
Enterprise Risk Assessment and Business Impact Analysis

$69.99

This book is your guide to best practices in understanding enterprise risk and business impact. It provides you with essential guidance for the identification, management and control of risks confronting businesses. What might happen? How will our enterprise be affected? What will the impact be? Answering these questions accurately and objectively is essential to Business Continuity Management, business success – and even business survival.

Description

Your definitive enterprise risk assessment guide

More than ever, the basic lesson for business managers and for business continuity professionals is: anything can happen!

This book by Andrew Hiles is your guide to best practices in understanding risk assessment and business impact analysis. It provides essential guidance for the identification, management and control of risks confronting businesses. What might happen? How will our enterprise be affected? What will the impact be? Answering these questions accurately and objectively is essential to Business Continuity Management, business success – and even business survival.

The helpful examples all have their roots in real cases and come heavily laden with pragmatism. Over fifteen years' experience in blue-chip environments, large and small, public and private, has gone into developing the methods described. Others come with a respected pedigree from a variety of industries. Your own right way for risk management means picking, matching and tailoring from the cases, guidance and examples provided, and building on existing best practice within your organization.

Why This Book on Enterprise Risk Assessment and Business Impact Analysis?

I was founder and Chairman of Survive, the first international user group for business continuity management. Survive gave birth to the Business Continuity Institute (the industry's professional association). Both bodies were concerned with the issues of recovering from business disasters. Typically the recovery involved doing something different: alternate locations, operations, equipment, IT and telecommunications facilities. It all implied a hiatus – an interruption, a period of uncertainty and disruption, before a semblance of normality was restored.

The Business Continuity profession included the disciplines of risk management and an understanding of the impact on the business, should those risks actually occur. But then, so did many other functions within the business. Maybe the IT Disaster Recovery function was separate from business contingency planning. Operational Risk Management then had a fairly narrow role, typically looking at specific operational functions. Insurance was something else, often the remit of the Finance Director or someone called a Risk Manager who was, in fact, mainly concerned with insurance aspects. There was usually someone else responsible for compliance issues, while yet another person was accountable for health and safety issues. An audit function was responsible for fraud. Typically, the organization had no overall view of risk and no individual with overall responsibility for it: fragmentation was normal.

Then, a few years ago, a tide of acknowledgment emerged that these risk-related functions should be brought together. The reason was not always logic: sometimes it stemmed from downsizing and the merging of these functions for productivity rather than for strategic reasons. For some, Y2K projects created a sense of urgency and an impetus that promoted this as pragmatic logic. Some companies had the vision to take a holistic approach to risk management and to create what we have come to call Enterprise Risk Management.

We have been privileged to help a number of companies through this process and facilitate the creation or enhancement of their risk resilience: in short, helping them move from an expectation of disruption and subsequent recovery to a position where effective risk management all but eliminates the disruption.

Several years ago, I was presenting a workshop on disaster recovery planning to an international audience and a German in the front row was looking increasingly puzzled. At the coffee break, I asked him if, perhaps, I was using unfamiliar terms or whether I was not making myself clear. "No," he said. "I understand perfectly what you say. It's just that, in Germany, we are not allowed to have a disaster." Now, many years later, it is evident that he had a point. While we cannot legislate against disasters, we can seek to minimize them. Of course, the unimaginable can always happen (as we have learned from recent horrific events) and we have to be prepared to deal with the human and business consequences of it. But, increasingly, foresight can prevent many situations that previously might have become unexpected disasters.

This book results from a wish to share risk management best practice – not from the perspective of a theorist, but from a practitioner’s viewpoint.

A classic title from Rothstein Publishing (2002), by Andrew Hiles, Hon FBCI.

