Risk Assessment For Business Continuity

In creating business continuity plans, every organization completes a series of risk assessment exercises. Without this general risk assessment, it would be impossible to prioritize what business continuity management (BCM) plans are needed. Each time a specific threat arises, business continuity teams need a risk assessment process to determine if the event merits activation of BCM teams and plans.

Monitoring Early Warning Signs

The key to effective event-specific risk assessment is to have some early warning detection in place. To best manage unplanned incidents, it helps to have visibility into potential disruptions before they occur. Obviously, certain types of disruptive events are more easily monitored than others. Weather, for example, can be monitored closely via the National Weather Service, AccuWeather and other sources. Most major storms are predicted in advance, enabling close monitoring by BCM teams. Similarly, flood and fire warnings are often weather-related, and threat levels can be monitored closely.

Company reputation is another threat that is easily monitored via social media, traditional media and call center feedback. Many organizations keep their finger on the pulse of these channels to determine when and how to respond to situations as they arise.

Civil unrest is another threat factor that can be monitored even though it is difficult to predict when general unrest may erupt into a disruptive event. Various governmental organizations publish threat status within regions around the world that can be used to gauge potential for disruptions.

Network monitoring is used to signal and respond to potential IT outages, although these solutions may not provide significant lead time for BCM planning teams.

Finally, epidemics don’t arise overnight and are closely monitored by world health organizations and, in the U.S., by the Centers for Disease Control. BCM teams that are concerned about potential impacts from wide-scale disease threats need to monitor these reports closely.

Many types of threats can be predicted ahead of time, giving business continuity teams additional time to assess impact and determine appropriate response plans. For these early warning systems to work, there needs to be clear ownership of who monitors each threat type and at what point they should involve a wider team to assess impact.

Event-Specific Risk Assessment

Whether we’ve used an official color coding system in our jobs or not, everyone is familiar with the term “Code Red”. After 9/11, the U.S. Department of Homeland Security rolled out a controversial threat assessment system modeled after the U.S. Forest Fire color coding system, with five color-coded threat levels:

  • Severe (red): severe risk
  • High (orange): high risk
  • Elevated (yellow): significant risk
  • Guarded (blue): general risk
  • Low (green): low risk

While this system was replaced by a new two-level National Terrorism Advisory System in 2011, both systems were designed to assess risk and determine at what point additional security measures are needed. These are good examples of an event-specific risk assessment process in action.

Whether signaled by early warning systems or not, when a new event is forming, it is critical for business continuity teams to assemble to assess risk. Hopefully, business continuity plans have been created that will form a guideline for determining the business impact based on the severity of a specific event – the threat scenarios.

Risk Versus Probability Assessment

Response plans are formulated by weighing the impact of the event on business operations against the probability of the event occurring. For example, if a storm is predicted to bring 12-24 inches of snow in a 24-hour period, the team would need to assess travel restrictions and employee safety concerns to determine if office closures, delivery cancellations, and/or manufacturing slowdowns are merited. The difficulty is to assess the accuracy of the forecast and determine exactly when decisions to adjust scheduling should be issued. See the following model for a framework on how to weigh risk vs. probability:

[Figure: risk versus probability assessment]

Most events are not black and white – so this process of weighing the threat scenario against the probability of the event occurring forms the crux of the risk assessment process. The more information your teams can collect to assess event severity and probability of occurrence, the better equipped they will be to establish the best response plan.

How to Use This Information

Being ready for risk is the key to any successful BCM plan. While a lot of disruptions are unplanned, you can still weigh the risks and probability of events. And if a crisis should hit, having an effective incident management system in place is critical. Call us at 312-445-8811 or schedule an online demonstration.