Business Continuity Management Reporting Series

Report and Present Risk Analysis and Review Findings to Executive Management

This section is part of the BCM-5000 Module 3 Pre-reading List. It is in preparation for compiling and presenting the Risk Analysis and Review (RAR) report to Executive Management.

When you complete the BCM-300/BCM-5000 Module 2, you have the competency of a BU BCM Coordinator, as you have completed the RAR questionnaire.

You have also understood the objectives and challenges of achieving the RAR Questionnaires at the business unit level. 

In Modules 3 and 4, you assume an Organization BCM Coordinator role and must analyse and present the RAR report to Executive Management for approval.

The content is extracted from the BCM Planning Series: Analysing & Reviewing the Risks for Business Continuity Planning.

Moh Heng Goh
Business Continuity Management Certified Planner-Specialist-Expert

Reporting and Presenting Risk Analysis Findings to Executive Management


As part of the BCM-5000 Module 3 Pre-reading List, this section prepares you to compile and present the Risk Analysis and Review (RAR) Report to Executive Management, a critical step in ensuring your organization’s risk landscape is well understood and proactively managed.

Upon completing BCM-300 or BCM-5000 Module 2, you will have gained the competencies of a Business Unit (BU) BCM Coordinator, including hands-on experience with the RAR questionnaire.

This process allows you to identify potential threats, assess their impact, and understand the risk assessment challenges at the business unit level.

In Modules 3 and 4, your role expands to that of an Organisation BCM Coordinator. You must consolidate, analyse, and effectively present the RAR findings in a structured report for Executive Management’s review and approval.

This content is adapted from the BCM Planning Series: Analysing & Reviewing the Risks for Business Continuity Planning. It provides a structured approach to risk analysis and presents best practices.

 

Managing Risk and Review

Report on RAR Findings

The outcome of the Risk Analysis and Review (RAR) phase should be presented systematically and analytically.

It is imperative that the Executive Management understands the risks and can allocate resources to reduce and correct potential losses.

 
The biggest challenge in writing a RAR report is to bridge the gap between the jargon used in the RAR phase and the language that the Executive Management can understand and use for decision-making.
 
As a rule, the Executive Management will focus on summary information and only refer to actual details if needed to support a decision or make a choice between recommendations.
 
The RAR report, when reviewed by the Executive Management, should:
  • Serve as the vehicle for presenting the findings of the RAR process and recommendations
  • Provide the organisation with the information needed to make intelligent and well-informed decisions about the threat issues.

These are some actions that must be taken when handling the report. The RAR report and related documentation should:
  • Be forwarded to the Executive Management for prompt review, approval and action
  • Include only the summary information
  • Contain working papers and detailed analyses that support the findings and recommendations outlined in the report for reference purposes and as a resource for future RAR exercises.
  • Be considered sensitive information and be protected accordingly
  • Not be intended for general distribution

The design layout of a RAR report as per instruction from the BCM Team

Report Preparation & Distribution


The initial steps in preparing the RAR report are:
  • Prepare a draft report containing initial findings and issues
  • Issue draft report to participating BU BCM Coordinators and BU Heads for their feedback
  • Schedule a meeting and/or workshop to discuss the initial findings

Circulation of Draft Report


One of the success factors in delivering a good RA report is to share the report with BU Heads and BU BCM Coordinators. It is essential that the BU Heads and BU BCM Coordinators:
  • Be allowed to review the materials during the preparation of the report
  • Confirm that the content is accurate
  • Review the organisational-wide information and recommendations
  • See how each piece of the organization is interdependent
  • Become familiar with the information
  • Feel ownership
  • Provide input on how best to present this report to Executive Management

This report should also be available to the BCM team members and BCM Steering Committee. This step is essential to the Organisation BCM Coordinator and the organisation's long-term success.

It is crucial to distribute the RAR report because the action items, controls, and most of its elements are the responsibility of many different areas of the organization. Those responsible should be kept informed early in the report's writing.

Tip: As an Organisation BCM Coordinator, you do not want to assume anything. Confirm with the team the most effective approach to ensure all participants and their BU Heads have reviewed the information.

This may be as simple as a follow-up meeting to discuss feedback, suggestions, and edits or as complex as conducting a facilitated session with the team.

The key deliverables are the sign-off and consensus on the RAR findings and the subsequent report that will be submitted to the decision-makers.

