Managing disaster recovery and business continuity risks involves:
- Understanding the environment, vulnerabilities and critical assets of the organization.
- Identifying the nature and source of potential disruption events that pose business continuity risks, both positive and negative, to the organization.
- Understanding the consequences of these events in terms of their impact on the business.
- Implementing strategies to mitigate, or benefit from, the occurrence of the risk.
- Recognizing that disruption events may occur that have not been considered through formal risk assessment.
- Requiring that business continuity and disaster recovery plans maintain a high degree of flexibility.
When tackling a Threat and Risk Analysis assessment, you may consider the following approach:
- An examination of the risks and their context.
- A consideration of the organization’s vulnerabilities to those risks.
- Identification and provision of resources and infrastructure to support the critical functions of the business.
- Determine the communication requirements before, during and after a disruption.
Eight key business disruption categories have been listed below. It is important to note that there is an almost indefinite number of potential threats, with varying levels of likelihood, that could result in a severe disruption to your normal business operations.
However, the results or impacts of the vast majority of threats can be categorised within the following eight risk areas:
- Loss of precinct (loss of access to the business premises and surrounding area)
- Loss of building
- Denial of access to building for a limited time
- Loss of Information Technology service (data)
- Loss of Information Technology services (voice)
- Loss of vital records (non electronic)
- Loss of key staff
- Loss of key dependencies
An example of a risk assessment tool is locate below.
The risk assessment tool acts as a guide to help you determine an appropriate rating for each risk. It is important to note that risk is subjective and therefore any ratings applied should be considered in this context.
|Almost certain(e.g. >90% chance)||High||High||Extreme||Extreme||Extreme|
(e.g. between 50% and 90% chance)
(e.g. between 10% and 50% chance)
(e.g. between 3% and 10% chance)
(e.g. <3% chance)
The table below shows an example of the eight risk items that were considered. The table also includes a current and target consequence and likelihood rating.
The column on the far right lists the end risk rating. The art of cost effective business continuity planning is applying controls to reduce the risk rating (residual risk) to an acceptable level.
|Current||Target||Current||Target||Level of Risk|
|1||Loss of IT (data)||Major||Insignificant||Moderate||Unlikely||Extreme|
|2||Loss of Precinct||Major||Minor||Rare||Rare||High|
|3||Loss of Building||Major||Minor||Unlikely||Unlikely||High|
|4||Denial of Access to Building||Major||Minor||Unlikely||Unlikely||High|
|5||Loss of Key Dependencies||Major||Minor||Unlikely||Unlikely||High|
|6||Loss of Vital Records||Major||Insignificant||Unlikely||Rare||High|
|7||Loss of Key Staff||Moderate||Minor||Unlikely||Unlikely||Low|
|8||Loss of IT (voice)||Minor||Insignificant||Unlikely||Unlikely||Low|
This table will be used as an example in the next section – developing Recovery Strategies.