Enterprise risk management and business continuity primer

Enterprise risk management is an important aspect of BC planning. This tip will help you understand risks, threats and vulnerabilities to build a foundation for your work.

What you will learn in this tip: Enterprise risk management is an important aspect of business continuity (BC) planning. Understanding risks, threats and vulnerabilities, and the risk management process, provides an essential foundation for your work as a BC professional.

Any discussion of risk management and business continuity should begin with a definition of risk. Risk has many different definitions, but it usually comes back to the fact that in virtually any activity there is the potential for something to go wrong. The probability or likelihood of something happening becomes the risk associated with that activity. If an activity was always successful and never had any problems or issues, the probability of failure (the risk) could be considered zero. But when we think realistically, the probability or likelihood of something, no matter how insignificant, happening with an event or process is somewhere between zero and one or 100%.

For example, if a specific disruptive incident (e.g., a power outage lasting less than one hour) has a one in five chance of occurring (based on insurance or actuarial statistics), the risk likelihood (or probability) would be 0.2 or 20%; a one in three chance of occurrence gives a probability of 0.33 or 33%. By contrast, the probability of a wayward asteroid hitting the Earth is probably closer to zero, whereas the probability of someone being sick from work due to a cold will probably be closer to one. 

When we examine risks, we analyze the likelihood of an event occurring, the potential severity of the event (e.g., damage to the desired process), and also the vulnerability of the situation (e.g., a weakness that helps the event occur). From this we express risk as a product: the likelihood of the event occurring times the potential severity times the vulnerability.

In other words, the formula for risks in business continuity works as follows:

Risk = Likelihood x Severity x Vulnerability

We can map this formula with a simple table as shown below (data listed are examples):

[Table: worked risk calculation. Recoverable column header: Calculated Risk. Recoverable rows: Virus attack, plus the fire example discussed below. The example cell values did not survive extraction.]
Likelihood: 0 = Not likely to 1 = 100% likely to occur

Severity: 0 = No impact to 1 = Total destruction

Vulnerability: 0 = None to 1 = Totally vulnerable

What the calculated risk figure means in the “fire” example is that there’s a four in 10 chance of a fire occurring that causes significant damage, based on the existing vulnerability to fire. From the completed table you can identify and prioritize risks for further action. While we have assigned arbitrary figures to each category in this example, many of these figures can be obtained from risk tables, which themselves are based on historical data and analyses of specific events and their outcomes.

As a business continuity professional, be sure to perform a risk assessment, as we have done above, to identify situations that could occur to your organization. Once you have an agreed-upon set of risks, you can begin a business impact analysis (BIA) to determine the financial and operational effects of the identified risks to your organization.

Risk treatment

In enterprise risk management, once you have identified risks, you then need to decide how to address them. There are four basic approaches:

  1. Avoidance: Deciding to not perform an activity that carries risk
  2. Reduction: Using various approaches to reduce or mitigate the severity of the risk; you are not eliminating the risk; rather you are reducing its potential impact
  3. Sharing: Identifying and engaging another entity to absorb a portion of the risk; using insurance is often considered a risk sharing option
  4. Retention: Willingness to accept the risk and its potential outcomes

These options can be factored into your business continuity/disaster recovery planning strategies.
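The calculation from the table above and the "reduction" treatment option, worked through as an added example (not the author's own code): a small risk register that enforces the 0 to 1 scale for each factor, computes Risk = Likelihood x Severity x Vulnerability, ranks the entries for action, and shows how a control that lowers vulnerability changes the calculated risk. All threat names and factor values are constructed for illustration, not taken from the article's table.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One row of the risk register; every factor is on the 0..1 scale."""
    name: str
    likelihood: float     # 0 = not likely ... 1 = 100% likely to occur
    severity: float       # 0 = no impact ... 1 = total destruction
    vulnerability: float  # 0 = none ... 1 = totally vulnerable

    def __post_init__(self) -> None:
        # Reject values outside the scale so a typo (e.g. 20 instead of 0.2)
        # cannot silently inflate or hide a risk.
        for factor in ("likelihood", "severity", "vulnerability"):
            value = getattr(self, factor)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {factor}={value} is outside 0..1")

    def calculated(self) -> float:
        """Risk = Likelihood x Severity x Vulnerability, rounded for the table."""
        return round(self.likelihood * self.severity * self.vulnerability, 3)


def risk_register() -> list[Risk]:
    """Constructed sample register (values are illustrative assumptions)."""
    return [
        Risk("Fire", likelihood=0.1, severity=0.9, vulnerability=0.5),
        Risk("Virus attack", likelihood=0.8, severity=0.5, vulnerability=0.6),
        Risk("Power outage < 1 hour", likelihood=0.2, severity=0.1, vulnerability=0.7),
        Risk("Asteroid impact", likelihood=0.0, severity=1.0, vulnerability=1.0),
    ]


def prioritize(register: list[Risk]) -> list[tuple[str, float]]:
    """Rank the register highest calculated risk first, for treatment decisions."""
    ranked = sorted(register, key=lambda r: r.calculated(), reverse=True)
    return [(r.name, r.calculated()) for r in ranked]


def reduce_vulnerability(risk: Risk, new_vulnerability: float) -> Risk:
    """'Reduction' treatment: a control lowers vulnerability, not the likelihood
    of the threat itself; the returned row shows the residual risk."""
    return replace(risk, vulnerability=new_vulnerability)


if __name__ == "__main__":
    for name, score in prioritize(risk_register()):
        print(f"{name:24s} {score:.3f}")
    virus = risk_register()[1]
    print("after control:", reduce_vulnerability(virus, 0.2).calculated())
```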

Risk management in the business continuity process

Where would we place risk management in a process flow for business continuity? Let’s consider the following diagram, which depicts a typical event sequence for a business continuity/disaster recovery program:

Event sequence for a business continuity program

As you can see, risk management activities occur very early in the process. We can’t begin to develop strategies, plans or anything else until we know where the organization is at risk.

Risk management standards and professional associations

The global risk management standard is ISO 31000, Risk Management – Principles and Guidelines on Implementation, which was released in November 2009 by the International Organization for Standardization (ISO). Another useful standard is ISO 31010:2009, Risk Management – Risk Assessment Techniques, which provides guidance on how to organize and conduct a risk assessment. In the U.S., an excellent risk management standard is SP 800-30, developed by the National Institute of Standards and Technology (NIST). When working on a risk management project, be sure to have these standards available for reference and advice.

Perhaps the most prominent risk organization in the U.S. is RIMS (The Risk Management Society), which addresses the entire risk management spectrum through educational programs, professional accreditations, conferences, publications, risk-related information and networking among fellow risk professionals.

Enterprise risk management is a key part of the business continuity process. Examine any of the current business continuity/disaster recovery standards, such as BS 25999 Part 2 or NFPA 1600:2010, and you’ll see references to risk management.

If your organization is large enough, it may have a risk management department or function. Be sure to contact the group and engage them early on in your business continuity/disaster recovery initiatives. Include the risk team with all your business continuity/disaster recovery efforts to share ideas and experience and reduce potential confusion during business continuity/disaster recovery plan development.

About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years’ experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, to RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor, is the secretary of the Business Continuity Institute USA chapter and can be reached at [email protected].
