Training-led Implementation Series

Assessing Your Risk: Risk Rating and Risk Level

The Risk Analysis and Review (RAR) phase is one of the first steps undertaken in the BCM plan development cycle. The BCM plan includes the business continuity plan, crisis management plan, crisis communication plan and IT disaster recovery plan [BC | CM | CC | ITDR]. This first article of the "New BCM Manager" series on RAR attempts to clarify and answer some common questions you may have before starting the RAR phase of your project.
Moh Heng Goh

Before developing a business continuity management (BCM) program, a New Manager responsible for business continuity (BC), crisis management (CM), crisis communication (CC) or IT disaster recovery (ITDR), or, at the Business Unit (BU) level especially for BC planning, the BU BCM Coordinator, should first conduct a risk assessment to obtain a risk profile of the organization.

The risk profile provides a context to the kinds of threats faced by the organization, and gives the New [BC | CM | CC | ITDR] Manager or BU Coordinator an idea of what he is up against. The risk profile is also important for deciding the type of BC, CM, CC or IT DR plan to develop.

There are various ways risk assessment can be approached in BCM, CM, CC and IT DR. The current approach is to abide by the ISO 22301 BCM Standard. Another common way is the one presented in the ISO 31000 Risk Management Standard. This is a generic risk management standard that can also be used to assess risk in BCM.

You may want to know how the Risk Analysis and Review phase fits into the Planning Methodology. What is the Planning Methodology?

Risk Analysis Process

Only when we have sufficiently understood the organization should we begin to identify possible threats that could cause a disruption in the organisation. It is often advantageous to assemble a group of subject matter experts and poll them for their views, based on facts and hard-won experience.

There is also a risk management standard published by the International Organization for Standardization, better known by its acronym ISO. The published ISO 31000 standard is auditable. Hence, it is good for related disciplines to be aligned to this standard.

While identifying threats, the "New Manager", or at BU level the BU Coordinator, would at the same time collect information from the subject matter experts on the likelihood of occurrence of each threat and its potential impact should it occur.


This process of estimating risk likelihood and risk impact is called risk analysis. To properly implement this step, the "New Manager" should ideally have developed a rating scale for likelihood as well as for impact. It is generally good practice to use a 5-level scale for higher granularity.

While doing this, keep in mind the organisation’s risk appetite. The scale for impact may also be used in the business impact analysis phase.

Risk Ratings and Risk Levels

The product of risk likelihood and risk impact gives a risk rating value that indicates how high or low the risk of a threat is. A high risk rating would no doubt point to a high risk of disruption. Determining the "riskiness" of a threat in this way is called risk evaluation.

It often makes sense to group risk rating values into risk levels so that threats falling within the same risk level grouping can be assigned the same level of importance and priority for treatment. The higher the risk level, the more priority is given to treating the threat.
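To make the arithmetic concrete, here is an added Python illustration (not a tool from the article or from BCM Institute) that computes a risk rating from 5-level likelihood and impact scores, bands the ratings into risk levels and orders a constructed threat register for treatment. The scale descriptors and the level bands are assumptions, since the article leaves them to the organisation's risk appetite.

```python
"""Risk rating and risk level illustration (added example, not the article's own tool).
Assumes 5-level likelihood and impact scales (1 = lowest, 5 = highest), risk rating =
likelihood x impact (1..25), and assumed bands grouping ratings into risk levels."""
from dataclasses import dataclass

# Assumed 5-level scales; descriptors are illustrative, not from the article.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Assumed banding of the 1..25 rating into risk levels (upper bound inclusive).
RISK_LEVEL_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]

@dataclass
class Threat:
    name: str
    likelihood: int  # 1..5, polled from subject matter experts
    impact: int      # 1..5, polled from subject matter experts

def risk_rating(likelihood: int, impact: int) -> int:
    """Risk rating = likelihood x impact, after checking both sit on the 5-level scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact

def risk_level(rating: int) -> str:
    """Map a rating to its risk level band (the risk evaluation step)."""
    for upper, level in RISK_LEVEL_BANDS:
        if rating <= upper:
            return level
    raise ValueError(f"rating {rating} is outside the 1..25 range")

def prioritise(threats: list[Threat]) -> list[tuple[str, int, str]]:
    """Return (name, rating, level) rows, highest-rated threats first for treatment."""
    rows = []
    for t in threats:
        rating = risk_rating(t.likelihood, t.impact)
        rows.append((t.name, rating, risk_level(rating)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register for the illustration, not real assessment data.
SAMPLE_THREATS = [
    Threat("Data centre power outage", likelihood=2, impact=5),
    Threat("Ransomware on file servers", likelihood=4, impact=4),
    Threat("Key supplier failure", likelihood=3, impact=3),
    Threat("Office flooding", likelihood=1, impact=4),
]

if __name__ == "__main__":
    for name, rating, level in prioritise(SAMPLE_THREATS):
        print(f"{name:30s} rating={rating:2d} level={level}")
```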

The next article in the Assessing Your Risk series will discuss Treating Your Risk.

Reminder

In this reading, you are introduced to the following terminology:

- Risk Likelihood
- Risk Impact
- Risk Rating
- Risk Level
- Risk Appetite
