The risk assessment in business continuity planning helps you focus your time and resources. Hopefully, the risk assessment will lead you, as a Colorado banker, to devote more energy in preparing for blizzards than preparing for hurricanes. If not, it means you forgot to revise the plan you borrowed from your pal in Florida.
A risk assessment prioritizes the bank’s business processes (business processes are identified during the first step, Business Impact Analysis.) and defines what could disrupt them. The goal is to be sure the Business Continuity Plan (BCP) addresses the most important things first.
Is that a Threat?
All risk assessments start with identifying threats to business. The FFIEC Business Continuity Planning handbook (March 2008) describes "threat scenarios" and "threat impact." Do you know the difference? You have to understand and address both to develop an effective risk assessment for business continuity planning.
A threat scenario is a specific unavoidable event or circumstance. Blizzards, tornadoes, floods, lightning, bombs, pandemics, hurricanes, etc., are all threat scenarios. The handbook encourages you to develop an extensive list of threat scenarios to make sure you don’t overlook events which could be catastrophic to your business.
To get you started, the handbook includes threat suggestions in the appendicesi or you could use the list of "reasonably foreseeable threats"ii already compiled for the risk assessment of your Information Security Program. Using one risk assessment to fulfill the requirements of the Information Security Program as well as the BCP can simplify your compliance work. (Note: Be sure to reference the Information Security risk assessment in your BCP so it will be apparent to bank staff, auditors and examiners.)
The handbook says: "Where possible, institutions should analyze a threat by using non-specific, all-risk planning that focuses on the impact of the threat instead of the nature of the threat."iii One way to understand the impact of a threat is to think in terms of "loss." Examples of threat impact include things like loss of personnel, loss of facilities, loss of power, loss of telecommunications, loss of management, loss of systems, loss of data, loss of records (paper files), etc.
To develop your list of threat impacts, work through your threat scenarios and list the impacts from the threat. You will find any given threat may impact the bank in various ways. Take a blizzard for example. Possible impact from a blizzard includes loss of electricity, loss of telecommunications, loss of personnel (staff can't commute to work) and others.
You will also find many different scenarios all result in the same impact. For instance, a hurricane, tornado, blizzard, flood, bomb, fire, disgruntled employee, civil disturbance, industrial accident, etc., could all cause the loss of electricity. (Note: If you like the idea of using one risk assessment for the BCP and Information Security Program, be sure you indicate the relationship of the threat scenarios to threat impacts.)
Risk levels are derived by considering the probability of a disruption and its impact on operations. If we continue with our "loss of electricity" example, the probability is high since many threat scenarios can cause the loss of electricity. Any high-priority business process which can be disrupted by the loss of electricity is judged to be a high risk for business continuity.
The final part of the risk assessment is gap analysis. It occurs as you compare the outcome of the risk assessment to an existing BCP. The gap is the policies and procedures which need to be added to the BCP to address new threats or risks which have changed. High-priority business processes (identified in BIAs) which are at high risk for disruption (identified in the risk assessment) become the top priorities of your new BCP.
i FFIEC IT Examination Handbook, Business Continuity Planning, March 2008 - Appendix C: "Internal and External Threats" and Appendix D: "Pandemic Planning"
ii Interagency Guidelines Establishing Information Security Standards, III B (Assess Risk)
iii FFIEC IT Examination Handbook, Business Continuity Planning, March 2008, page 11.