In this tutorial, you learn how to conduct a basic but meaningful risk assessment for business continuity management purposes. There are many approaches to conducting a risk assessment. The method described in this tutorial does not require in-depth risk management knowledge, is specifically designed for business continuity purposes and is ISO 22301 compliant.
Risk Assessment according to ISO 22301
According to the ISO 22301 (2019) the purpose of the risk assessment is “to enable the organization to assess the risks of prioritized activities being disrupted so that it can take appropriate action to address these risks.”
The ISO standard states that the risk assessment should answer the following 4 key questions: what could happen; what is the likelihood of it happening; what could the consequences be; and is there anything that could mitigate the consequences or reduce the likelihood?
ISO 22301 does not explain how the risk assessment should be conducted or what the end result should look like.
Risk Assessment according to BCI GPG
The BCI Good Practice Guidelines (2018) describe in greater detail the objective of the business continuity risk assessment, the process to be followed, and what the output should be.
According to the BCI, the business continuity risk assessment is used to identify unacceptable levels of risk and single points of failure. It follows the ISO definition and regards a risk assessment as the overall process of risk identification, risk analysis, and risk evaluation.
BCI advises taking an 8-step approach when conducting a business continuity risk assessment. The approach starts with listing the known and anticipated internal and external threats. The second step is to estimate the impact of each threat on the organization. The third step is to determine the probability of disruption for each threat. The fourth step is to calculate the risk score of each threat by combining the scores for impact and probability. The fifth step is to prioritize the threats based on the risk score for the prioritized activities. The sixth step involves identifying unacceptable areas of risk, which may include single points of failure. The seventh step is to share the outcomes with the relevant interested parties. The final step is to use the information resulting from the risk and threat assessment when designing the business continuity solutions.
The 8-step approach as outlined in the Good Practice Guidelines already provides direction but is still somewhat abstract, verbose, and generic.
What are the 5 steps for conducting a risk assessment?
The following 5 steps will help you develop a meaningful risk assessment for business continuity purposes:
- Step 1: Gather expertise
- Step 2: Identify threats
- Step 3: Determine risk levels
- Step 4: Prioritize risks
- Step 5: Draft action plan
This tutorial assumes that the scope and approach of the risk assessment have been approved by senior management.
Step 1: Gather expertise
The first step of conducting a business continuity risk assessment is to gather expertise within and outside the organization and to obtain relevant data. This step is essential to ensure that the risk assessment results are reliable and supported by management and other relevant stakeholders.
Larger organizations usually have dedicated departments or teams for some of the threats that you need to assess. For instance, many organizations have a Chief Information Security Officer dealing with cyber security threats. Likewise, the Procurement team might be able to provide insight into supply chain and third-party threats. Therefore, it is key to identify the relevant threat categories (e.g. cyber, physical security, supply chain) and assign threat owners (i.e. the departments or teams responsible for each of these threats). Their expertise is required to identify the relevant threats, determine risk levels, and get an understanding of the (effectiveness of the) implemented mitigating controls.
If you work in a smaller organization, you have to rely on your own professional judgment in conjunction with using external expertise and relevant data.
External expertise is valuable in several ways. It helps to prevent internal tunnel vision and supports the timely identification of emerging threats. External expertise can be obtained by interviewing subject matter experts such as scholars or external consultants. Industry peer groups can also be used as an external source of expertise.
In addition to internal and external expertise, relevant data needs to be obtained to inform decision-making during the risk assessment process. Some examples of relevant data which could be used:
- Open-source threat reports such as the BCI Horizon Scan report or the Global Risk Report of the World Economic Forum;
- Data on previous incidents, which can be helpful to understand the threats that are relevant to your business, including the effectiveness or non-existence of mitigating controls.
Step 2: Identify threats
The second step is to identify relevant threats. Threats can be identified during one or more workshops with the identified threat owners.
After the threat identification phase, you might want to categorize the threats per business continuity loss scenario (e.g. loss of IT, loss of third parties, loss of staff, and loss of premises).
The majority of companies need assets such as people, information technology, third parties, utilities, a building, and other property to run their business. A loss of one or more of these assets could result in major business disruption. Conducting a business context analysis might help to get a good understanding of the assets that are relevant to your organization.
Step 3: Determine risk levels
The third step is to determine the risk level by assessing the likelihood and impact of the threat. This can be done during the workshops with the threat owners. You might want to assess two types of risk: the inherent risk level (i.e. the level of risk without any mitigating measure applied) and the residual risk level (i.e. the level of risk that exists after implementation of mitigating measures).
The easiest way to do this is to use a risk rating table or risk matrix. It should be noted that, from both a scientific and a practitioner's point of view, the value of risk tables is contested. For BCM purposes, the use of a risk matrix can be justified because its main purpose is to prioritize risks and to determine which risks will get the most attention in the BCM program.
There are many different risk matrix tables available on the internet. Make sure that you use a risk matrix that quantifies what, for example, a 'major impact' or a 'possible likelihood' means. This improves the repeatability of the assessment process.
Again, if you are working in a smaller organization, you need to rely on your own professional judgment when determining the risk levels. Preferably, subject matter experts are involved.
When determining the risk levels, you might want to add how certain you are of the assigned impact and likelihood levels. If you do not have much data to support your assessment or there is no consensus amongst experts, then the results should be treated with more care. This should be added to the risk assessment result table.
Step 4: Prioritize risks
The fourth step is to prioritize the identified risks. Risk prioritization may be needed when there are many high and critical residual risks, or when there are not sufficient resources to mitigate or transfer the identified risks. Risk prioritization also helps to determine for which scenarios response plans need to be developed.
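As an added worked example (not from the original tutorial), the scoring logic of steps 3 and 4 in Python: quantified likelihood and impact scales, a score-to-rating band table, inherent and residual scores per threat, a confidence flag for thinly supported ratings, and prioritization by residual score. The scale definitions, rating bands and sample threat register are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed 5x5 scales: each level carries a quantified definition so two
# assessors read "possible" or "major" the same way (repeatability).
LIKELIHOOD = {1: "rare: <1 per 10 years", 2: "unlikely: 1 per 5-10 years",
              3: "possible: 1 per 1-5 years", 4: "likely: about yearly",
              5: "almost certain: several per year"}
IMPACT = {1: "negligible: <1 day disruption", 2: "minor: 1-2 days",
          3: "moderate: 3-5 days", 4: "major: 1-2 weeks", 5: "severe: >2 weeks"}
# Upper bound of each rating band; score = likelihood * impact, range 1..25
RATING_BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]

@dataclass
class Threat:
    name: str
    scenario: str             # business continuity loss scenario
    inherent: tuple           # (likelihood, impact) with no controls applied
    residual: tuple           # (likelihood, impact) with current controls
    confidence: str = "high"  # "low" when data is thin or experts disagree

def score(likelihood, impact):
    """Combine the two 1-5 levels into a 1-25 risk score."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("levels must be 1..5 as defined in the scales")
    return likelihood * impact

def rating(risk_score):
    """Map a score onto the matrix's rating bands."""
    return next(label for bound, label in RATING_BANDS if risk_score <= bound)

def assess(threat):
    """Inherent and residual score/rating for one threat (step 3)."""
    inh, res = score(*threat.inherent), score(*threat.residual)
    return {"threat": threat.name, "scenario": threat.scenario,
            "inherent": (inh, rating(inh)), "residual": (res, rating(res)),
            "confidence": threat.confidence}

def prioritise(threats):
    """Step 4: order by residual score; on ties, low-confidence items come
    first so they are revisited before resources are committed."""
    return sorted((assess(t) for t in threats),
                  key=lambda r: (-r["residual"][0], r["confidence"] != "low"))

# Constructed sample register, not taken from the page
REGISTER = [
    Threat("Ransomware on file servers", "loss of IT", (4, 5), (2, 4)),
    Threat("Sole logistics provider fails", "loss of third parties", (3, 4), (3, 4), "low"),
    Threat("Office fire", "loss of premises", (2, 5), (1, 3)),
]
```

Calling `prioritise(REGISTER)` returns the register ordered for step 4, with each entry carrying both the inherent and residual rating so the effect of existing controls is visible next to the confidence flag.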
Step 5: Draft action plan
The final step is to draft a plan in which you describe what you will do with the risks identified. There are four key risk response strategies: risk avoidance (e.g. not taking the risk by not outsourcing critical activities to third parties), risk acceptance (e.g. the risk is accepted by management), risk transfer (e.g. the risk is covered by insurance), and risk mitigation (e.g. the risk is reduced by additional measures). In the action plan, you describe the strategy per prioritized risk and assign action owners and due dates. The risk assessment results and action plan need to be submitted to management for sign-off.