times, "best guess" estimates are needed to establish losses
    resulting from having to restore a tarnished reputation.
  RISK = IMPACT x PROBABILITY
  This calculation should enable you to rank risks from the most serious
  to the most trivial in terms of their overall impact on the business.
- Assessment of Vulnerabilities
  - Use appropriate historical data.
  - Apply commonly used industry formulas.
  - Make subjective estimates.
  - Apply a risk weighting system (many are available to customize, or
    develop your own).
- Evaluation of Solutions
  Risk control measures fall into one of four categories:
  - Accept the risk - If the impact of a rare event is low, it may be
    reasonable to accept the risk, such as the occasional theft of company
    property, which is unlikely to jeopardize the business. Some risks fall
    outside your control, such as governmental policy, and so must be
    accepted by default.
  - Manage the risk - For frequent, low-impact risks, the most sensible
    strategy is to monitor and seek to reduce the risk. An example would be
    the development of new procedures to reduce error.
  - Reduce the risk - A frequent, potentially damaging event is a target
    for reduction measures. The hazardous procedure should be re-engineered
    or carefully monitored to reduce risk. Alternatively, you might choose
    to outsource the risk, thereby giving it to someone else better equipped
    to manage it.
  - Planning - Business continuity planning addresses risks which are of
    low probability, such as fire and flood, but whose potential impact is
    failure of the business.
  The type of risk to which each is an appropriate reaction is shown
  in the following table:
Summary: You cannot remove all risk entirely, but many businesses
fall victim to damaging impacts from risks they had not identified or
sought to control.
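To show how the RISK = IMPACT x PROBABILITY ranking and the four control categories fit together, here is a small, added worked example (not part of the BCI text or any BCI tool). It builds a constructed risk register, scores each entry, ranks the register from most to least serious, and maps each risk onto Accept / Manage / Reduce / Planning using the descriptions above. The register entries, the currency figures, and the thresholds for "frequent" and "low impact" are all assumptions chosen for illustration; a real assessment would set them from the organization's own data.

```python
# Added example: rank a constructed risk register with
# RISK = IMPACT x PROBABILITY and map each risk onto the four control
# categories (Accept / Manage / Reduce / Planning) described above.
# Register entries and thresholds are constructed, not taken from the text.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float                   # estimated loss per occurrence (constructed currency units)
    probability: float              # expected occurrences per year; 0.1 = "once in 10 years"
    business_failure: bool = False  # True if an occurrence could mean failure of the business
    controllable: bool = True       # False for risks outside our control (e.g. government policy)

    @property
    def score(self) -> float:
        """RISK = IMPACT x PROBABILITY."""
        return self.impact * self.probability


# Assumed thresholds (not from the page) for what counts as "frequent" and "low impact".
FREQUENT_PER_YEAR = 0.5   # at least once every two years
LOW_IMPACT = 10_000


def control_category(risk: Risk) -> str:
    """Map a risk to Accept / Manage / Reduce / Planning using the page's descriptions."""
    if not risk.controllable:
        return "Accept"        # outside our control: accepted by default
    frequent = risk.probability >= FREQUENT_PER_YEAR
    low_impact = risk.impact <= LOW_IMPACT
    if risk.business_failure and not frequent:
        return "Planning"      # low probability, failure-level impact: continuity planning
    if frequent and low_impact:
        return "Manage"        # monitor and reduce through new procedures
    if frequent:
        return "Reduce"        # re-engineer, monitor closely, or outsource
    if low_impact:
        return "Accept"        # rare and low impact, e.g. occasional theft
    return "Reduce"            # rare but damaging and not failure-level: assumed treatment


def rank_risks(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Rank from most to least serious by score, with the recommended category."""
    ordered = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, control_category(r)) for r in ordered]


def by_category(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk names under each control category, most serious first."""
    groups: dict[str, list[str]] = {"Accept": [], "Manage": [], "Reduce": [], "Planning": []}
    for r in sorted(register, key=lambda r: r.score, reverse=True):
        groups[control_category(r)].append(r.name)
    return groups


# Constructed register for illustration only.
REGISTER = [
    Risk("Fire in main facility", impact=5_000_000, probability=0.02, business_failure=True),
    Risk("Production stoppage from hazardous procedure", impact=40_000, probability=2.0),
    Risk("Flood at main facility", impact=3_000_000, probability=0.01, business_failure=True),
    Risk("Order data-entry errors", impact=5_000, probability=4.0),
    Risk("Adverse change in government policy", impact=200_000, probability=0.05,
         controllable=False),
    Risk("Occasional theft of company property", impact=2_000, probability=0.2),
]

if __name__ == "__main__":
    for name, score, category in rank_risks(REGISTER):
        print(f"{score:>12,.0f}  {category:<9}  {name}")
```

Running the block prints the register in score order; note that the fire and flood entries rank highly despite their low probability because the impact term dominates, which is exactly why the page assigns them to business continuity planning rather than to acceptance.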