Risk Management – when preparing a Business Continuity Plan, should you focus on the Risks and Threats to your business, and how they impact your critical processes or… identify the critical processes and the potential threats that could disrupt these?
Feedback from BCP Builder Community on LinkedIn:
Preparing for the unknown
- Keep improving your plan, and include Risks and Threats as they become apparent when you test or by analyzing a real incident. You can always prepare yourself for known risks and threats based on your proactive assessments. However, there are unknowns which you also need to be prepared for. A simple example is an undersea cable cut – you may have a plan on how to mitigate it at the surface level, but what will you do when your failover depends on the same cable? This is a black box, as carriers do not provide all the details. Your preparations, tests and post-incident analysis make your plans well-rounded.
- It really comes down to desired project outcome. Are they trying to “harden” a business or a given set of processes? Are they trying to catalog risk and then look at mitigation?
- You need to know what you can and cannot control. The risk gets higher when it’s not within your control. Knowing that is important so that you can manage the impact when it occurs. There are so many outside factors which can impact your processes. The more you know, the better you can manage them. Holding your third-party vendors accountable for their assessments is equally important to your own, and marrying them together gives better and well-rounded insights on your recovery capability.
Effect rather than cause
- Focus on the impact, rather than thinking of how to reduce probability (which can typically be the approach when addressing operational risks and when it makes sense to brainstorm risk factors that could lead to materialization). In other words, ‘forget why your employees can’t log into the system (or get to their workplace) and focus on what to do in this scenario’.
- The Business Impact Analysis will determine critical processes and the impact of stopping them. The Risk Assessment will determine the probability of specific threats in causing them to stop. Ultimately, Business Continuity needs to cater for low and high probability events and therefore the Plan needs to address how to mitigate impact to people, premises, technology and supply chain regardless of cause. The Risk Assessment and Business Impact Analysis will however be useful in setting risk appetite and determining the level of budget and resource to point at particular elements of the Plan.
- The Business Continuity Management program should not be risk based, but should focus on your resources. For example, what is your plan when your building, people, processes, technology, etc. are not available, never mind what the reason for the incident was?
- Whilst there might be an array of risks and threats it will be nearly impossible to determine responses to each one. However, focusing on dealing with the outcomes and defining certain undesirable outcomes provides a platform to plan responses to risks.
Starting with the Business Impact Analysis
- Identify critical processes and functions first and then associate the risks/threats to come up with different categories. Define the plan to recover your critical processes within the Recovery Time Objective in case of impact.
- Identify your core business structure and processes to best identify what possible threats to be prepared to combat. It is impossible to prepare a defense if you do not know exactly what you are protecting.
- Know your critical processes, who carries these out, where they carry them out and who supports them. Only then can you start to understand the potential risks and look at how you mitigate them.
- First step: identify the assets. What are you trying to protect? “Your business” is too generic and obvious. Start there. Once you know what’s at stake you can identify threats and go from there.
- Identify as a first step what would be impacted. If the risks are to assets, first do an inventory of assets; do the same for critical processes.
Starting with Risk Management
- Understand the threats to the business objectives, expressed as risks through the risk register and horizon scan reports. Then set the scope and reduce processes by reducing priority products and services. Then assess impacts over time down to operational activity level. Then threat and risk assess priority activities and design risk mitigations. Business Continuity solutions should be designed in conjunction with risk mitigations.
When Risk Management Fails
- Your Business Continuity Plan kicks in when your Risk Management program fails. This is why some people believe it is not a good idea to combine Risk Management and Business Continuity.
- Some things you just can’t control; probability, impact and velocity are just out of your reach. So it is not necessarily a failure in Risk Management, but certainly a limitation. A crisis happens after Risk Management, meaning you are now dealing with an issue, no longer a risk. Risk Management can help map some sources and support the drafting of certain pre-made crisis protocols. But if a crisis ensues, that’s because Risk Management either failed or couldn’t do anything about the risk factor. It is bad when Risk Management fails to even consider the risk factors that trigger the crisis and Business Continuity responses.
- Business Continuity professionals can see from their perspective hidden threats in Business Impact Analysis/ Risk Assessment not addressed by Enterprise Risk Management.
Movie Plot Risks
- This is attributed to an article published by Bruce Schneier about counter-terrorism (https://www.wired.com/2005/09/terrorists-dont-do-movie-plots-2/). It’s the tendency of people to focus on the high-profile, but unlikely risks, rather than those “slow creep” ones which actually pose a threat to productivity. The mental shift from “but what if this happens…” to “how do we protect this process…” is key.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.