[BCM] [HH] [E2] [C3] Risk Analysis and Review

Chapter 3

As Part of the BCM Planning Methodology for HopeHouse

Purpose of Chapter

The Risk Analysis and Review (RAR) phase is the second critical stage in the Business Continuity Management (BCM) Planning Methodology adopted by HopeHouse.

As a non-profit organisation providing residential care and rehabilitative support for at-risk youth, HopeHouse operates in a dynamic and sensitive environment where even minor disruptions can have a significant impact on the well-being and safety of its residents.

Through this phase, HopeHouse gains a deeper understanding of potential threats and vulnerabilities that could interrupt its services.

This knowledge enables proactive risk mitigation strategies, ensuring resilience, compassion, and continuity in the face of disruptions.

Overview of the Risk Analysis and Review (RAR) Phase

The RAR phase comprises three key steps:

1. Identify Threats and Vulnerabilities
2. Assess Likelihood and Impact
3. Establish Risk Mitigation and Controls

This phase lays the groundwork for developing robust continuity strategies by translating abstract risks into actionable priorities.

It also ensures a strong alignment between operational risks and strategic business objectives.

Identifying Risks and Vulnerabilities in the HopeHouse Context

HopeHouse began the RAR phase by conducting structured risk identification sessions with staff, volunteers, and management.

This exercise focused on uncovering both internal and external threats that could affect day-to-day operations and long-term service delivery.

Examples of Identified Risks at HopeHouse:

• Fire Hazards: Due to communal living and shared kitchen facilities, accidental fires posed a real threat.
• Pandemic Outbreaks: Following the experience with COVID-19, the risk of infectious disease outbreaks remains a significant concern, particularly in residential settings.
• Power Failures: Disruption of electricity could affect security systems, lighting, refrigeration for food, and medication storage.
• Cybersecurity Breaches: As client data is stored digitally, the risk of a data breach is significant.
• Volunteer Shortage: As a volunteer-reliant organisation, a sudden drop in available personnel during crises could disrupt programme delivery.

This step also included a review of previous incident reports, audits, and environmental scans to ensure that emerging risks—such as rising utility costs or increased mental health needs—were not overlooked.

Assessing Likelihood and Impact

Each identified risk was evaluated based on two dimensions:

• Likelihood (How probable is the risk?)
• Impact (How severe would the consequences be if the risk occurred?)

A risk matrix was developed to prioritise threats. For example:

Establishing Risk Mitigation and Controls

Based on the risk assessment, mitigation strategies were tailored to the needs and capacity of HopeHouse. The objective was not to eliminate all risks—an impossible task—but to reduce them to an acceptable and manageable level.

Examples of Risk Mitigation at HopeHouse:

• Fire Hazards: Installation of smoke detectors, fire extinguishers, and conducting regular fire drills with residents and staff.
• Pandemic Preparedness: Stockpiling of masks and sanitisation supplies, enforcing visitor protocols, and establishing quarantine rooms.
• Power Outages: Equipping the premises with portable generators and an uninterruptible power supply (UPS) for critical systems.
• Cybersecurity: Implementing secure password protocols, regular data backups, and staff training on phishing and digital hygiene.
• Volunteer Shortage: Creating a backup pool of on-call volunteers and cross-training staff for critical roles.

These measures were carefully documented and integrated into the Business Continuity Plan to ensure consistency in implementation and review.

Continuous Review

Risk analysis is not a one-time activity. The environment in which HopeHouse operates is constantly evolving.

Changes in regulatory requirements, economic shifts, social trends, and community needs demand ongoing vigilance.

HopeHouse instituted a quarterly risk review process, involving both the Programme Management and Operations teams. Key triggers for ad hoc reviews include:

• Introduction of new services or programmes.
• Renovation or relocation of facilities.
• Changes in government guidelines, such as those related to social services or pandemic responses.
• Major incidents (e.g., near-miss fires or data breaches) that require updates to risk controls.

This ongoing review ensures that the risk profile remains current and relevant, reinforcing HopeHouse’s capacity to deliver uninterrupted, compassionate care.

Summing Up ...

Implementing the Risk Analysis and Review phase has empowered HopeHouse to understand its vulnerabilities and take preemptive action.

By embedding risk awareness into daily operations and cultivating a culture of vigilance, HopeHouse strengthens its ability to safeguard both people and purpose.

In the context of BCM, this phase is foundational, providing the insights necessary to develop robust business continuity strategies and ensuring that HopeHouse continues to serve with resilience and compassion, even in the face of disruption.

Continuity with Compassion: Implementing BCM at HopeHouse
eBook 2: Implementing BCM Planning Methodology

More Information About Business Continuity Management Courses

To learn more about the course and schedule, click the buttons below for the  BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].

	Please feel free to send us a note if you have any questions.