Business Continuity Management

Report and Present Risk Analysis and Review Findings to Executive Management

Moh Heng Goh
Business Continuity Management Certified Planner-Specialist-Expert

This section is part of the BL-B-5 Module 3 Pre-reading List. It prepares you for the compilation and presentation of the Risk Analysis and Review (RAR) report to Executive Management.

Having completed BL-B-3 Module 2, you have the competency of a BU BCM Coordinator, as you have completed the RAR questionnaire. You also understand the objectives and challenges of completing the RAR Questionnaires at the business unit level. In Modules 3 and 4, you assume the role of an Organization BCM Coordinator and are required to analyse and present the RAR report to Executive Management for approval.

The content is extracted from the BCM Planning Series: Analyzing & Reviewing the Risks for Business Continuity Planning.

 

Managing Risk and Review

Report and Present Risk Analysis and Review (RAR) Findings to Executive Management

Report on RAR Findings

The outcome of the Risk Analysis and Review (RAR) phase should be presented in a systematic and analytical manner. It is imperative that the Executive Management understands the risks and can allocate resources to reduce and correct potential losses.

 
The biggest challenge in writing a RAR report is to bridge the gap between the jargon used in the RAR phase and the language that the Executive Management can understand and use for decision making. As a rule, the Executive Management will focus on summary information and only refer to actual details if they are needed to support a decision or make a choice between recommendations.
 
The RAR report when reviewed by the Executive Management should:
  • Serve as the vehicle for presenting the findings of the RAR process and recommendations
  • Provide the organization with the information needed to make intelligent and well-informed decisions related to the threat issues

These are some of the actions that must be taken when handling the report. The RAR report and related documentation should:
  • Be forwarded to the Executive Management for prompt review, approval and action
  • Include only the summary information
  • Contain working papers and detailed analyses that support the findings and recommendations outlined in the report for reference purposes and as a resource for future RAR exercises
  • Be considered sensitive information and be protected accordingly
  • Not be intended for general distribution

The design layout of a RAR report as per instruction from Program Administration Team

Report Preparation & Distribution


The initial steps in preparing the RAR report are:
  • Prepare draft report containing initial findings and issues
  • Issue draft report to participating BU BCM Coordinators and BU Heads for their feedback
  • Schedule a meeting and/or workshop to discuss initial findings

Circulation of Draft Report

One of the success factors in delivering a good RA report is to share the report with BU Heads and BU BCM Coordinators. It is essential that the BU Heads and BU BCM Coordinators:
  • Be given the opportunity to review the materials during the preparation of the report
  • Confirm that the content is accurate
  • Review the organization-wide information and recommendations
  • See how each piece of the organization is interdependent
  • Become familiar with the information
  • Feel ownership
  • Provide input on how to best present this report to Executive Management

This report should also be made available to the BC team members and BC Steering Committee. This step is essential to the long-term success of both the Organization BCM Coordinator and the organization.

It is important to distribute the RAR report because the action items, controls and majority of the elements of this report are the responsibility of many different areas of the organization. Those responsible should be kept informed early during the writing of the report.

Tip: As an Organization BCM Coordinator, you do not want to assume anything. Confirm with the team the most effective approach to ensure that all of the participants and their BU Heads have reviewed the information.

This may be as simple as a follow-up meeting to discuss feedback, suggestions, and edits, or as complex as conducting a facilitated session with the team. The key deliverable is sign-off and consensus on the RAR findings and the subsequent report that will be submitted to the decision makers.

Report Design


The RAR report should be designed to answer the following:
  • What is the mission?
    • What are the organization’s objectives?
    • What are the deliverables?
    • What are the RAR planning assumptions?
  • What is the organization protecting?
  • What are the outage Risk Levels?
  • How can support be established to get the RAR recommendations implemented?

In the documentation of the BIA report, it is important to note that granular information is not required in the executive summary, but should be contained in the detailed text or appendices of the reports.

