Risk Analysis In Business Continuity Management - Jeremy Wong
1. Risk Analysis In Business Continuity Management. Jeremy Wong, Senior Vice President, GMH Continuity Architects
2. GMH Continuity Architects A leading consultancy focusing on business continuity, disaster recovery and crisis management in Asia Pacific since 1999. Our core business is in safeguarding our clients’ businesses through the sound application of proven, business-oriented business continuity methodologies. * GMH is an accredited partner of BCM Institute.
10. Identify Threats. Man-Made: toxic and radioactive contamination; sabotage (both external and internal); riot, civil disorder and coup; fraud and embezzlement; accidental explosion (on and off site); water leak and plumbing failure; workplace violence; terrorism; aircraft crash; vandalism; arson; physical asset theft; misuse of resources; building and physical security weakness; fire. Natural: tornado (wind storm); thunderstorm and hail storm; lightning and electrical storm; snow and winter ice storm; typhoon and hurricane; flood and other water-based incident; earthquake; mudslide; volcanic eruption and ash fallout; tsunami; large natural fire; epidemic and pandemic.
11. Identify Threats. Business: power outage; labor dispute; employee turnover and single point of failure; unavailability of key personnel; human error; gas outage; water outage; loss of transportation; single source suppliers. Information Technology: voice and data telecommunication failure; IT equipment failure; human error from programmers and users; security vulnerability; data and software sabotage; in-house developed application failure; HVAC failure; defective software.
12. Analyse Risks: identify the impact or consequence of the threat materializing; estimate the likelihood of occurrence; determine the risk level.
13. Risk Analysis Process (diagram). The diagram links six elements, each with a guiding question: Threats (What are the adverse events that can occur?); Likelihood (What is the likelihood that the threat will adversely affect business operations?); Impact (What is the effect on people, infrastructure, facilities, and systems?); Potential for Loss and Risk (How does the threat affect business operations? What are the potential loss exposures to the business?); Controls (What controls are in place? What is the cost for the controls to be implemented?).
23. Risk Analysis and Business Continuity Planning Process. Risk Treatment Strategies: treatment for risks that could potentially interrupt business operations.
24. Implement & Monitor: present recommendations to management for approval; implement the recommendations; monitor the results; adjust as necessary.
Good afternoon, Ladies and Gentlemen. I’m Jeremy Wong, and I am very pleased to be here this afternoon to share with you how Risk Analysis can be conducted for BCM.
First, a quick introduction. I am currently the Senior Vice President of GMH Continuity Architects. GMH is a consulting firm focusing on Business Continuity Management, Disaster Recovery and Crisis Management. Our core business is to help organisations plan and execute their business continuity plans, and I am happy to say that so far we have been very successful in doing just that. We have implemented BCP for organisations not only in Singapore but also around the region, in Malaysia, Brunei, Thailand and the Philippines. As part of our consulting approach, we help equip clients with the knowledge and skills to continue the BC programme even after we leave. That is why we partner with BCM Institute on education and certification programmes.
Before the break, Dr Goh presented you with a short but concise description of each phase in the BCM Planning Methodology. In the short time we have together this afternoon, I would like to focus on just one particular phase of the BCM Lifecycle: what many of you know as Risk Analysis or Risk Assessment. At this point, we are concerned with gathering and analysing information, not with drawing up BC plans yet. That comes later, in the recovery strategy and plan development phases. In Risk Analysis and Review, we examine the external environment for threats that can negatively impact the organisation. We then look for cost-effective ways to mitigate the risks posed by those threats.
To simplify, we can break down the risk analysis and review process into 5 stages: Identify, Analyse, Evaluate, Treat, and Implement & Monitor. Let’s look at each of these stages.
First, Identify. Before anything can be done about the risks, we first must be able to identify the assets we have that we want to protect, and the potential threats that could severely affect those assets.
Examples of organisational assets would be facilities, people, data, software, applications and equipment. The outcome is an inventory list of assets. In addition to physical assets, the list may also contain intangible assets like reputation and business relationships.
We will also need to identify the various threats that might affect our organisations. Here I have listed down 4 categories of threats that you might want to consider. For Natural Threats we have typhoons, floods, earthquakes and pandemics. One of these threats alone could cause major problems; a combination could be quite devastating. If you recall, in Indonesia last year we had a volcanic eruption and an earthquake occurring very close to each other, and that caused huge problems for Indonesia. A Natural Threat is a threat resulting from the effect of nature that may cause a disruptive impact to an organization. Man-made Threats are threats resulting from human interventions.
Business and Information Technology related threats may overlap with “man-made” threats. Information Technology related threats specifically relate to the failure of IT and infrastructure components. There could also be combinations of threats from 2 or more categories. For example, most of you will remember the Icelandic volcanic eruption in March last year. Iceland is right across the globe, but because the ash clouds halted hundreds of flights, the effects were felt even in Singapore. Supply chains were disrupted and businesses in many parts of the world were affected.
There are many ways you can carry out threat identification: “walkaround observation”, checklists, research into historical records, brainstorming. The fuller list of techniques on the slide is: audits or physical inspections; accident / incident reports; brainstorming; decision trees; history; interviews / focus groups; personal or organisational experience; scenario analysis; strengths, weaknesses, opportunities and threats (SWOT) analysis; surveys or questionnaires. At the threat identification stage, you would have narrowed the list down to about 10-15 threats that are most relevant to the organisation. The purpose of this stage is for the project team to narrow the list of threats down to a relevant handful that is more manageable.
Once we have listed down the most probable threats, we would then be able to dissect each threat and examine the Impact and likelihood of occurrence.
We first determine the existing controls and, with these controls in mind, we estimate the impact and likelihood of the threats occurring and arrive at a risk level for each threat. For easy reference, we can map the risk level into a matrix. Risk Analysis is the process to identify the risks to an organization; to define the controls in place so as to reduce the organization’s exposure; and to evaluate the cost for the controls to be implemented. The steps on the slide are: identify the threats; identify the likelihood of each threat occurring; estimate the impact on people (both staff and customers), assets and information; record the threat, likelihood and impact; identify the controls to be implemented.
Here I have put in Fire and Pandemic for illustration. Remember that we have already taken into account the existing controls when developing this risk level matrix, so what you see here represents the residual risk after the existing controls have been applied. Some organisations prefer more detail and go for a 5 x 5 matrix rather than the 3 x 3 matrix shown here. That’s fine so long as the organisation is comfortable with the level of complexity.
Once we are able to locate each threat, we move into the Evaluation stage, which is a screening process: risks are reviewed against a pre-defined set of criteria and adjusted. Categories of risk may arise which require different responses. You may find that many of the more minor risks are filtered out after due consideration. This screening process helps the organisation focus on the most important risks to tackle. In other words, the Evaluation stage helps us prioritize our risks. This stage may be relatively simple for companies that have just a few threats, but may be more involved for companies that are big and have more at stake should a major operational disruption occur.
To do a proper evaluation or prioritization of risk, we need a set of evaluation criteria. The list shows several examples of criteria that can be used to assess and further refine the risk level. To differentiate the significance or importance of criteria, some companies may want to introduce a weighting system, although often this does not contribute much in producing a more accurate analysis.
In practice, we use a template to collect the information to do this mapping. What you see on the screen is a sample template used to collect risk information.
So in our illustration, we have 3 risk rating zones – the high risk zone in Red, the low risk zone in green, and the medium risk zone in amber. Not surprisingly, companies would want to tackle the red high risk zone first. Only after that do they work on the medium risk zone.
Once we have identified and prioritized our risks, we now need to find suitable ways of dealing with these risks.
There are generally 4 strategies that can be used to treat risk – acceptance, avoidance, transfer and reduction.
Some reasons why a risk may be acceptable include: the level of risk is so low that specific treatment is not suitable given the available resources; there is no treatment available; the cost of treatment is so high that it outweighs the benefit; the opportunities presented outweigh the threats to such an extent that the risk is acceptable.
Looking at Risk Reduction in greater detail, we see that there are actually 2 ways to go: we could either reduce the likelihood of a risk occurring (for example by putting in preventive controls), or we could reduce the impact of the risk. This is where having a BCP plays an important part in limiting the downside of a disaster and implementing recovery.
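The residual-risk matrix, the red / amber / green zones and the two routes of risk reduction (lower the likelihood or lower the impact) described above can be tied together in a small risk-register model. The following Python is an added example, not code from the talk or from GMH Continuity Architects. It rates each threat after its existing controls, maps the rating onto the zones of a 3 x 3 matrix, and orders the register so the red zone is tackled first; the same rule is also parameterised for the 5 x 5 matrix the speaker mentions. The zone thresholds, the `Control` and `Threat` names and every threat rating in the sample register are constructed assumptions for illustration, not figures from the talk.

```python
"""Added example (not from the talk or GMH's own material): a small
risk-register model for the likelihood x impact matrix.

Each threat is rated after its existing controls (residual risk), the rating
is mapped onto the red / amber / green zones, and the register is ordered so
the red zone is tackled first. Thresholds, scale sizes and every rating in the
sample register are constructed assumptions, not figures from the talk.
"""
from dataclasses import dataclass

# Zone thresholds per matrix size: (highest score still green, lowest score
# that is red). Scores in between are amber. Score = likelihood * impact.
# Assumed values; an organisation would set its own.
ZONES = {3: (2, 6), 5: (4, 15)}


@dataclass(frozen=True)
class Control:
    """An existing control. A reduction is a number of steps down a scale,
    which models the two reduction routes: lower likelihood or lower impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # inherent rating, 1..size
    impact: int              # inherent rating, 1..size
    controls: tuple = ()     # Control instances already in place


def rating(threat: Threat, size: int = 3, apply_controls: bool = True) -> tuple:
    """Return (likelihood, impact) clamped to the scale. With apply_controls
    the result is the residual rating that goes into the matrix."""
    like, imp = threat.likelihood, threat.impact
    if apply_controls:
        like -= sum(c.likelihood_reduction for c in threat.controls)
        imp -= sum(c.impact_reduction for c in threat.controls)
    clamp = lambda v: max(1, min(size, v))
    return clamp(like), clamp(imp)


def zone(likelihood: int, impact: int, size: int = 3) -> str:
    """Colour of the matrix cell for a rating."""
    if size not in ZONES:
        raise ValueError(f"no thresholds defined for a {size} x {size} matrix")
    if not (1 <= likelihood <= size and 1 <= impact <= size):
        raise ValueError("rating outside the matrix scale")
    green_max, red_min = ZONES[size]
    score = likelihood * impact
    if score >= red_min:
        return "red"
    if score <= green_max:
        return "green"
    return "amber"


def risk_matrix(threats, size: int = 3) -> dict:
    """Place each threat's residual rating in its (likelihood, impact) cell."""
    grid = {(l, i): [] for l in range(1, size + 1) for i in range(1, size + 1)}
    for t in threats:
        grid[rating(t, size)].append(t.name)
    return grid


def prioritise(threats, size: int = 3) -> list:
    """Order the register: red first, then amber, then green; higher score
    first within a zone; threat name as the final tie-break."""
    rank = {"red": 0, "amber": 1, "green": 2}
    rows = []
    for t in threats:
        like, imp = rating(t, size)
        rows.append((t.name, zone(like, imp, size), like * imp))
    return sorted(rows, key=lambda r: (rank[r[1]], -r[2], r[0]))


# Constructed sample register. Fire and Pandemic are the two threats the talk
# used for its illustration; all numbers and controls are assumptions.
SAMPLE_THREATS = [
    Threat("Fire", 2, 3, (Control("Sprinklers and fire drills", impact_reduction=1),)),
    Threat("Pandemic", 2, 3),
    Threat("Power outage", 3, 2, (Control("UPS and standby generator", likelihood_reduction=1),)),
    Threat("Aircraft crash", 1, 3),
    Threat("Water leak and plumbing failure", 2, 1),
    Threat("Vandalism", 1, 1),
]

if __name__ == "__main__":
    for name, colour, score in prioritise(SAMPLE_THREATS):
        print(f"{colour:5}  score {score}  {name}")
```

Running the module prints the register in treatment order: Pandemic lands in the red zone, while Fire, whose inherent rating is identical, drops to amber once the impact reduction of its existing control is applied. Calling `rating(threat, apply_controls=False)` beside the default call shows the inherent-versus-residual comparison the speaker refers to when he says the matrix already reflects existing controls.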