Business Continuity Planning: Conducting the risk assessment and reporting
In Part 9 of our Business Continuity Planning series, we discussed the steps an organization needs to take to conduct the risk assessment. In this article, we will outline how to conduct the risk assessment, how to discuss and finalize mitigation plans and how to report the resulting data to program stakeholders.
Identifying the risks
Risk assessment is a very broad topic that requires expertise to execute properly. As such, we recommend conducting risk assessments with dedicated risk professionals, or at least with a team that receives mentorship from risk professionals. Without getting too far into the nitty-gritty details of conducting risk assessments, we will introduce them in the context of business continuity planning.
First, you need to identify and concisely describe the risks that your organization would benefit from mitigating. When determining the kinds of risks you want to identify, focus on the ones that have the potential to disrupt your business recovery process during a disaster. Prioritize identifying risks associated with the processes that are essential to your organization’s recovery.
Below are some of the criteria you would want to use to identify the applicable risks:
Business processes that are heavily dependent on a limited number of third-party vendors
Important hardware resources that are expensive to retain in your inventory, due to their cost of maintenance and/or the degradation in their reliability due to a prolonged storage period
Organizational attrition rate that could impact executing the business processes that are accepted as vital to the business even during a disaster
Lack of backup skilled manpower resources to execute critical processes during a disaster (when your primary manpower resources are not available)
Physical risks to people when a disaster strikes the building
Risks for important business processes due to the unavailability of information systems
Vulnerability of business information and associated processes against a malware or ransomware attack
Performing the analysis
Once the risks are identified, you need to determine:
the likelihood of such risks occurring in your organization,
which events initiate the risks,
the complexity of the risks,
the potential impact on your business,
the consequences of not mitigating them (including financial consequences), and
the current controls that are in place to prevent or reduce the impact of such risks.
Note: you are not responsible for anticipating unforeseeable risks.
Another key consideration during the above processes is whether or not the risks you’ve identified are closely enough related to overall business continuity. For example, when you are evaluating the risks associated with a lack of cross-skill training among the staff, it is easy to venture into human resources risks such as a lack of succession planning or learning management. Poor succession planning is certainly a risk: when an executive leaves the organization, you may not find a replacement within a short span of time, leading to a gap in the organization’s management function and eventually to challenges in business operations. But this concern is not necessarily related to business continuity. A lack of staff who have been cross-trained to eliminate single points of failure, however, is definitely a relevant risk.
Evaluating the risks
Once you are done with the analysis, you need to compare the result with your organization’s risk tolerance, so that you can provide recommendations to the respective stakeholders. Together you’ll then be able to determine whether you're comfortable with the risk levels or if new mitigation measures need to be implemented.
You should venture outside the scope of your risk assessment only to find information that supports your evaluation. For example, if you identify that you are dependent on one supplier to deliver expensive spare parts for your machines, you need to analyze whether that supplier has enough protection to continue delivering the spare parts during a disaster. Additionally, you need to see whether your organization has effective inventory and enterprise asset management systems that enable you to predict the potential wear and tear on the machines. This analysis will give you enough information to recommend additional vendors that can supply parts during an emergency, or to recommend improving your enterprise asset management systems so that the machines are less likely to suffer a hardware failure during a disaster.
A thorough evaluation will ultimately help your business make the right decisions when selecting mitigation controls that justify their investment. For that reason, we recommend that your report be informative yet concise.
Workshops with the risk team
During your identification, analysis and evaluation, we would advise you to have many workshops with the enterprise risk team to test your articulation of risks — especially if you are using resources that are not part of the enterprise risk management team. This will help you ensure your assessment methodologies are in line with the enterprise risk methodology and that you “speak the same language” with your stakeholders and your enterprise risk team.
If your organization is already used to discussing risks with your risk team, there is a good chance that they are tuned to a certain way of articulating and reporting risks. By changing that process, you are likely to receive pushback, which can put strain on your team and take the focus away from the analysis, since these deviations will have to be explained and justified to your stakeholders.
Holding regular workshops with your risk team as you work through this stage of the business continuity plan will help you minimize these issues, while also ensuring the analysis reflects the correct context and scope. This will also benefit your team when it comes to developing the business recovery strategy.
Once you are satisfied and get the endorsement of your stakeholders, you need to put your findings into a report format they are familiar with. To avoid confusion, use the same templates your enterprise risk team uses.
Discussing with the department heads
Once you have finalized the draft report, send out meeting invites to the department heads (or champions) to discuss the findings and the potential responses to the identified risks. If your analysts are not part of the enterprise risk team, it is a good idea to have one of them take part in these discussions with the department heads. The department heads will provide you with their decision and, where required, a plan to mitigate the risks.
Once you have completed the discussions with the department heads, provide a high-level update to the steering committee, review the report with your GRC or enterprise risk management team, and then finalize your report.
Finalizing and presenting to the committee
When all of the above is complete, prepare an executive summary to present at a meeting with the steering committee.
During the presentation, go through the executive summary and then move on to the highlights of the risk findings. Keep the context and scope of the discussion directly related to your business continuity planning, to make the most of your time on the subject. Most of the committee members are likely to be senior leaders in your organization, and depending on how risks are selected and included in your enterprise risk register, the committee might suggest changes. If your organization has a GRC function or a dedicated enterprise risk management team, the changes the committee suggests will be very minimal, since the GRC or ERM team understands the organization’s risk tolerance. If the findings must be presented to the directors, the committee will let you know.
If you do not have a GRC or ERM team, the committee might suggest larger changes. For example, the risk of not executing payroll due to a system being unavailable might have been rated “high” during your conversation with an HR department head, but the committee or the directors might say otherwise — even if the process was also rated “high” in your BIA.
Next steps
When the discussions with all the relevant stakeholders are complete, as agreed with your ERM earlier, transfer the monitoring and tracking of the risks to them. The outcome of the assessment will be a valuable input in designing the business recovery strategy which will be the next step in the program.
Conclusion
Once your team has prepared for the risk assessment phase, you should identify the risks to the key processes (and their dependencies, including manpower, office, information and hardware). Once identified, these risks should be analyzed and ultimately their severity and likelihood should be evaluated.
By conducting frequent workshops with your enterprise risk management team, your organization will be able to ensure it is in alignment with enterprise risk management practices — you’ll also be able to package your findings in a way the organization understands. These findings should then be discussed with department heads, presented to the applicable committee(s) and transferred to your enterprise risk management team for tracking.