How Risk Assessments Are Used In Business Continuity
A Risk Assessment is a survey which assists in analyzing potential threats, determining the impacts of those threats and identifying controls that are in place to minimize the impact of the threat.
When we work with some of the departments/campuses at the University on the risk assessment survey for their area, it is hard for them to see the real benefit of this assessment. This tool can be used for multiple purposes. The Risk Assessment:
- provides insight into which threat is most probable and will have the largest impact in areas such as employees, facilities and operations of critical services
- presents a "gap analysis" of the mitigation controls that exist vs. the mitigation controls that are lacking
- assists in defining which of these threats should be used in tabletop exercise scenarios for recovery plans
By using information provided by our insurance company, departments and campuses at Penn State are able to determine the impact based on the probability and severity of both environmental and man-made threats.
Environmental threats include anything that is produced by a force of nature, such as floods, ice storms, earthquakes, etc. Man-made threats are self-explanatory; examples are fire in buildings, civil unrest, chemical spills, etc.
After the impact of each threat is determined and the identification of mitigation controls is complete, the most challenging piece is how to use this information in business continuity planning. Management needs to determine how they will handle each of the threats. Management should use the information gathered to:
- List the threats in order of greatest probability and impact
- Determine what the risks would be if they chose to do nothing to mitigate or lessen the threat or impact
- Determine how to deal with the threat:
  - Mitigation - implement a procedure or infrastructure that lessens the probability or impact of a threat
  - Avoidance - stop performing an activity or operation that carries the threat
  - Acceptance - accept the risk and do nothing to mitigate the threat or lessen the impact
  - Transference - transfer the risk to another group
- Perform a cost benefit analysis to ensure the decision makes sense from a business standpoint
If mitigation controls already exist, they should be analyzed from two standpoints: how the control that exists today helps minimize the possibility of the threat or lessen its impact, and whether any new mitigation controls could be utilized that would be more efficient or more economical. If a mitigation control costs money (depending on the amount), a cost benefit analysis should be performed to determine whether implementing the new change is worthwhile.
At Penn State, we encourage departments and campuses to complete the Risk Assessment at the same time as the Business Impact Analysis (BIA). It is important to identify the critical business functions the University provides using the BIA and to identify what could cause an outage of those business functions. We use a standard survey for all units going through the business continuity planning process, but the probability of environmental and man-made threats varies based on the location of the participant.
Once the Risk Assessment and BIA are complete, the management team from the department and campus will analyze the results to make recommendations for recovery strategies in Phase 3 of our planning process.

I've always been a proponent of giving the customer as much data as possible with the RA. Most departments do not understand nor know where to get relevant data for doing threat probability, so I do the field work and hand it to them (at least for the environmental threats). I don't like handing over the man-made threats as this gets a department to reach out to various support services. The support services appreciate the involvement and give excellent ideas for mitigation. This work also is a ground level building block in getting an organization focused on BC. My two cents...