Business Continuity Management
BCM BB_V2_10

[BCM] [P2] [RAR] [2] Frequently Asked Questions for Risk Analysis & Review

New call-to-actionRisk Analysis & Review (RAR) aims to identify the existing risks and threats to which the organisation or business unit is exposed, particularly in its geographical location, area topology, and proximity to potential natural or man-made hazards, and thereafter to minimise their impact.

Moh Heng Goh
Business Continuity Management Certified Planner-Specialist-Expert

Managing Risk and Review-1

Frequently Asked Questions for Risk Analysis & Review

Introduction


This blog highlights some frequently asked questions about the RA process. I find it useful to address some readers’ queries before this book begins.


BIA Versus RA


RA is about identifying the most probable threats to an organisation and analysing the related vulnerabilities of the organisation to those threats.

In addition, it involves assessing the adequacy of controls relative to the organisation's potential threats.

BIA involves identifying the critical business functions within the organisation and determining the impact of not performing the business function beyond the maximum acceptable outage.

The types of criteria that can be used to evaluate the impact include:

  • Customer service
  • Internal operations
  • Legal/statutory and financial requirements


From an RA Perspective

All potential threats must be identified. Thereafter, an assessment must be made to determine the likelihood of such threats occurring and their impact on the organisation’s assets. 

Prioritising risks and evaluating the organisation’s vulnerabilities and controls will improve understanding of how those threats affect the organisation.

In doing so, the Organisation BCM Coordinator establishes the link among threats, vulnerabilities, risks and controls.

In short, the Organisation BCM Coordinator will have identified the organisation's threat and risk profile.


During the BIA Approach


Critical assets will be identified, and their impact assessed and prioritised. RA may be performed to identify threats and the magnitude of the risks against these critical assets.

By doing so, the Organisation BCM Coordinator establishes the link among asset criticality, the impact of their unavailability, the cost of unavailability, and the level of risk.

In short, the Organisation BCM Coordinator understands the organisation’s critical assets and follows up with an RA to identify threats and risks that contribute to the impact identified in the BIA study.


Why Manage Risks?


There are various reasons an organisation would want to manage risks during the BCM planning. They are:

  • Regulations & Standards
    Many government regulators, such as Central Banks, issue BCM Guidelines for financial institutions.
  • Business Drivers
    Existing customers may want the organisation’s assurance regarding the continuity of supply of goods or services under all circumstances.
  • Reputation
    The adverse publicity from an organisation’s suppliers, customers and potential customers should it be unprepared for the threat.
  • Loss Mitigation
    If the primary premises have a history of flooding, what is the likelihood it will happen again? What is the current safeguard (control) that the organisation has to mitigate the risk to an acceptable level?


Why Should RA Be Conducted?


The Executive Management is charged with showing that “due diligence” is performed during decision-making processes for any organisation. RA:

  • Provides the documentation to show that due diligence has been performed.
  • Allows the organisation to take control of its own destiny.

 

With an effective RA process in place, the necessary controls and safeguards will be implemented.


What Can an RA Analyse?


By learning the basic RA concepts, the organisation can then use them to determine:

  • What could go wrong?
  • How could it affect the organisation?
  • How likely is it to happen?
  • What can I do about it?


What Can the Results of an RA Tell an Organisation?


The result of the RA exercise enables the Executive Management to examine all currently identified threats and concerns, prioritise vulnerability levels, and then select an appropriate level of control or accept the risk.

The goal of RA is not to eliminate all risks but to provide management with a tool to reduce risks to an acceptable level. The greatest benefit of an RA is to determine whether it is prudent to proceed.


When & How to Start an RA?

Before an organisation starts its RA, it will need to ascertain the following:

  • If this is the first RA exercise to be conducted in the organisation, it will be used:
    •  As a means of providing decision makers with information needed to understand factors that can negatively influence operations and outcomes.
    • To make informed judgments concerning the extent of actions needed to reduce risks.
  •  If this is not the first RA attempt, it is used to reassess risks and to reconsider the appropriateness and effectiveness of the policies and the controls implemented.


How does RA Get Started?

  • As a Phase Within The BCM Planning Process
    The RA is conducted as part of the BCM planning process after the initial Project Management phase.
  • An Independent RA Project
    The second situation is where the organisation initiates an RA project to assess the threats, vulnerabilities, and risks of its organisation or critical assets, and to evaluate the controls implemented to make an informed judgment on their mitigating effectiveness.


Key Components of RA

RA is an examination of the interrelationships among assets, threats, vulnerabilities, and controls (countermeasures) to determine the current level of risk.

Residual risk is the level of risk that remains after considering all controls in place, vulnerability levels, and related threats.

Ultimately, the residual risk must be accepted as is or reduced to an acceptable level.

When a given threat is poised to exploit a vulnerability, controls must be in place to reduce vulnerability because the asset is what needs to be protected. The impact will then result from threat activity through residual risk.


What is the cause-and-effect relationship?

Risk assessment can be viewed from a simple cause-and-effect perspective. In Figure 2-2, threats are the “Cause”, vulnerability the “probability”, and risk the “Effect” on the organisation’s assets. The terms used are explained below:

  • Threat is an event that causes a risk to become an actual loss to an organisation’s assets.
  • Vulnerability is the exposure to an event that can cause actual loss to an organisation’s assets.
  • Probability is the likelihood of an event occurring.
  • Risk is a hazard or chance of bad consequence or loss. It is an effect of the threat on the asset.

There are three types of threats used to demonstrate the three vulnerability levels: high, medium, and low.

  • High Vulnerability
    If an organisation is highly vulnerable to sabotage, the threat will definitely pose a risk to its organisational assets.
  • Medium Vulnerability
    If an organisation is moderately vulnerable to, say, a power outage, there will still be a moderate risk to the organisational asset.
  • Low Vulnerability
    If the vulnerability is minimal, for example, it is highly unlikely that a Tsunami would strike, as there is little or no risk of loss of organisational assets from this threat.

 

Should BIA be Conducted before RA?


This is a common question because one international BC institute lists it as the 2nd Subject Area of the professional practices, while another lists it as the 3rd.

The argument over whether RA or BIA should come first reflects a lack of understanding of the practical aspects of implementing BC plans, since the quest to determine their correct sequencing is purely academic.

One may want to consider performing RA first if no such review has ever been conducted before.

In most situations I have encountered, established organisations have conducted some form of risk analysis through IT security reviews, physical security reviews, or as part of the enterprise risk management exercise.

BIA should be conducted first when there is an urgent need to determine the financial and non-financial impacts on an organisation to justify the implementation of the BC project.

 

Reference

Analyzing & Reviewing the Risks for Business Continuity PlanningGoh, M. H. (2021). Analyzing & Reviewing the Risks for Business Continuity Planning. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 2: Frequently Asked Questions for Risk Analysis & Review"

More Information About Blended Learning BCM-5000 [BL-B-5]

To know more about our blended learning program and when the next course is scheduled, feel free to contact our friendly course consultant colleagues via sales.ap@bcm-institute.org.  They are the BL-B-3 Blended Learning BCM-300 ISO22301 BCMS Implementer and the BL-B-5 Blended Learning BCM-5000 ISO22301 BCMS Expert Implementer.

New call-to-action
New call-to-action Register [BL-B-3]*
New call-to-action New call-to-action New call-to-action
FAQ [BL-B-3]

Please feel free to send us a note if you have any questions.

Email to Sales Team [BCM Institute]

 FAQ BL-B-5 BCM-5000
New call-to-action New call-to-action New call-to-action
 
 
 

Your Comments Here :

More Posts

New Call-to-action