Training-led Implementation Series

Assessing Your Risk: Risk Analysis

The Risk Analysis and Review (RAR) phase is one of the first steps undertaken in the BCM plan development cycle. This RAR phase is conducted not only in business continuity (BC) planning but also in crisis management (CM), crisis communication (CC) and IT disaster recovery [BC | CM | CC | ITDR] planning.

It may be helpful to know that in CM and CC, this phase is renamed as Crisis Scenario Risk Assessment (CRA).  In IT Disaster Recovery, this phase is known as IT RAR.

This first article in the "New BCM Manager" series on RAR attempts to clarify and answer some common questions you may have before starting the RAR phase of your project.

Moh Heng Goh

Before developing a business continuity management (BCM) program, the New Manager responsible for business continuity (BC), crisis management (CM), crisis communication (CC), and IT disaster recovery (ITDR) or, at the Business Unit (BU) level, especially for BC planning, the BU BCM Coordinator should first conduct a risk assessment to obtain the organization's risk profile.

The risk profile provides context for the kinds of threats faced by the organization and gives the New [BC | CM | CC | ITDR] Manager or BU Coordinator an idea of what he is up against. The risk profile is also important for deciding the type of BC, CM, CC, or IT DR plan to develop.

There are various ways to approach risk assessment in BCM, CM, CC, and IT DR. The current approach is to abide by the ISO 22301 BCM Standards. Another common way is the one presented in the ISO 31000 Risk Management Standard. This generic risk management standard can also be used to assess risk in BCM.

You may want to know how the Risk Analysis and Review phase fits into the Planning Methodology.  What is the Planning Methodology?

Risk Analysis Process

Only when we have sufficiently understood the organization would we begin to identify possible threats that could disrupt the organisation. It is often advantageous to assemble a group of subject matter experts and poll them for their views based on facts and hardcore experience.

Meanwhile, as we speak, there is a risk management standard published by the International Standard Organisation, better known by its acronym ISO. The published ISO 31000 standard is auditable. Hence, it will be good for related disciplines to align with this standard.

While identifying threats, the "New Manager" or, at the BU level, the BU Coordinator would also collect information from the subject matter experts on the likelihood of the threat's occurrence and its potential impact should it occur.


This process of estimating risk likelihood and risk impact is called risk analysis. To properly implement this step, the "New Manager" should ideally have developed a rating scale for likelihood and impact. It is generally good practice to use a 5-level scale for higher granularity.

While doing this, keep in mind the organisation’s risk appetite. The scale for impact may also be used in the business impact analysis phase.

Risk Ratings and Risk Levels

The product of risk likelihood and risk impact results in a risk rating value that indicates how high or low a threat's risk is. A high risk rating would undoubtedly indicate a high risk of disruption. This determination of the threat's “riskiness” is called risk evaluation.

It often makes sense to group risk rating values to give risk levels so that threats falling within the same risk level grouping can be assigned the same importance and priority for treatment.

The higher the risk level, the more priority would be given to treating the threat.

The following articles on Assessing Your Risk will discuss Treating Your Risk.

Reminder

In this reading, you are introduced to the following terminology.

 

Risk Likelihood, Risk Impact, Risk Rating, Risk Level, Risk Appetite

 