PURCHASE PRINT OR eBOOK FROM GOOGLE BOOKS


Contents

PREFACE (p. 13)
Foreword (p. 17)
How To Use This Book (p. 19)

Section One: Introduction (p. 21)
  1.1 What is Risk Management? (p. 21)
  1.2 Why Risk Management (p. 22)
  1.3 Why This Book? (p. 23)
  1.4 Risk Management and Quality (p. 24)
    Category 1. Leadership (p. 24)
    Category 2. Business Information Management & Analysis (p. 25)
    Category 3. Business Planning (p. 26)
    Category 4. Human Resource Development and Management (p. 26)
    Category 5. Process Management (p. 26)
    Category 6. Customer and Market Focus (p. 27)
    Category 7. Business Results (p. 28)
  1.5 The Importance of Business Leadership (p. 28)
  1.6 Enterprise Risk Management (p. 28)

Section Two: Risk Evaluation & Control (p. 31)
  2.0 Introduction (p. 31)
  2.1 DRII/BCI Unit 2 (p. 31)
  2.2 Definitions: Hazards, Threats, Risks and Assets (p. 32)
  2.3 Risk Assessment – The Need (p. 32)
  2.4 System Safety Programs and HAZOP (p. 33)
  2.5 Health & Safety – Risk Assessment (p. 34)
  2.6 Control of Major Accident Hazards Regulations 1999 (COMAH) (p. 35)
  2.7 Risk Management for Finance and the Finance Sector – Compliance Issues (p. 36)
  2.8 Gramm-Leach-Bliley Reports (p. 39)
  2.9 Food and Drugs Administration (FDA) Compliance (p. 39)
  2.10 Risk Assessment in the Food Industry (p. 40)
  2.11 Health Care (p. 40)
  2.12 Risk Assessment in Other Industries (p. 40)
    Table 2.1 Risk Guidance and Compliance (p. 41)
  2.13 Risk Assessment: Statutory Requirement and Duty of Care (p. 42)
  2.14 Project Risk (p. 43)
    2.14.1 Project Risk Factors (p. 43)
      Figure 2.1: The Project in Context (p. 46)
    2.14.2 Project Management Organization Structure (p. 47)
    2.14.3 Project Roles (p. 48)
    2.14.4 Project Management Methodology (p. 51)
      Figure 2.2: Example of Project Management Methodology (p. 51)
    2.14.5 Why Projects Fail (p. 52)
      Figure 2.3: Causes of Project Failure (p. 52)
  2.15 Example of Risk Assessment Guidelines: The Turnbull Report (p. 53)
    2.15.1 What is Turnbull? Why? (p. 53)
    2.15.2 The Turnbull Process (p. 54)
    2.15.3 Making Progress (p. 54)
  2.16 Risk Requirements in Germany (p. 55)
  2.17 Risk Assessment – The Process (p. 55)
    Figure 2.4 Schematic of Risk Assessment Process (p. 56)
  2.18 Options for Risk Management (p. 57)
  2.19 The Turnbull Approach to Risk Assessment (p. 57)
  2.20 Critical Component Failure Analysis (p. 58)
  2.21 A Swedish Approach (p. 59)
  2.22 Operational Risk Management (p. 62)
  2.23 An Output Approach to Risk (p. 63)
  2.23 Security and Siting – Risk Areas (p. 63)
  2.26 Supplier and Outsourcing Risk (p. 65)
    2.26.1 The Increasing Supply-Side Risk (p. 65)
    2.26.2 Outsourcing Issues (p. 66)
    2.26.3 Getting Outsourcing Right (p. 67)
    2.26.4 The Importance of Service Level Agreements (p. 68)
    2.26.5 Vendor Evaluation Criteria (p. 69)
    2.26.6 Relating Contract Type to Service (p. 70)
      Figure 2.5 Contract Relationships (p. 71)
    2.26.7 Lessons from Experience (p. 71)
  2.28 Condition Assessment & Financial Condition Assessment (p. 73)
    2.28.1 What is Condition Assessment? (p. 73)
    2.28.2 Financial Risk Assessment in the Insurance Industry (p. 73)
  2.29 US Banks: Risk-Based Assessment System (p. 76)
  2.30 Causes of Business Interruption (p. 76)
    Figure 2.6: Analysis of Business Interruptions (p. 77)
  2.31 Automating Risk Management (p. 77)
  2.32 Summary (p. 78)
  Appendix A to Section Two: Possible Threats (p. 79)
  Appendix B to Section Two: Example of a Simple Risk Analysis (p. 82)
  Appendix C to Section Two: Example Health & Safety Risk Checklist (p. 96)
  Appendix D to Section Two: The E-Bomb – The New Threat (p. 105)
    What is an E-Bomb? (p. 105)
    History (p. 106)
    The Technology (p. 107)
    Defense Against E-Bombs (p. 108)
    References (p. 109)
  Appendix E to Section Two: Theft (p. 110)
    Introduction (p. 110)
    The Cost of Theft (p. 110)
    The Impact of Theft (p. 111)
    Summary (p. 111)
  Appendix F to Section Two: Risk Analysis in IT Projects (p. 112)
    Background (p. 112)
    Controlling Projects: Development (p. 113)
    Lessons from Experience (p. 114)
    Annex 1 to Appendix F: IT Project Risk Assessment (p. 116)
      Symptom of High Risk (p. 116)
  Appendix G to Section Two: Infrastructure Project Risk Management Framework (p. 118)
    Introduction (p. 118)
    Method (p. 120)
    Market Comparisons (p. 121)
    Risk Management Approaches (p. 123)
    Risk Management & Business Continuity Strategy (p. 124)
    Infrastructure Project Risks (p. 124)
    Risk types (p. 125)
      Figure 1: Basic Risk Matrix (p. 126)
    Multiple dimensions of Risk Matrix (p. 128)
      Figure 2: Risk Matrix (p. 128)
    The Framework (p. 129)
      Figure 3: Framework (p. 129)
    Conclusion (p. 131)
    The Way Forward (p. 131)
    Annex 1 to Appendix G: Example High Level Risks for an Infrastructure Project (p. 133)
    Annex 2 to Appendix G: A Major Infrastructure Company Approach (p. 135)
      Figure 4: Risk Process Flow (p. 137)
  Appendix H to Section Two: Cost Items to Consider in Financial Authority (p. 138)
    Equipment etc. (p. 138)
    Documentation / manuals (p. 139)
    Staff Costs (p. 139)
    Contractors (p. 139)
    Travel and subsistence (p. 139)
    Environmental Costs (p. 139)
    Risk Management (p. 140)
    Insurance (p. 140)
    Cost of off-site storage (p. 140)
    Ongoing Costs (p. 140)
    Finance Option (p. 141)
    Write off of items to be disposed of (p. 141)
    Is the depreciation period of the project reasonable? (p. 141)
    Project Costs for: (p. 141)
  Appendix I to Section Two: Example of a Risk Management Database (p. 142)
    Introduction (p. 142)
    Possible Requirements (p. 142)
  Appendix J to Section Two: Example Assets (p. 146)
  Appendix J to Section Two: Example Assets (p. 147)
  Appendix K to Section Two: Murphy Rules! (p. 149)

