The risk profile provides a context to the kinds of threats faced by the organization, and gives the New [BC | CM | CC | ITDR] Manager or BU Coordinator an idea of what he is up against. The risk profile is also important for deciding the type of BC, CM, CC or IT DR plan to develop.
There are various ways risk assessment can be approached in BCM, CM, CC and IT DR. The current approach is to abide by the ISO22301 BCM Standards. Another common way is the one presented in the ISO 31000 Risk Management Standard. This is a generic risk management standard that can also be used to assess risk in BCM.
You may want to know how Risk Analysis and Review phase fit into the Planning Methodology. What is the Planning Methodology?
Only when we have sufficiently understood the organization would now begin to identify possible threats that could possibly cause a disruption in the organisation. It is often advantageous to assemble a group of subject matter experts and poll them for their views, based on facts and hardcore experience.
Meanwhile, as we speak, there is a risk management standard that is published by the International Standard Organisation or better known by its acronym as ISO. The published ISO 31000 standard is auditable. Hence, it will be good for related disciplines to be aligned to this standard.
While identifying threats, the "New Manager" or at BU level, the BU Coordinator would at the same time collect information from the subject matter experts on the likelihood of occurrence of the threat, and its potential impact should it occur.
This process of estimating risk likelihood and risk impact is called risk analysis. To properly implement this step, the "New Manager" should ideally have developed a rating scale for likelihood as well as for impact. It is generally good practice to use a 5-level scale for higher granularity.
While doing this, keep in mind the organisation’s risk appetite. The scale for impact may also be used in the business impact analysis phase.
The product of risk likelihood and risk impact results in a risk rating value that is indicative of how high or low the risk of a threat is. A high risk rating would no doubt point to a high risk of disruption. This determination of the “risky-ness” the threat is called risk evaluation.
It often makes sense to group risk rating values to give risk levels so that threats falling within the same risk level grouping can be assigned the same level of important and priority for treatment. The higher the risk level, the more priority would be given to treat the threat.
Next articles on Assessing Your Risk will discuss about Treating Your Risk.
In this reading, you are introduced to the following terminology.
Risk Likelihood | Risk Impact | Risk Rating | Risk Level | Risk Appetite |
You may want to know more about business continuity management courses.
For our Singapore colleagues, funding are available under the CITREP+ and WSQ program