Risk Assessments have always been a ‘best practice’ in Business Continuity Management. That classic legacy approach has required a thorough examination of threats & vulnerabilities, probability & impacts – resulting in some manifestation of a risk index.
But at the end of the day, Business Continuity Planning is about the ability to respond to disruptions. Does a Risk Assessment really provide any assistance in developing the ability to respond? From my 15+ years of BC/DR experience, I’d say the answer is: No.
From an organization perspective, Operational Risk (OR) assessment is important and an integral component of everyday operational management. Constantly evaluating organizational vulnerability against threats, single-points-of-failure and gaps helps to identify opportunities for improved operational efficiencies. Why repeat the same process, albeit in a formalized manner, within the BCM program?
Business Continuity planning is about the ability to respond to any interruption that impacts the ability to deliver products & services. Does it matter what caused the interruption? Or what was the probability of that disruption occurring? If we have planned to recover the impacted assets, the cause and the risk index for it are totally irrelevant. The only reason the Risk Assessment could be relevant is if we choose to plan to recover from specific risks (a hurricane plan, an earthquake plan, a zombie attack, etc.). But the results of those scenarios are all the same: impacted assets. If we plan to recover assets (focusing on the impact, rather than the cause), then not only are scenario plans irrelevant, but so is the Risk Assessment that prompted them.
Then, of course, there are BCM professionals who argue endlessly about whether the Risk Assessment should happen before or after the Business Impact Analysis. That’s a waste of time and energy, hopping down a bunny trail leading nowhere. Time that could be better spent on creating asset-based recovery plans!
Business Continuity and Disaster Recovery are about impact. What is impacted? What else might be impacted downstream? What is the casualty chain (the sequence of events in which failure of one event causes the next to fail)? Is the impact caused by a 100-year flood plain? Is it due to a SQL injection? Does it result from a denial of service, an explosion, a sprinkler leak, or viral social media exposure? Does it matter? At the time of the incident nobody cares about the risk assessment or the risk index. There is only one important question: what is impacted?
The sole purpose of Business Continuity Planning is (or should be) to improve our capability to respond to a disruption in a timely fashion, in order to meet the objectives of the business. We must assure that key products get delivered to critical customers. We plan to ensure services are resumed within agreed-upon Service Level Agreements. Our customers are not really concerned about what caused the disruption – only whether we can deliver as if the disruption never occurred. If we cannot measure up to the agreed-upon SLA, those customers may source from other suppliers. So our Business Continuity planning needs to focus on recovering the assets that enable us to meet customer demands.
Our Business Continuity Plans need only focus on how to respond: what tasks need to get done in the event of a disruption. If we’ve done our planning properly, we should know which products and services are critical to our business. We should know which assets (facilities, people, technology, business processes and supply chains) are critical to delivering those products and services. So we should be able to plan for the recovery, replacement or continuity of those assets – regardless of what disrupted them.
When a disruption occurs, Incident Managers need to understand what’s been impacted, what plans are in place to address those impacted assets, and who needs to be notified to implement those plans. No risk assessment is needed.
Risk Assessment lives in the operational GRC realm and, from an Incident Response point of view, adds little or no value to the BCM program. So why do we continue to waste precious time on Risk Assessments for BCM? As the old adage* says, “If you always do what you always did, you will always get what you always got.”
(*Whether Einstein, Mark Twain or even Tony Robbins said it is irrelevant – just like performing a Risk Assessment as part of your Business Continuity planning)