One of the key outcomes of the RAR report is to identify the organization’s assets and areas of concern. The RAR report should also address the following.

Risk Consequence of the Threat

The consequence of a risk or a threat should the organization’s assets be compromised or be rendered unavailable.

Participation of Stakeholders

The findings report should summarize how any team or key personnel were involved in the research and data analysis effort.

It is important to be able to convey that these stakeholders participated in the entire process, including their support for the findings and final report.

Layout of Report


When writing the report, it is imperative that the report be presented in an “effective” manner. The Organization BCM Coordinator needs to be cognizant of the organizational culture and what works best for them. This information is provided as an aid to the beginner and intermediate level Organization BCM Coordinator. The information is designed to be a thought provoker and it is not meant to be followed strictly.

Executive Overview

It is important to have an executive summary or overview at the top of the report. This summary should convey the entire set of RAR activities in a few pages. The summary is targeted at the Executive Management who will only read a couple of pages at most. Following the executive summary, the report should contain details of the:
  • Scope
  • Objectives
  • Approach taken

It is essential to summarize the data that were gathered, analyzed, and reviewed by the Steering Committee, BU Heads, BU Coordinators and BC Team.

Priority of Presentation

When preparing the report, the more significant Risk Levels should be stated first, before proceeding in order of magnitude to the medium and lesser Risk Levels. Both quantitative and qualitative Risk Levels should be included in a manner that conveys the difference and does not confuse the target audience.

There should also be two sections explaining the quantitative and qualitative Risk Levels on a scale from the greatest to the least.

Conclusion


The conclusion should include:
  • A realistic review and commentary, supported by the Executive Management’s input that clearly recognizes positive capabilities, competencies, and efforts already in place.
  • A cross reference to similar projects that the BC Team had discovered through the RAR data gathering efforts. These should be limited to projects, activities, or efforts that are similar to, complementary to, or associated with the BCM program.
  • Specific areas of concern that need attention and are not current areas of strength for the organization.

Recommendation

One of the key components of this section is to provide varying alternatives. During the RAR process, the Organization BCM Coordinator should have obtained a variety of solutions to areas of concern including the following:
  • Provide alternatives
  • Costing of alternatives

If there is specific costing of completed alternatives or solutions that was encountered, these should be included or referred to in the RA report.

Priority Action Items

If there are action items that require the decision makers’ approval, these should also be specifically identified.

Areas of Concern

If there is a BC Team that is examining an area of concern that was discovered during the RAR, this should be specifically included in the RA report.

Tip: When briefing decision makers, the Organization BCM Coordinator must confirm that there is an exposure and it has been or is in the process of being addressed.
 
Make sure that this information is made very clear. In many cases, this RAR report will be the vehicle for identifying additional work that is necessary and for providing budgetary information and the best estimates available, based upon RAR work and the input from the BC Team. For the Organization BCM Coordinator, the implementation is usually looked at and handed over to the Security or Facility representatives.

Next Steps

This section needs to include the logical and agreed upon action items as approved by the Executive Management.
  • Acceptance of RAR findings
  • Approval to conduct the BIA phase (if it is not completed)
  • Approval to proceed with any identified action items or requested controls

Appendices

The appendices of the RAR report may include the following:
  • List of participants in the RA exercise
  • Consolidated recommendations list
  • Detailed research notes (optional if the content is too complicated to be presented as a report)

RAR Presentation


The presentation to the Executive Management is the final and the most important stage of the RAR process. It is here that approval is obtained to proceed with the RAR implementation and start the next BC planning phase.

Follow-up After the Report

After the presentation is completed, it is not uncommon that specific enhancements or additional controls need to be identified and their costing worked out. The reason is that the Executive Management has considered the comprehensive implications and elements associated with the BC planning effort.
 
The Executive Management needs to be comfortable that the BC Team has looked at everything. This is also an excellent opportunity for the Executive Management to agree on delegated levels of authority and approval limits.

 


 