Report Design


The RAR report should be designed to answer the following:
  • What is the mission?
    • What are the organisation’s objectives?
    • What are the deliverables?
    • What are the RAR planning assumptions?
  • What is the organisation protecting?
  • What is the outage Risk Level?
  • How do we establish support for implementing the RAR recommendations?

In the documentation of the BIA report, it is essential to note that granular information is not required in the executive summary but should be contained in the detailed text or appendices of the reports.

One of the key outcomes of the RAR report is identifying the organization’s assets and areas of concern. The RAR report should also address the following.

Risk Consequence of the Threat

The consequence of a risk or a threat should the organization’s assets be compromised or be rendered unavailable.

Participation of Stakeholders

The findings report should summarize the involvement of any team or key personnel in the research and data analysis effort.

It is essential to convey that these stakeholders participated in the entire process, including supporting the findings and final report.

Layout of Report


The report must be written and presented in an “effective” manner.
 
The Organisation BCM Coordinator needs to know the organisational culture and what works best for them.
 
This information is provided as an aid to the beginner- and intermediate-level Organisation BCM Coordinator. It is designed to provoke thought and is not meant to be followed strictly.

Executive Overview

It is important to have an executive summary or overview at the top of the report. This summary should convey the entire set of RAR activities in a few pages.
 
The summary targets the executive management, who will only read a few pages. Following the executive summary, the report should contain details of the following:
  • Scope
  • Objectives
  • Approach taken

It is essential to summarize the data gathered, analyzed, and reviewed by the Steering Committee, BU Heads, BU Coordinators, and BC Team.

Priority of Presentation

When preparing the report, the most significant Risk Level should be stated first before proceeding in order of magnitude to the medium and lesser Risk Levels. Quantitative and qualitative Risk Levels should be included to convey the difference and not confuse the target audience.

Two sections should also explain the quantitative and qualitative Risk Levels on a scale of most significant to least.

Conclusion


The conclusion should include the following:
  • A realistic review and commentary, supported by the input of the executive management, that recognises the positive capabilities, competencies, and efforts already in place.
  • A cross-reference to similar projects discovered by the BCM Team through the RAR data gathering efforts. These should be limited to projects, activities, or efforts similar to, complementary to, or associated with the BCM program.
  • Specific areas of concern that need attention and are not current areas of strength for the organization.

Recommendation

One of the key components of this section is to provide varying alternatives. During the RAR process, the Organisation BCM Coordinator should have obtained a variety of solutions to areas of concern, including the following:
  • Provide alternatives
  • Costing of alternatives

If specific costs for completed alternatives or solutions were encountered, these should be included or referred to in the RAR report.

Priority Action Items

If action items require the decision makers’ approval, these should also be specifically identified.

Areas of Concern

If a BCM Team examines an area of concern discovered during the RAR, this should be included explicitly in the RA report.

Tip: When briefing decision makers, the Organisation BCM Coordinator must confirm that there is an exposure and that it has been addressed or is being addressed.
 
Make sure that this information is apparent. In many cases, this RAR report will be the vehicle for identifying necessary additional work, providing budgetary information, and providing the best estimates available based on RAR work and the input from the BCM Team.
 
As an Organisation BCM Coordinator, I usually review the implementation before handing it over to security or facility representatives.

Next Steps

This section needs to include the logical and agreed-upon action items as approved by the Executive Management.
  • Acceptance of RAR findings
  • Approval to conduct the BIA phase (if it is not completed)
  • Approval to proceed with any identified action items or requested controls

Appendices

The appendices of the RAR report may include the following:
  • List of participants who had participated in the RA exercise
  • Consolidated recommendations list
  • Detailed research notes (optional if the content is too complicated to be presented as a report)

RAR Presentation


The presentation to Executive Management is the final and most important stage of the RAR process.
 
Here, approval is obtained to proceed with the RAR implementation and start the next BC planning phase.

Follow-up After the Report

After the presentation is completed, it is not uncommon for specific enhancements or additional controls to need to be identified and their costs worked out. Executive Management has considered the comprehensive implications and elements associated with the BC planning effort.
 
The executive management must be comfortable with the BC team's review of everything. This is also an excellent opportunity for the Executive Management to agree on delegated levels of authority and approval limits.
 
 