Section Three: Business Impact Analysis (p. 151)
  3.1 DRII/BCI Unit 3 (p. 151)
  3.2 What is BIA? (p. 152)
  3.3 The BIA Project (p. 152)
  3.4 BIA Data Collection Methods (p. 153)
  3.5 Critical Success Factors: Definitions (p. 154)
    Figure 3.1: Critical Success Factor / Business Process Matrix (p. 156)
  3.6 Key Performance Indicators (p. 157)
  3.7 Process Flows (p. 157)
  3.8 Outputs & Deliverables (p. 158)
  3.9 Activity Categorization (p. 158)
  3.10 Desk Review of Documentation (p. 158)
  3.11 Questionnaires (p. 159)
  3.12 Interviews (p. 162)
    Figure 3.2: Summary of BIA Interview Data (p. 164)
  3.13 Workshops (p. 165)
  3.14 Observation (p. 165)
  3.15 Business Impact Analysis – Financial Justification for BCM (p. 165)
  3.16 Grounds for Justification (p. 166)
  3.17 Life and Safety (p. 166)
  3.18 Marketing (p. 166)
  3.19 Financial (p. 168)
    Figure 3.3 Average Normalized Share Price Variation % Following a Disaster (p. 169)
  3.20 Compliance / Legal Requirements (p. 170)
  3.21 Quality (p. 171)
  3.22 Summary: Financial Loss (p. 171)
    Table 3.1: Cost of Disaster – Causes (p. 172)
  3.23 Designing an Impact Matrix (p. 173)
    Table 3.2: Simplified Impact Analysis (p. 175)
    Premises (p. 175)
  3.24 Time Window for Recovery (p. 176)
    Figure 3.4: Risks and Outage (p. 177)
    Figure 3.5: Time Window for Recovery (p. 177)
  3.25 Resource Requirements (p. 179)
    Figure 3.6: Effect of Coincident Workload Peaks (p. 179)
    Figure 3.7 The Backlog Build-up (p. 180)
  3.26 Summary (p. 181)
  Appendix A to Section Three: Resource & Timescale for Provisioning (p. 182)
  Appendix B to Section Three: Example of Risk & Impact Analysis (p. 184)
    Background (p. 184)
    Risk Description (p. 184)
  Appendix C to Section Three: Marketing Protection (p. 188)
    Introduction (p. 188)
    What is Marketing Protection? (p. 189)
    Brand Value (p. 189)
      The World's Top Ten Brands (p. 191)
    Advertising and Marketing (p. 192)
    The Halo Effect (p. 194)
    The Downside of Advertising (p. 194)
    Risk Management Spend in a Marketing Context (p. 196)
    Summary (p. 196)
  Appendix D to Section Three: The Cost of Lost Data (p. 197)
    The Background (p. 197)
    The Cost (p. 198)
    The Implications (p. 198)
    Statistics (p. 199)
    Summary (p. 199)
  Appendix E to Section Three: e-Commerce Risk and Impact (p. 200)
    Business Risk and e-Commerce (p. 200)
      Table 1: Cost of Downtime (p. 202)
    How IT Projects are Changing (p. 203)
    Risk Management Principles: Working with e-Commerce Projects (p. 204)
    The Balance Between Speed and Risk: Solutions (p. 205)
    Summary (p. 207)
  Appendix F to Section Two: Background Information for BIA (p. 209)
    Information Requirements (p. 209)
    General (p. 209)
    Procedures and Standards (p. 210)
    Risk Management and Insurance (p. 210)
    Contracts and Licences (p. 210)
    Technical Documentation (p. 211)

