This continues the “DO: Operation” session
Institute for Business Continuity Training www.IBCT.com 1
Risk Assessments
In Business Continuity, we tend to use the Business Unit Risk Assessment method.
Overlooking a serious risk can be dangerous.
Threats to Key Business Activities
If we are only going to look at the negative effects of risk (threats), then we do not actually need to conduct a traditional risk assessment at all. Instead, we need to perform a more focused vulnerability/threat assessment.
This means that we focus only on those potentially disruptive incidents that could have a negative impact on our operations, and only as they apply to that subset of business operations known as our key business activities. There is a very short list of such threats and most of them are common to all organizations.
All Hazards Approach to Risk Assessment
• Using an “all hazards” approach, we focus only on those potentially disruptive incidents that could have a negative effect on our business processes.
• And we look only as they apply to that subset of business operations known as our key business activities (20/80 rule).
• Essentially, all such events will be caused by either a loss of key property (e.g. buildings, equipment, etc.), a loss of key people, a loss of key processes, or possibly two or three simultaneously.
[Diagram: Threats to Key Business Activities; labels: PROCESS, TECHNOLOGIES]
Loss of Key People
- Loss of key staff (unable or unwilling to work)
- Can be short-term, long-term, or permanent
Loss of Key Process Resources
• Key vendor services
• Financials
• Contractuals
• Can be triggered by local, area, or regional event
• Can be short-term, long-term, or permanent
Loss of Key Property
• Technology
• Work Facilities
• Inventory
• Data Center
• Equipment
• Can be short-term, long-term, or permanent
Conducting a Business Unit Risk Assessment
• In the BIA, we identified the resources each key business activity is dependent upon for normal operation
• Key resources may include:
  - Trained staff
  - Office facilities
  - Plant facilities
  - Workstations
  - Computer systems
  - Electronic data
  - Hard copy data
  - Voice communication systems
  - External network connectivity
  - Specialized equipment
  - Materials and supplies
  - Key suppliers, etc.
• We need to determine the vulnerability of these key resources (people, process, or technology), that is, their risk exposure or residual risk, which could result in disruption to key business activities
Threats to Key Business Activities
An example of this approach to risk:

Risk to Service: Data loss
Hazards:
• Data stolen/lost
• Destruction of paper files
• Failure of back up or failsafe
• HDD Failure
• Temporary loss of connection

Risk to Service: ICT Failure
Hazards:
• Damage to internal telephone network
• Damage to the data network
• Destruction of active directory
• Localised hardware failure
• Loss of major application
• Loss of minor application
• Loss of mobile/telephone phone networks
• Loss of switchboard
• Server failure

Risk to Service: Loss of operating premises
Hazards:
• Contamination
• Disruption to direct medical gas
• Disruption to water supplies
• Electric Supply Disruption
• Failure of fixed equipment
• Fire
• Flooding
• Introduction of cordon
• Loss of heating/cooling
• Structural defect/failure

Risk to Service: Key Staffing Shortage
Hazards:
• Mass layoff notices
• Epidemic illness
• Industrial Action
• Pandemic illness
• School closures
• Sudden onset demand
• Transport disruption

Risk to Service: Supplier Failure
Hazards:
• Contamination/product quality
• Contract Breach
• Failure to fund/supply
• Strike action by drivers
• Strike action by key supplier
• Key supplier goes out of business
• Supply chain collapse
Step 1
Conduct workshops with Business Unit SMEs, IT, facilities, etc. to:
• Review measures in place to protect key resources from loss
• Assess the level of protection for each resource and assign a percentage rating
Deliverables:
• Updated matrix with resource protection ratings, and each key activity’s ‘Risk Exposure’
• Ranking of Key Activities by vulnerability, and ranking of threats by overall extent of potential business interruption
Protective measures may include:
• Cross-training of staff
• Building security
• Alternate work locations
• Backup computer systems
• Off-site data backups
• In-bound call redirection
• Redundant communication links
• Regular equipment maintenance
• Backup power systems
• Alternate suppliers, etc.
Key Business Activity: Call Center

POTENTIAL THREATS                     SEVERITY         COVERAGE (measures in place)      RISK
                                      n/a L M H        0% 20% 40% 60% 80% 100%           EXPOSURE
 1. Loss of key staff                 ✔                ✔                                  40
 2. Loss of office facilities         ✔                ✔                                 100
 3. Loss of AS/400 systems            ✔                ✔                                  60
 4. Loss of AS/400 data               ✔                ✔                                  40
 5. Loss of PC/LAN systems            ✔                ✔                                  20
 6. Loss of PC/LAN data               ✔                ✔                                   2
 7. Loss of hardcopy records          ✔                ✔                                   2
 8. Loss of phone system (voice)      ✔                ✔                                 100
 9. Loss of voicemail system          ✔                ✔                                   6
10. Loss of external data/fax links   ✔                ✔                                  80
11. Loss of mail delivery service     ✔                ✔                                   2
12. Loss of other external services   ✔                ✔                                 100

Severity Levels: High = 100, Moderate = 50, Low = 10
Risk Exposure: Severity Level x (100% - Coverage%)
Potential Threat Scenarios
• A ‘Potential Threat Scenario’ is a specific situation, resulting from any internal or external event, which may cause widespread interruption in the organization’s operations for an extended period of time
• Such a scenario could be a catastrophic incident, such as destruction of a building, or a relatively minor incident, such as failure of a single piece of key equipment
Step 2
Based on the results of the BIA/RA, identify the ‘Threat Scenarios’ for which business continuity strategies should be developed
Deliverables:
• List of Potential Threat Scenarios showing the Key Business Resources that are at greatest risk
[Bar chart: Exposure by Threat Scenario. Axis: 0 to 1600. Bars: Loss of key personnel; Loss of office facility; Loss of AS/400 systems; Loss of AS/400 data; Loss of PC/LAN systems; Loss of PC/LAN data; Loss of hardcopy records; Loss of phone system (voice); Loss of voicemail system; Loss of external data/fax links; Loss of mail delivery service; Loss of other external services]
SINGLE POINTS OF FAILURE (SPOFs)
• It is exceptionally important to identify any potential ‘single points of failure’ within the resources supporting the various business activities
• Loss of a ‘SPOF’ can lead to the failure of a key business activity
• ‘Single points of failure’ may include:
  - Key staff with specialized knowledge
  - System components which cannot readily be replaced
  - Non-redundant communication links
  - Critical data which is not backed up
  - Telephony systems
  - Specialized manufacturing equipment
  - ‘Sole source’ suppliers, etc.
Step 3
Presenting BIA/RA results to Management
• Getting management’s endorsement of the BIA/RA results and recommendations is crucial
• When presenting the results to Senior Management, do not present reams of statistics and technical details
• Present the results in a straightforward fashion that they can relate to
Prepare a report summarizing the results and your recommendations, and present to:
• Business Unit management (for validation)
• Senior Management (for action)
Deliverables:
• BIA/RA report
• Executive presentation
Risk Assessment Summary
• One of the primary goals of a BCMS is to prevent avoidable interruptions in the company’s operations
• Hence, it is essential to understand the threats to continued operation, and the company’s vulnerability to those threats
• Identifying the KBAs’ resource dependencies and the risks facing those resources (residual risk/risk exposure) will help in the development of strategies and plans
• Ranking of the key business activities’ risk exposure (threat scenarios) helps determine which activities require continuity strategies
The Keys to Success
• Conducting a BIA/RA is not rocket science, but …
  - every department must follow a consistent methodology to ensure the results will be meaningful
  - standard data collection formats and terminology must be used to avoid misinterpretation, and facilitate analysis and reporting
  - participants must be guided through the process, not just left to fend for themselves
• The use of templates or software tools alone will not ensure these goals are met: you have to know what you are trying to accomplish, and how to do it!
Activity
The Steering Committee has decided to proceed with a Risk Assessment pilot project. Using the ‘Threat Assessment’ template:
1. For each Business Activity in your Business Unit (or organization), list the Potential Risks that could affect this Activity.
2. Risks should be expressed in terms of the loss of essential resources (e.g. loss of facilities, loss of computer equipment, loss of specialized equipment, loss of key personnel, etc.).
Threat Assessment Worksheet
ISO 22301 Risk Assessment, 27-Aug-14
Company: ABC Global    Department: XYZ    Activity:
Worksheet columns:
• POTENTIAL RISKS
• SEVERITY (n/a, L, M, H)
• COVERAGE (0-19%, 20-39%, 40-59%, 60-79%, 80-99%, 100%)
• EXPOSURE SCORE
• COMMENTS
Activity
The Steering Committee has decided to proceed with a Risk Assessment pilot project. Using the ‘Threat Assessment’ template:
1. For each Activity, rank the severity of each Risk based on how disruptive it would be to normal operations. The severity levels are:
   - H = highly disruptive (the Activity could not be performed at an acceptable level) = 100 points;
   - M = moderately disruptive (the Activity could still be performed but at a significantly degraded level) = 50 points;
   - L = low disruption (the Activity could still be performed with only minor degradation) = 10 points;
   - N/A = not applicable (the Risk would not affect this Activity).
Activity
The Steering Committee has decided to proceed with a Risk Assessment pilot project. Using the ‘Threat Assessment’ template:
1. For each Risk (except any that are 'not applicable'), estimate the degree of coverage (0 - 19%, 20 - 39%, 40 - 59%, 60 - 79%, 80 - 99%, or 100%) by checking off (x) the appropriate box.
2. This estimate should be based on the extent to which measures are in place to deter the Risk or to ‘work around’ the loss of the specific resource.
Activity
The Steering Committee has decided to proceed with a Risk Assessment pilot project. Using the ‘Threat Assessment’ template:
1. For each Risk, calculate the Exposure Score:
   Severity - (Severity x degree of coverage) = Exposure Score
   L = 10
   M = 50
   H = 100
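The worksheet procedure above (list risks, rate severity, estimate coverage, calculate exposure) and the Step 1 rankings can be scripted. This is an added example, not part of the IBCT material: the function names, the sample rows (including the "Payroll" activity) and the choice to score each coverage band at its lower bound are assumptions.

```python
from collections import defaultdict

# Severity points as given on the slides; n/a rows are excluded from scoring.
SEVERITY_POINTS = {"H": 100, "M": 50, "L": 10}

# Worksheet coverage bands. Assumption: each band is scored at its lower
# bound, matching the 0/20/40/60/80/100% columns of the Call Center table.
COVERAGE_BANDS = {"0-19%": 0, "20-39%": 20, "40-59%": 40,
                  "60-79%": 60, "80-99%": 80, "100%": 100}


def exposure_score(severity, coverage_band):
    """Severity - (Severity x degree of coverage); None when n/a."""
    sev = severity.strip().upper()
    if sev in ("N/A", "NA"):
        return None
    if sev not in SEVERITY_POINTS:
        raise ValueError(f"unknown severity: {severity!r}")
    if coverage_band not in COVERAGE_BANDS:
        raise ValueError(f"unknown coverage band: {coverage_band!r}")
    points = SEVERITY_POINTS[sev]
    # All severity/coverage combinations divide exactly, so stay in integers.
    return points - points * COVERAGE_BANDS[coverage_band] // 100


def _ranked(totals):
    """Highest exposure first; ties broken alphabetically for stable output."""
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


def rank_exposure(rows):
    """Score worksheet rows and rank both threats and activities.

    rows: iterable of (activity, risk, severity, coverage_band).
    Returns (scored_rows, threats_ranked, activities_ranked).
    """
    by_risk = defaultdict(int)
    by_activity = defaultdict(int)
    scored = []
    for activity, risk, severity, band in rows:
        score = exposure_score(severity, band)
        if score is None:          # risk does not apply to this activity
            continue
        scored.append((activity, risk, score))
        by_risk[risk] += score     # exposure summed across activities
        by_activity[activity] += score
    return scored, _ranked(by_risk), _ranked(by_activity)


# Constructed sample worksheet rows (not taken from the slides).
SAMPLE_ROWS = [
    ("Call Center", "Loss of key staff", "H", "60-79%"),
    ("Call Center", "Loss of office facilities", "H", "0-19%"),
    ("Call Center", "Loss of phone system (voice)", "H", "0-19%"),
    ("Call Center", "Loss of PC/LAN data", "L", "80-99%"),
    ("Payroll", "Loss of key staff", "M", "20-39%"),
    ("Payroll", "Loss of office facilities", "M", "40-59%"),
    ("Payroll", "Loss of phone system (voice)", "N/A", "0-19%"),
    ("Payroll", "Loss of PC/LAN data", "H", "80-99%"),
]

if __name__ == "__main__":
    scored, threats, activities = rank_exposure(SAMPLE_ROWS)
    print("Threats by total exposure:")
    for risk, total in threats:
        print(f"  {total:>4}  {risk}")
    print("Activities by total exposure:")
    for activity, total in activities:
        print(f"  {total:>4}  {activity}")
```

Scoring a band at its lower bound is the conservative reading: it never credits more coverage than the box that was checked guarantees.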
Points to Remember
• New terms:
  - MTPD/MAO
  - MBCO
  - RTO
  - RPO
  - SPOFs
• A BIA/Risk Assessment enables you to:
  - Identify all company business activities
  - Determine the consequences of interrupting these activities
  - Prioritize the time-sensitivity of these consequences
  - Identify the most time-sensitive business activities (80/20 rule)
  - Determine minimum resources necessary to maintain the most time-sensitive business activities
  - Identify those key business activities that are most exposed to interruption and need strong protective measures (strategies)
The “DO: Operation” session continues in the next section.

Business Continuity Planning
