Within Business Continuity circles there is ongoing debate about the relevance and role of Risk Assessment in developing a BCM program. Having been in the industry for more than 20 years, I understand the issue from both sides.
Traditional, formalized Risk Assessment aims to identify the threats to which our organization is vulnerable. Once this threat-vulnerability pairing is identified, the next step is to assign a probability of such an occurrence, based on experience or other external source material. Next, the impact of the threat happening must be assessed. The combination of Probability and Impact (Low Probability/High Impact, High Probability/Low Impact, and the options in between) makes it possible to stratify risks.
Once risks have been assessed, strategies can be developed to mitigate or reduce their potential impact on our operations. This is the risk mitigation approach in a nutshell.
My problem with this approach is that there are never enough monies or resources available to mitigate all possible exposures; there will always be residual risks.
The rationale for developing Business Continuity Plans (BCPs) is that in the event of a disruption – regardless of the threat – those Plans exist to ensure the continued delivery of critical products and services to our customers. So, BCPs are supposed to address any disruption – whether or not a particular risk has been assessed!
A formalized Risk Assessment helps identify potential disruptive threats. In the Planning phase those threats influence the formulation of resumption strategies, and subsequent development of BCPs. For example, since an earthquake could disrupt operations in California locations, an Earthquake Response Plan might be necessary.
However, in a program focused on the ability to respond to any disruption, response planning is based on impacted assets rather than the threat or cause of disruption. In the previous example, if an earthquake (threat) occurs, the response will be based on which sites (assets) are impacted.
If your program methodology calls for a formalized Risk Assessment, go ahead and knock yourself out. But as for me, while building my BCM program, I’m going to create BCPs that are focused on restoring critical Services, regardless of what may cause a disruption.