Section Four: Risk & Continuity Theory & Strategies (p. 213)
  4.1 Introduction (p. 213)
  4.2 Valuation of Risk and Flexibility (p. 214)
    Risk (p. 214)
    Flexibility (p. 214)
  4.3 Techniques for Valuing Risk and Flexibility (p. 215)
  4.4 Stochastic Processes (p. 216)
  4.5 General Risk Theory (p. 217)
  4.6 Investment Risk (p. 217)
  4.7 Random Finite Abstract Sets (RFAS) Theory (p. 218)
  4.8 Sensitivity Analysis (p. 218)
  4.9 Quantitative Risk Analysis (p. 218)
  4.10 Qualitative Risk Analysis (p. 219)
  4.11 Boolean Simulation (p. 219)
  4.12 Bayes Theorem (p. 220)
  4.13 Monte Carlo Simulation (p. 220)
    Figure 4.1: Example of Monte Carlo Model (p. 222)
    Table 4.2: Contacts for Monte Carlo Analysis Tools (p. 223)
  4.14 Decision Tree Analysis (p. 223)
    Figure 4.3 Example of Decision Tree Analysis (p. 225)
  4.15 Dependency Modelling (p. 226)
  4.16 Computer Risk Assessment and Management Methodology (CRAMM) (p. 228)
    Figure 4.4: CRAMM Principles (p. 229)
  4.17 Value at Risk (p. 230)
  4.18 Risk Methods and Techniques: Conclusion (p. 231)
  4.19 Recovery Strategies (p. 231)
  4.20 Recovery Strategies: Summary (p. 236)

