Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the relevance and role of Risk Assessment in developing a BCM program. Having been in the industry for more than 20 years, I understand the issue from both sides.

Traditional, formalized Risk Assessment aims to identify the threats to which our organization is vulnerable. Once this threat-vulnerability pairing is identified, the next step is to assign a probability of such an occurrence, based on experience or other external source material. Next, the impact of the threat happening must be assessed. The combination of Probability and Impact – Low Probability/High Impact vs. High Probability/Low Impact (and other options in between) – provides the ability to stratify risks.

Once risks have been assessed, strategies can be developed to mitigate or reduce their potential impact on our operations. This is the risk mitigation approach in a nutshell.

My problem with this approach is that there are never enough monies or resources available to mitigate all possible exposures; there will always be residual risks.

The rationale for developing Business Continuity Plans (BCPs) is that in the event of a disruption – regardless of the threat – those Plans exist to ensure the continued delivery of critical products and services to our customers.  So, BCPs are supposed to address any disruption – whether or not a particular risk has been assessed!

A formalized Risk Assessment helps identify potential disruptive threats. In the Planning phase those threats influence the formulation of resumption strategies, and subsequent development of BCPs. For example, since an earthquake could disrupt operations in California locations, an Earthquake Response Plan might be necessary.

However, in a program focused on the ability to respond to any disruption, response planning is based on impacted assets rather than the threat or cause of disruption. In the previous example, if an earthquake (threat) occurs, the response will be based on which sites (assets) are impacted.

If your program methodology calls for a formalized Risk Assessment, go ahead and knock yourself out. But as for me, while building my BCM program, I’m going to create BCPs that are focused on restoring critical Services – regardless of what may cause a disruption.

Ramesh Warrier


eBRP Founder and Chief Designer of eBRP Suite, Ramesh is a proponent of constant change, a visionary who believes that the practice of Business Continuity can deliver improved operational efficiency. Ramesh, B.Tech in Electrical Engineering, has nearly 30 years' experience in Business & Technology roles. His thoughts are expressed in blogs, white papers, frequent webcasts and speaking engagements at industry conferences.
