I am a Business Continuity Manager ... and I want to identify risks!

Risk management is often associated with Business Continuity Management. The shared origins of the two disciplines, their overlapping functions and the fact that both deal with threats could explain that.

I understand that, as a BCMer, I could be required to assess some risks, for example because no one else is doing it. ISO 22301 also requires a risk assessment as part of the BCMS. And frankly, knowing the risks is an interesting part of our job and of our general understanding of the organization, but studying and managing them is another story.

Risk management is about identifying risks, mitigating them through the implementation of controls, and monitoring them. In our field, we “need” the risk to materialize in order to execute a recovery strategy. Business Continuity plans or strategies are often themselves considered controls that mitigate a risk. Still, that doesn’t make BCM a part of Risk Management.

So, whether we want to or have to, what can we do to identify risks?

First, make sure you are not doing someone else’s job, and by that I mean the Risk Management department’s. ISO 22301 (clause 8.2.3) does not say that a BCMer has to do it, only that a risk assessment must be carried out in the organization. Some banks have entire departments dedicated to that task. Why would you do it too? Use their work to validate the risks you are interested in, and check their matrix to see whether those risks have been properly identified and evaluated.

Now let’s focus on the first step of an assessment: identifying a risk. If we are doing it ourselves, we need to understand what we are analyzing. Is it a process? A product? A building? A team? It makes a big difference.

Assessing a risk requires identifying all the threats that can affect the “asset” and understanding what the impact could be. List the threats in a table (matrix). Group them by category where possible or necessary (natural hazards, cybersecurity, man-made disasters, etc.). An earthquake may be unlikely in a region where hurricanes are quite possible. Make that obvious, and keep threats that do not apply off the list: don’t talk about winter storms in the Caribbean.

Identify all direct impacts on the asset. We are not talking about indirect impacts or consequences five years out; I would strongly recommend focusing on direct impacts such as a system not running, a factory or production line shut down, or reputational damage.

To perform a risk assessment, good practice recommends defining the risk rather than just listing a bunch of threats. For example, you could combine a cause and an impact to identify a risk regarding a system or IT asset: “Unavailability of the system due to a power blackout”.

Also, don’t confuse the cause with the vulnerability. The power blackout caused the failure of the system. The lack of redundancy or maintenance is the vulnerability that let the blackout turn into a failure, but it is not the original cause; the power outage is. Vulnerabilities (most of the time) start with “lack of” or “absence of”.
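The points made above about the risk matrix (threats grouped by category, each risk stated as a direct impact plus a cause, the vulnerability kept separate from the cause, and threats that cannot occur in the region left out) can be enforced mechanically. The following Python linter is an added example, not code from the original article: the `Risk` fields, the register entries, and the region/threat applicability map are all constructed for illustration.

```python
"""Added example (not from the original article): a small linter for a
risk register that checks the identification rules discussed in the text.
Every entry in REGISTER below is constructed for illustration only."""
from __future__ import annotations

from dataclasses import dataclass

# The text observes that vulnerabilities usually start with "lack of" or
# "absence of"; a cause that starts this way is probably a mis-filed vulnerability.
VULN_PREFIXES = ("lack of", "absence of")

# Threats that do not apply in a region (assumption: a simple lookup table
# keyed by region name; the text's own example is winter storms in the Caribbean).
NOT_APPLICABLE = {
    "Caribbean": {"winter storm"},
}


@dataclass
class Risk:
    asset: str           # what is being analysed: process, product, building, team
    category: str        # natural hazards, cybersecurity, man-made disaster, ...
    threat: str          # the threat as listed in the matrix
    cause: str           # the event that triggers the impact
    vulnerability: str   # the missing safeguard that lets the cause bite
    direct_impact: str   # direct consequence on the asset, not a five-year effect
    region: str = ""


def risk_statement(r: Risk) -> str:
    """Build the 'impact due to cause' wording the article recommends."""
    return f"{r.direct_impact} due to {r.cause}"


def lint_risk(r: Risk) -> list[str]:
    """Return a list of findings; an empty list means the entry is well formed."""
    findings: list[str] = []
    if not r.asset.strip():
        findings.append("no asset: say what is being analysed (process, product, building, team)")
    if not r.cause.strip() or not r.direct_impact.strip():
        findings.append("risk is a bare threat: give both a cause and a direct impact")
    if r.cause.strip().lower().startswith(VULN_PREFIXES):
        findings.append(f"cause {r.cause!r} reads like a vulnerability, not a cause")
    if r.vulnerability.strip() and not r.vulnerability.strip().lower().startswith(VULN_PREFIXES):
        findings.append(f"vulnerability {r.vulnerability!r} does not describe a missing safeguard")
    if r.threat.strip().lower() in NOT_APPLICABLE.get(r.region, set()):
        findings.append(f"threat {r.threat!r} does not apply in {r.region}")
    return findings


def lint_register(register: list[Risk]) -> list[tuple[str, list[str]]]:
    """Pair each risk statement with its findings, in register order."""
    return [(risk_statement(r), lint_risk(r)) for r in register]


def by_category(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk statements by threat category, as the matrix should be laid out."""
    grouped: dict[str, list[str]] = {}
    for r in register:
        grouped.setdefault(r.category, []).append(risk_statement(r))
    return grouped


# Constructed sample register: one good entry and three that break a rule each.
REGISTER = [
    Risk("Core banking system", "Infrastructure", "power blackout",
         "a power blackout", "lack of redundant power supply",
         "Unavailability of the system", "Caribbean"),
    # Vulnerability written where the cause should be.
    Risk("Core banking system", "Infrastructure", "power blackout",
         "lack of redundancy", "", "Unavailability of the system", "Caribbean"),
    # Threat that cannot occur in the region.
    Risk("Head office", "Natural hazards", "winter storm",
         "a winter storm", "lack of snow clearing", "Building inaccessible", "Caribbean"),
    # Bare threat with no asset, cause or impact.
    Risk("", "Cybersecurity", "ransomware", "", "", "", "Caribbean"),
]


if __name__ == "__main__":
    for category, statements in by_category(REGISTER).items():
        print(category)
        for s in statements:
            print("  -", s)
    for statement, findings in lint_register(REGISTER):
        for f in findings:
            print(f"[{statement}] {f}")
```

The checks are deliberately lexical (prefix matching on “lack of” / “absence of”), which is exactly the heuristic the text gives; they catch the common mistake of filing a vulnerability as a cause, but they will not judge whether a cause is plausible, so the output is a review aid, not a substitute for reading the matrix.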

Risk evaluation and controls will be covered in other chapters, but whatever the method, the risk assessment matrix you build must be easy to read and to understand.

Identifying risks is key to risk management, and knowing them will serve you in your job as a BCMer. If doing a risk assessment is part of your journey, be sure you understand what the object of the evaluation is. Don’t just list a bunch of threats; define clearly what the risk is, with its cause and its consequences. That will help with the evaluation, and especially with the implementation of controls, which will be more specific.

Julian Forero Soto

Head of Security, Crisis and Business Continuity, Latin America

1 year

The effectiveness of a good continuity manager lies in knowing the organization very thoroughly, its strategic axes and macro processes, so definitely the complete understanding of its risks is the pillar of a good BIA and, with it, of the construction of recovery strategies. It is comprehensive work with emphasis on the intention of achieving optimal ORGANIZATIONAL RESILIENCE. At Stork, a Fluor company, that is our commitment.

Anton J. Coetzee - ABCP, BEM, CBA, DTM, EEng, FA??

Board and Senior Leadership Member, Strategic and Tactical Resiliency and BCM Consultant and Public Speaker. A Crisis Leader - saving Time and Money... Mastering Chaos with Strategy, Actions and Deeds... NOT just Words.

1 year

I think all BCMers should include risk management and include detailed BIAs... These are all tools that add to and aid us in doing better and avoiding extra work later on when revising and updating those BCPs.

Michael Mitchell

Business and IT Resilience - Business Continuity, IT Disaster Recovery: Specialist, Consultant, Adviser

1 year

Don’t bother with Risk Assessments; work with the org’s Risk Management to get that info, that’s their job... can’t see the value of BCM doing them.

Chris Green

Organizational Resilience | Business Continuity | Crisis Management | Enterprise Risk Management |

1 year

So Timothe, you are now directly arguing against your previous position where you were supporting adaptive BC? Adaptive quite clearly says “don’t do a BIA, don’t do a risk analysis”.