Section Five: A Brief Guide to Insurance (p. 237)
  5.1 Introduction (p. 237)
  5.2 Insurance Issues (p. 237)
  5.3 Insurance Definitions (p. 238)
  5.4 Self-Insurance (p. 239)
  5.5 Asset Value (p. 239)
  5.6 Insurance Cover (p. 240)
  5.7 Losses and Events (p. 242)
  5.8 Proof of Loss (p. 243)
  5.9 Indemnity Period (p. 244)
  5.10 Insurance Relationships (p. 244)
    Figure 5.1 Insurance Relationships (p. 245)
  5.11 Summary (p. 245)

Section Six: Writing the Risk Assessment & Business Impact Analysis Report (p. 247)
  6.1 Introduction (p. 247)
  6.2 The Report: Typography and Layout (p. 249)
  6.3 Document Format (p. 249)
  6.4 Revision and Editing (p. 252)
  6.5 The Presentation (p. 253)
  6.6 Summary (p. 253)

Section Seven: Sources of Help (p. 255)
  7.1 Introduction (p. 255)
  7.2 Checklists (p. 256)
    Associations (p. 257)
    Banking Risk Management (p. 257)
    Farm Succession (p. 258)
    Lightning (p. 258)
    Market Risk Management (p. 258)
    Project Management Checklist (p. 259)
    Site Selection (p. 259)
  7.3 Associations (p. 259)
    American Risk and Insurance Association (p. 259)
    The Association of Insurance and Risk Managers (p. 259)
    Australian Institute of Risk Management (p. 260)
    The Business Continuity Institute (p. 260)
    Risk Assessment & Policy Association (p. 260)
    Risk and Insurance Management Society, Inc. (p. 260)
    The Society for Risk Analysis (SRA) (p. 261)
    The Society for Judgment and Decision Making (p. 261)
  7.4 Web Sites (p. 261)
    Federal Emergency Management Agency (FEMA) (p. 261)
    Dependency Modeling (p. 263)
    International Risk Management Institute (p. 263)
    International Institute of Risk and Safety Management (p. 263)
    Institute for Crisis, Disaster, And Risk Management (p. 263)
    The Institute of Risk Management (p. 263)
    IRMA (p. 264)
    Project Management Institute Risk Management Special Interest Group (p. 264)
    RiskWorld (p. 264)
    RISKANAL Discussion Group (p. 264)
    Statistics (p. 265)
    Survive (p. 265)
    Summit Systems, Inc. (p. 265)
  7.5 Processing and Collating Information (p. 265)
  7.6 Summary (p. 266)

Section Eight: Risk Assessment & Management & Dependency Modelling Tools (p. 267)
  8.1 Tools: Introduction (p. 267)
  8.2 Tools: Examples (p. 267)
    Assessing Risk – Internal Audit Tool Kit (p. 268)
    The BUDDY SYSTEM (p. 268)
    CAMEO (p. 269)
    CORA (Cost of Risk Analysis) (p. 269)
    Crystal Ball® (p. 269)
    DATA Decision Tree software (p. 270)
    Defender (p. 270)
    designsafe (p. 271)
    HealthCalc Network (p. 271)
    iDecide (p. 271)
    Orbit (p. 271)
    PetroVR (p. 272)
    REALBIZ (p. 272)
    RI$K (p. 272)
    Risk Alert (p. 273)
    Risk Assessment Software and Consulting (p. 273)
    RISKMASTER (p. 273)
    RiskFolio (p. 273)
    Risk+ (p. 274)
    TRIMS (p. 274)

Acknowledgements (p. 276)
Bibliography (p. 277)
About the Author (p. 281)
About The Publisher (p. 282)

 

Preface by Melvyn Musson

Risk Analysis and Business Impact Assessment is an area of Business Continuity Management that evokes a lot of discussion and misunderstandings.

