Business Continuity Management (3): Threat and Risk Assessment

Tony Blunden
The previous article on Business Impact Analysis (BIA) outlined a way of looking at your organisation that makes the recovery priorities clear: first by quantifying the potential losses from failing to deliver a particular service or product, and second by identifying all of the systems, staff and equipment that need to be in place to deliver it.

This article looks at what you are protecting your organisation against: those incidents that are serious enough to stop your organisation from functioning altogether, usually referred to as Business Continuity Incidents.

Figure: Embedding BCM in the Organisation's Culture


Before they actually happen these incidents are called threats. Each threat is a type of risk, with a likelihood of occurring and a potential impact if it does.

Typical threats include those that tend to:

  • Damage property such as fire, flood and earthquakes.
  • Stop all or the majority of staff from working such as sickness, strikes, transport stoppage or syndicate lottery wins.
  • Put staff and property at risk such as terrorist actions and threats.
  • Stop the organisation being able to process work such as the loss of systems, networks and the failure of key suppliers.

Each organisation will need to determine the set of threats which it believes have sufficient impact to be worth considering and are likely enough to occur at some point.  This list needs regular review, both to check the current assessment of likelihood and to add newly identified threats.  For example, five years ago few organisations in the UK would have been worried about infectious diseases as a business continuity event. Then came SARS, which organisations with major operations in the Far East had to treat as a threat, and then Avian Flu, which potentially affects everyone.

If your organisation has an Operational Risk function, then all these risks will usually sit at the extreme end of its spectrum, in the low likelihood, catastrophic impact section.  If the likelihood of a threat occurring is considered to be greater than 'low', then it probably needs to be a hot topic in your organisation: every feasible preventative measure should be put in place as quickly as possible, and operational readiness for recovery should be fully tested.

Each of these identified threats needs to be risk assessed to determine whether it is worth taking preventative action against. This is usually done by assessing the likelihood (probability of occurrence) and the potential impact separately, each on a four or six step scale from low to high, e.g. Low, Medium Low, Medium High, High.  The even number of steps prevents assessors from sitting on the middle number fence.  Both the likelihood and the impact should be assessed on the inherent risk, that is, the risk without taking account of any preventative or mitigating controls that may have been put in place. The reason is that most Business Continuity Incidents are completely outside an organisation's control, and where controls can make a difference, the incident you are planning for is precisely the one that occurs when those controls have failed.

Once the list of threats has been identified it is tempting to jump into designing business continuity solutions for each one. There is a danger in this approach that you will end up with a slew of different strategies and plans and will drown in detail. A more structured approach is to consider a set of ‘response triggers’.  This is a set of events, which, if and when they happen, you can plan against. Each response trigger could be ‘triggered’ by a number of different incidents or threats. Similarly each incident or threat could ‘trigger’ a number of these response triggers.

As an example, consider the impacts during the morning commute of either a transport strike or a burst water main that has cordoned off an organisation's main premises. Both would have triggers along the lines of:

  • Prevention of staff access to the organisation's premises.
  • Prevention of staff access to the recovery site.

Figure: Example of a typical set of threats, response triggers and corresponding controls

Usually organisations can boil down their list of response triggers to half a dozen or so, typically variations on loss of premises, staff, equipment, systems or key suppliers. Whenever a new threat is identified, it should be broken down into the existing triggers and any potentially new ones.  The likelihood of a trigger being fired is at least as high as that of the most likely threat mapped to it; adding up the likelihoods of all the associated threats gives a simple, conservative estimate (strictly, it is an upper bound, since two threats can occur in the same period).

The importance of each trigger can then be determined from the results of the BIA, by adding up the impact on every critical process that the trigger would stop.
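The following is an added example, not code from the Chase Cooper article, showing the threat-to-trigger approach described above as a small register you can run: each threat is decomposed into response triggers, the likelihood of each trigger is aggregated from its threats (both the simple sum described above and the probability that at least one of the threats occurs), the trigger's impact is taken from the BIA, and the triggers are ranked. It goes one step beyond the text by also flagging triggers that no plan covers yet. All threat names, annual probabilities, trigger names and BIA loss figures are constructed for illustration, and the probability bands behind the four-step scale are an assumption.

```python
"""
Threat-to-response-trigger assessment for a BCM threat and risk register.
Added example; it is not code from the Chase Cooper article. All threat names,
probabilities, trigger names and BIA loss figures below are constructed.
"""
from dataclasses import dataclass
from math import prod

# Even-step likelihood scale, as the article recommends, so assessors cannot
# sit on a middle value. The annual-probability bands are an assumption.
LIKELIHOOD_BANDS = [(0.01, "Low"), (0.05, "Medium Low"), (0.20, "Medium High"), (1.0, "High")]


def likelihood_band(p: float) -> str:
    """Map an annual probability to the four-step label."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return next(label for upper, label in LIKELIHOOD_BANDS if p <= upper)


@dataclass(frozen=True)
class Threat:
    name: str
    inherent_probability: float   # annual probability, assessed before any controls
    triggers: frozenset           # response triggers this threat can fire


# Constructed threat register: each threat decomposed into response triggers.
THREATS = [
    Threat("Transport strike", 0.10, frozenset({"loss_of_premises_access"})),
    Threat("Burst water main cordons off HQ", 0.02,
           frozenset({"loss_of_premises_access", "loss_of_recovery_site_access"})),
    Threat("Fire in HQ", 0.01, frozenset({"loss_of_premises", "loss_of_systems"})),
    Threat("Data centre power failure", 0.04, frozenset({"loss_of_systems"})),
    Threat("Pandemic influenza", 0.03, frozenset({"loss_of_staff"})),
    Threat("Key supplier failure", 0.05, frozenset({"loss_of_key_supplier"})),
]

# Constructed BIA output: daily loss (GBP) if a critical process stops, and the
# triggers that would stop it.
BIA = {
    "payments": (500_000, {"loss_of_premises", "loss_of_premises_access",
                           "loss_of_systems", "loss_of_staff"}),
    "customer_service": (80_000, {"loss_of_premises_access", "loss_of_staff",
                                  "loss_of_key_supplier"}),
    "regulatory_reporting": (20_000, {"loss_of_systems"}),
}


def all_triggers(threats):
    """Every trigger referenced by at least one threat, in a stable order."""
    return sorted(set().union(*(t.triggers for t in threats)))


def summed_likelihood(threats, trigger):
    """The simple rule from the article: add the likelihoods of every threat
    mapped to the trigger. This is an upper bound and can exceed 1."""
    return sum(t.inherent_probability for t in threats if trigger in t.triggers)


def trigger_likelihood(threats, trigger):
    """Probability that at least one associated threat occurs in the year,
    assuming the threats are independent: 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - t.inherent_probability for t in threats if trigger in t.triggers)


def trigger_impact(bia, trigger):
    """Daily loss across every critical process the trigger would stop (from the BIA)."""
    return sum(loss for loss, stopped_by in bia.values() if trigger in stopped_by)


def rank_triggers(threats, bia):
    """Rank triggers by expected daily loss so planning effort goes where it matters."""
    rows = []
    for trig in all_triggers(threats):
        p = trigger_likelihood(threats, trig)
        impact = trigger_impact(bia, trig)
        rows.append({"trigger": trig, "likelihood": p, "band": likelihood_band(p),
                     "impact": impact, "expected_daily_loss": p * impact})
    return sorted(rows, key=lambda r: r["expected_daily_loss"], reverse=True)


def unplanned_triggers(threats, planned):
    """Triggers the register needs that no existing plan covers yet."""
    return sorted(set(all_triggers(threats)) - set(planned))


if __name__ == "__main__":
    for row in rank_triggers(THREATS, BIA):
        print(f"{row['trigger']:<30} {row['band']:<12} p={row['likelihood']:.3f} "
              f"impact/day={row['impact']:>8,} expected/day={row['expected_daily_loss']:>9,.0f}")
    planned = {"loss_of_premises", "loss_of_staff", "loss_of_systems", "loss_of_key_supplier"}
    print("triggers without a plan:", unplanned_triggers(THREATS, planned))
```

Note that the trigger for loss of access to the recovery site has no BIA impact of its own in this register: nothing fails just because the recovery site is unreachable. It still needs a plan, because the burst water main fires it together with loss of access to the main premises, which is exactly the combination the recovery strategy has to survive.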

Determining how your organisation should respond to each of the triggers will cover you against all of the threats you have identified and essentially define your business continuity strategy.

It will also give you a structure for defining the controls that your organisation could put in place to reduce either the likelihood or the impact of a business continuity incident.

© Chase Cooper 2008