What is the purpose of a risk assessment?
The Disaster Recovery Institute International (DRII) states the purpose of a risk assessment is "to determine events, probabilities and environmental surroundings that can adversely affect the organization and its facilities with disruption and disaster and the controls needed to prevent or minimize the effects of potential loss."
One thing to keep in mind is that a great deal of subjective analysis goes into an impact or risk assessment. In other words, risk assessments should be reviewed by a team possessing knowledge of both the organization and the business continuity plan.
Steps should be taken to avoid risks once they have been identified in the impact assessment. For example, once the probability of occurrence and the level of impact have been determined, you can directly address the risk posed and try to eliminate it. If the risk is somewhat unpredictable, such as a natural disaster, it's advised to at least try to reduce the impact of the risk. And although it's not advised, you can also ignore the risk and accept the consequences. But addressing risks is often not complicated. A sufficient response to a risk or threat may be as simple as purchasing uninterruptible power supply (UPS) units and keeping generators on standby to address electrical power issues found during a risk assessment.
Steps for putting together a business risk assessment
Putting together a business risk assessment is simple. Most organizations use a spreadsheet to compile and present the risks in their organization, and templates can be obtained from vendors or internet sites. For example, two resources for natural threats are NOAA and FEMA.
The first step for putting together an IT risk assessment is to identify as many threats as are applicable to your organization. For example, natural threats in the Midwest may include tornadoes, while organizations along the East Coast are more concerned about hurricanes. Once threats are identified, the next step is to estimate the probability of occurrence for each threat (this will most likely be subjective), followed by the business impact on the organization. The impact is labeled low, medium, or high according to the effect it could have on the organization.
Below is an example of identifying a risk:
Sample worksheet showing how to identify a risk to your business:

| Threat | Probability | Impact | Measures to be taken |
|---|---|---|---|
| Power outage | 0.1 | High | Obtain UPS or generator for essential areas |
In this example, the threat of a power outage has a 10% likelihood of occurring; however, if it does occur, the impact to the organization is high. To reduce this risk, one can obtain UPS units or a generator. The probability of this threat occurring would still be 10%, but the impact would be reduced to low. The next step is to sort your list by impact to your organization, from low through medium to high. Then you can begin to address the risk assessment process for threats as appropriate.
The risk assessment can be completed by an individual, but there are many subjective values involved, so it may be advantageous to have a small group involved to eliminate bias. The team should consist of IT, operations and finance at the very least. IT should be included for obvious reasons; operations and finance are included to ensure the estimated impacts of outages are realistic. The team leader must be someone who can ensure the rest of the team takes this task and its schedule seriously. The team should start by looking at natural threats, then progress to other possible threats such as safety and access in the facility. To do this, walk through the facility and look for safety-related issues: blocked walkways, hot plates, storage areas, or anything that could create issues of safety, entry and egress. Above all, to perform an adequate risk assessment, you must be honest and objective when reviewing these issues, especially those relating to workplace violence, disgruntled employees, or data access.
Risk assessments and disaster recovery sites
One issue that does not get the attention it deserves is that the disaster recovery site itself should go through its own business risk assessment. It is an additional facility that is not only a place to back up your technologies; the activity that goes on there can also greatly affect your organization if an incident occurs. If you are using a third-party vendor, such as IBM Corp., SunGard or some other facility, look at who is assigned space close to you. Some sites will review the nearby tenants and discuss location with you.
Risk assessments at disaster recovery sites should be similar to those at the original site. Some issues to look for include: What is the policy for vendors and visitors? Are there sufficient restrooms and dining facilities for all staff? Is there a further need for credentialing? Most disaster recovery sites are in more remote areas, but are they as accessible as the main site? Are the roads passable in bad weather? All the threats associated with the main site should be reviewed and applied to the DR site. You must realize that the disaster recovery plan and disaster recovery site may be expected to serve as the operations site for a period of time. That duration is uncertain and could be extended, depending on the incident.
Review your business risk assessment regularly
A business risk assessment should be reviewed as often as the disaster recovery plan itself. Even if there are no changes to be made, you should review your risk assessment at least once a year. The team leader should ensure not only that the plan is reviewed but that it is presented to and accepted by the executive level. A rigorous risk assessment is not expensive to execute, but you do need an objective view and knowledge of what to look for. Both the DRII and the Business Continuity Institute (BCI) agree that the risk assessment should come before the Business Impact Assessment. This seems logical when you consider that before you look at operating functions, you must look at the overall risks to the organization in general.
About this author: Harvey Betan is a certified business continuity (BC) planning consultant with experience in disaster recovery (DR) in both technology and business functions. He migrated to BC after the restoration of a large insurance company with a major presence in the World Trade Center on Sept. 11. His career has spanned a dozen years in business continuity after a 15-year career as a senior manager in information technology for the financial, insurance and nonprofit sectors.
This was first published in February 2010