For many years, Andrew Hiles and Philip Jan Rothstein have talked about the need for a detailed book on this subject. Finally, their collaboration is meeting that need.

Several years ago, I was an integral part of the group that developed the Common Body of Knowledge that was ultimately adopted jointly by the Disaster Recovery Institute International (DRII) and Business Continuity Institute (BCI). Subject Areas 2 and 3 of their Professional Practices deal specifically with Risk Analysis and Business Impact Assessment. This book relates directly to those sections as well as to Section 3-3: Hazard Identification and Risk Assessment in the National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

When I was asked to write this Preface, I did not anticipate any problems in accomplishing that task. However, I must admit that the exercise turned out to be more difficult than I had anticipated. The major problem was that the tragic events of September 11th, 2001, including the destruction of the World Trade Center and the cascading impact on not only Manhattan but the entire world, caused me to think, along with many other business continuity practitioners, whether any risk or business impact assessment could have anticipated such an incident and its impact. If it could not, then why should we bother to conduct such an analysis?

I have heard others questioning the need for such an analysis. Having thought about this for some time, I am firmly convinced that the need remains as much as ever. While I certainly would not want to second-guess any analysis conducted prior to September 11th, I do believe we need to learn the harsh lessons from that event that apply to both Risk Analysis and Business Impact Assessment.

The basic lesson for business continuity professionals is: anything could happen. The local impact could be catastrophic, and the cascade effect could be overwhelming. Is that really any different from what business continuity practitioners have always preached? Probably not, but it was often something that was not appreciated by senior management. Now, regrettably, we have the evidence to support this lesson.

Perhaps the problem was not that people refused to believe that such catastrophic events could occur – after all, we have experienced other, recent catastrophic events such as earthquakes in the USA (Northridge), Taiwan and Turkey. Maybe it was more the case that the appropriate information and evidence was not developed and presented in a way that made it truly believable.

I hear a lot of talk about worst-case scenarios, and that could be part of this problem. Many business continuity practitioners concentrate on the worst case as a single event, but then the question becomes, “is that really the true worst-case scenario?” Or, because a single event is being considered, perhaps it is not extrapolated to the full extent, since to take it that far might strain its credibility.

If a range of scenarios is used, from the most likely in both type of incident and impact through to the absolute worst case, you can build for senior management a better and more believable understanding of what can happen.

The other aspect in connection with risk analysis and worst-case scenarios is to make sure that you have the in-depth information necessary to support your points on what could happen. Too often, that in-depth aspect is missing and does not support the Risk Analysis findings.

Another possible problem I often hear is constant reference to financial impact. While financial impact is important, it is not the only impact which must be considered. There are several others, such as public credibility, legal and regulatory issues, or credibility within the financial community, all of which should also be addressed. Many of these impacts will be difficult, if not impossible, to quantify. This means that such impacts need to be qualified rather than quantified.

The purpose of a Business Impact Assessment is to provide information for both decision-making and for incorporation into the business continuity plan. Spending considerable time on quantification of impacts when qualified impacts would be just as appropriate and useful can not only delay the development of the business continuity plan, but can also reduce the planner’s credibility with management and possibly the effectiveness of the business continuity plan.

Not only is a Business Impact Assessment a means for prioritizing functions, but also the means to identify the resources that are needed to support the functions and the priority order in which these resources should be provided. Resources range from space, people and equipment to outside services and utilities. Identification of such resources requires focusing not only on the details of the business production or service functions but also looking at the big picture of what is used outside the immediate area of such functions. Hence the need to pay just as much attention to such aspects as the supply chain, outside utilities and even the demographics and travel routes of the company staff.

