Risk Analysis and Review
Example BoK RAR #1
1. What was performed?
The risk assessment process for business continuity and disaster recovery, to identify the various threats and risks to the organisation and their impact on the business.
2. When was it done?
December 20x1 ended mid-May 20x9 and
3. How was it carried out?
I have explained my involvement in the risk assessment stage under the following headings.
Risk identification
- I conducted three rounds of discussions with the respective process/project leads, business unit heads and representatives of other departments to identify the threats and risks to the organisation that might disrupt our operations or business.
- I classified those risks into different types and identified the likelihood of occurrence and the impact on people and operations.
Report Preparation
- I documented the results of the risk assessment in a report, took inputs from IT, Admin and other teams, and evaluated the existing control measures and additional requirements.
Management approval
- I completed the prioritisation of risks with the team, then documented and submitted the list of threats and risks to management. The list was accepted by management, and an acceptable level of risk was decided.
- With the help of the Accounts BU, IT and other BU project leads, I prepared the budget and obtained approval from management (head of division/director).
Improvement and risk re-assessment
- Over time I have suggested many improvements to the risk assessment process. I supervise the risk reassessment activity, which takes place at yearly intervals. Several versions of the risk assessment report have been released.
- I am a member of the DRP Committee and the Management Review Committee and am actively involved in management review meetings regarding risk-related activities and mitigation plans.
- I am actively involved in internal audits, client audits and external audits regarding our risk assessment methodology and results.
- For the last 30 days we have been involved with one of our major clients' business continuity teams in the client's reassessment of risks to the existing critical processes.