Business continuity planning: Preparing to conduct the risk assessment

In Part 8 of our Business Continuity Planning series, we wrapped up our discussion of the Business Impact Analysis (BIA) stage. To recap, after BIA interviews have been conducted, the responsible analysts should take the following steps:

  • Analyze the data collected during the interviews

  • Determine business processes priorities

  • Work with their IT team to ensure the proposed RTO and RPO can reasonably support critical business processes 

  • Prepare a report to the committee for their review and acceptance.

Moving on from the BIA stage, the next logical step in developing a business continuity plan is to conduct a risk assessment. In the following article, we’ll outline how to prepare for this step.

Figure 01: High level steps involved in preparing to conduct the Risk Assessment

Why assess BCP risks? 

Conducting a risk assessment will enable you to identify the risks associated with your business's processes, information, people and technology, and ultimately address them to improve the odds of restoring the business after a disaster. Risk assessments are also important from a regulatory compliance perspective. Depending on your field, regulators may expect your organization to align with an industry risk management standard, such as ISO 21300, in which conducting a risk assessment is a mandatory step.

When you are working to restore your critical business processes after a disaster, a risk that materializes and has the potential to impact your organization more than it should could spell doom for your business.

A business continuity plan that does not consider threats to organizational resiliency may look perfect on paper, but may not be effective when you attempt to restore your business after a disaster.

Choosing a risk assessment team

Ideally, you should partner with the risk professionals within your organization to conduct the risk assessment. If that is not possible, then your next best choice is to hire a professional service. If neither of the above options is possible, a third option is to use the same team and resources from your BIA. In this situation, we highly recommend equipping them with risk analysis workshops to help them identify, classify, assess and report risks in alignment with your enterprise risk framework. Using a non-qualified resource to conduct the risk assessment should be your last resort.

Standards and frameworks

The risk assessment for the business continuity plan should use the same frameworks that are used by your enterprise risk management team. If you are an organization that does not have a formal risk management practice, we strongly recommend you implement one before proceeding with a risk assessment. Such a framework does not have to be an extensive one — it can be as simple as adopting the ISO 31000 as the standard and framework, complemented by a matrix that reflects your organization’s risk tolerance.

We will include a few resources for organizations that do not have a risk management practice in our premium toolkit, when it’s made available. Subscribe to our portal for updates.

Context and scope

The risk assessment phase of the business continuity planning must have a clearly defined context and scope. The context to use when identifying and assessing risks is Business Continuity. Specifying this context will help you make sure the assessment only evaluates risks that are related to organizational resiliency and highlighted in your business impact analysis report.

In the previous stage (the BIA), you will have already identified the critical business processes and associated resources, their dependencies, the critical technologies and the overall impact of a disaster on your processes. During the risk assessment stage, you need to identify the risks associated with the gaps and the potential risks that should be mitigated during or after a disaster. 

Keep in mind that mitigation of risks might take anywhere from a few weeks to many years and your objective is to identify them and ensure your business recovery strategy is designed with these unmitigated risks in mind. Managing the mitigation of these risks will eventually be transferred to the departmental or enterprise risk registers and tracked using your organizational risk management processes. If you do not have a formal risk management process, tracking of the risk mitigations should be formally agreed with your committee before moving to the next phase.

Once the context is established, you need to define the scope within which you will conduct the risk assessment. In general, the scope for conducting a risk assessment is the same as the scope for the business continuity plan development. However, if you discover any changes in scope specific to the risk assessment, you must discuss them with the committee before proceeding. There are also situations where the risk assessment might extend beyond the scoped organization. For example, you might determine it’s important to evaluate the risks associated with your dependency on an external third party.

Another thing to make sure of ahead of the risk assessment is that you have collected all the necessary information. Below is a non-exhaustive list of things your organization should know before getting too far:

  • A list of risks that are tracked at the enterprise risk register that are specific to the organization’s resiliency

  • Consolidated business impact analysis interview data and the associated report

  • A risk assessment spreadsheet (or automated system)

  • Risk assessment guidelines

  • Risk reporting templates

Discuss with the enterprise risk management team

Before implementing the risk assessment plan, the working team should have a formal discussion with the enterprise risk management team to discuss the below items:

  • Scope and context of the risk assessment

  • List of risks in the enterprise risk register that are relevant to the Business continuity planning

  • Use of standards and frameworks

  • Use of the templates that are developed by the risk management teams (or acknowledgement to use the template you have developed for this stage)

  • Risk identification, assessment and classification methodology

  • Documenting and reporting of the risks

  • Transferring the tracking of risk mitigation

The above applies whether you retain the same team and resources from your BIA stage, use risk analysts, or hire an external service provider. It’s important to discuss and agree on transferring the monitoring and tracking of the risks to the enterprise risk register. Business continuity planning, even when it is operational, does not track risks; these should instead be continually tracked by the enterprise risk management team, which provides updates to the Business Continuity Management (operational) team so that the business recovery plan can always be kept up to date.

Communicating the plan

Once the preparation is completed, the program team must notify the business continuity steering committee that the risk assessment is commencing. This can be done via email or in meetings. Either way, the committee needs to be given insight into what the working team will be doing in the risk assessment phase. Anyone responsible for implementation must be included in the communication or the meeting.

As you identify the risks, you will have to prepare the champions. You should set up meetings with them to discuss and come up with the mitigation plans. You can have a single meeting or email communication to all the stakeholders involved. We would recommend developing a presentation with a few slides to provide some details on the scope, framework, methodology, team, schedule and the expected outcome of the assessment. These slides should then be presented in a meeting with all relevant stakeholders. Additionally, it is good to send out some updates to any staff members that aren’t directly involved, just so they’re informed about the progress and can continue to be mindful of the business continuity planning.

Conclusion

Once the business impact reporting is done, preparation to conduct the risk assessment must commence. The scope and context for the risk assessment must be defined and the analysts must be identified. A framework to conduct the risk assessment must be developed or adopted, depending on the availability of such a framework in your organization. Then you need to conduct a workshop with the risk management team to discuss your plan, incorporate their feedback, and then present the strategy for this phase of the program to the committee and the champions.