This is also where the Risk Analysis and Business Impact Assessment are linked. Remember the basic premise of the Risk Analysis and Business Impact Assessment: what can happen, what will be affected, and what are the resultant effects and impact?

Having identified through the BIA the resources that will be necessary, it is then of the utmost importance to identify what could prevent the provision of these resources in the required timeframe. You may have a recovery site some distance from your primary site, but what happens if your employees cannot get there, or if both your primary and backup sites are supplied from the same electrical substation? This will require a review of your resource needs and the possible risks that could affect their availability.

It should be apparent that there can be no “cookie cutter” set of procedures for Risk Analysis and Business Impact Assessment. To try and use such an approach could be detrimental to an enterprise’s health. This is much the same as the “fill-in-the-blanks” approach to the development of a business continuity plan, or the informational requests that are made for examples of plans when the intent is really to adapt someone else’s plan as one’s own. Anyone thinking of this approach is doing a profound disservice to their organization and should not be reading this book.

That is the reason this book is a guide to best practices. It is intended to provide the reader with an understanding of what could be involved in conducting both a Risk Analysis and Business Impact Assessment, and providing them with a means to identify what they need to do, as well as the sources of information to facilitate the process.

Completion of an effective Risk Analysis and Business Impact Assessment necessitates:

  • clear objectives;
  • delineation of:
      • the type of information that is needed;
      • the means that will be employed to collect that information;
      • the sources for the necessary information;
      • the format in which the information will be presented;
  • good project management.

Everyone undertaking a Risk Analysis and Business Impact Assessment seeks the silver bullet – a quick and simple way to complete the analysis. That is not possible, but the project can instead be broken down in such a way as to facilitate the analysis and start providing information quickly.

Business continuity plans are based on information. Risk Analysis and Business Impact Assessment provide that information, and form the foundation of all plans. The key is to determine what information is needed and to stick with that. If not, the project can become so broad and time-consuming that it delays the development of the business continuity plan.

Another problem is that the project is made so complicated that this same result occurs. An example is the use of probabilities or frequency. In the past much consideration was given to the chances of specific incidents occurring and the frequency of such occurrences. Since September 11, 2001, many business continuity professionals are rethinking that part of the analysis process. Many are now looking at it from the standpoint that the incident can occur and that the main concern is to determine what will be affected, and the resultant effect and impact. This ties in with the previous comments regarding quantification and qualification.

A final aspect which needs consideration is the culture and structure of the company. The Risk Analysis and Business Impact Assessment must be tailored to fit that culture, not only in the amount and extent of the information needed, but also the way that the information will be gathered and the format in which it is to be presented.

The key to a successful Risk Analysis and Business Impact Assessment is clarity in determining the objectives and the information-gathering process, as well as the identification of the appropriate information sources, both internal and external, linked to a well-defined project management plan.

Andrew’s book provides the business continuity practitioner with details of what should be considered, the information sources available, and the ways to structure and manage the project.

Risk Analysis and Business Impact Assessment can be time-consuming and require considerable effort, but the results can be instructive and valuable. At the end of the project you will have learned a lot more about your company – good luck!

Melvyn Musson, FBCI, CBCP, CISSP

St. Louis, Missouri, USA

Melvyn Musson has over 25 years’ experience in disaster recovery, business continuity and crisis management. He is a charter member of the National Fire Protection Association NFPA 1600 Disaster Management Committee, and was also involved in the founding of both Disaster Recovery Institute International (DRII) and The Business Continuity Institute (BCI). He was Chairman of the DRII Certification Board during the initial development of the Professional Practices, and he continues to work in support of both DRII and BCI in the review and maintenance of the Professional Practices. Melvyn is currently the Business Continuity Planning Manager for Edward Jones, a leading financial institution (St. Louis, Missouri).
