Threat and Risk Analysis

Managing disaster recovery and business continuity risks involves:

  • Understanding the environment, vulnerabilities and critical assetsĀ of the organization.
  • Identifying the nature and source of potential disruption events that pose business continuity risks, both positive and negative, to the organization.
  • Understanding the consequences of these events in terms of their impact on the business.
  • Implementing strategies to mitigate, or benefit from, the occurrence of the risk.
  • Recognizing that disruption events may occur that have not been considered through formal risk assessment.
  • Requiring that business continuity and disaster recovery plans maintain a high degree of flexibility.

When tackling a Threat and Risk Analysis assessment, you may consider the following approach:

  • An examination of the risks and their context.
  • A consideration of the organization’s vulnerabilities to those risks.
  • Identification and provision of resources and infrastructure to support the critical functions of the business.
  • Determine the communication requirements before, during and after a disruption.

Eight key business disruption categories have been listed below. It is important to note that there is an almost indefinite number of potential threats, with varying levels of likelihood, that could result in a severe disruption to your normal business operations.

However, the results or impacts of the vast majority of threats can be categorised within the following eight risk areas:

  • Loss of precinct (loss of access to the business premises and surrounding area)
  • Loss of building
  • Denial of access to building for a limited time
  • Loss of Information Technology service (data)
  • Loss of Information Technology services (voice)
  • Loss of vital records (non electronic)
  • Loss of key staff
  • Loss of key dependencies

An example of a risk assessment tool is locate below.

The risk assessment tool acts as a guide to help you determine an appropriate rating for each risk. It is important to note that risk is subjective and therefore any ratings applied should be considered in this context.

Likelihood Consequences
Insignificant Minor Moderate Major Catastrophic
Almost certain(e.g. >90% chance) High High Extreme Extreme Extreme
(e.g. between 50% and 90% chance)
Moderate High High Extreme Extreme
(e.g. between 10% and 50% chance)
Low Moderate High Extreme Extreme
(e.g. between 3% and 10% chance)
Low Low Moderate High Extreme
(e.g. <3% chance)
Low Low Moderate High High

The table below shows an example of the eight risk items that were considered. The table also includes a current and target consequence and likelihood rating.

The column on the far right lists the end risk rating. The art of cost effective business continuity planning is applying controls to reduce the risk rating (residual risk) to an acceptable level.

ID Risk Consequence Likelihood Rating
Current Target Current Target Level of Risk
1 Loss of IT (data) Major Insignificant Moderate Unlikely Extreme
2 Loss of Precinct Major Minor Rare Rare High
3 Loss of Building Major Minor Unlikely Unlikely High
4 Denial of Access to Building Major Minor Unlikely Unlikely High
5 Loss of Key Dependencies Major Minor Unlikely Unlikely High
6 Loss of Vital Records Major Insignificant Unlikely Rare High
7 Loss of Key Staff Moderate Minor Unlikely Unlikely Low
8 Loss of IT (voice) Minor Insignificant Unlikely Unlikely Low

This table will be used as an example in the next section – developing Recovery Strategies.