Fire, flood, swine flu, power loss, severe storms, workplace violence, supplier loss, and a myriad of other events threaten the very existence of organizations large and small. Risk management and business continuity professionals are challenged with addressing these threats, with an equal focus on mitigation and continuity planning. Today’s executive demands an equal focus on proactive risk mitigation, as opposed to an exclusive focus on reactive response and recovery planning. A proper, value-added risk assessment process provides a method to bring structure, clarity and focus to the mitigation aspect of the risk management effort. This article aims to make the case for risk assessment process execution and the role it plays in building the foundation of solid risk management, as well as some of the more common risk assessment pitfalls to avoid.
A Recommended Risk Assessment Methodology
The concept of risk assessment is relatively straightforward and an important part of a business continuity program. However, there are many variations in both methodology and the conclusions delivered. Avalution’s team has found that executives respond best to a risk assessment that focuses on business risks as opposed to threats. For example:
|The Situation The Organization Wishes to Avoid||Key Current-State Controls||Control Recommendations|
|A loss of Building X, which houses the organization’s primary call center, thus impacting 30%of order capture.||
This example, when prioritized with other recommendations based on likelihood and severity ratings, is far more actionable when compared to rank ordering events (i.e. tornado, fire, vandalism, etc.).
An approach that meets this expectation is the Failure Modes and Effects Analysis (FMEA), a core process found within Six Sigma methodology. This type of analysis evaluates the likelihood of occurrence and the potential severity of the failure based on the organization’s current processes to manage that risk – generally referred to as “controls”. The following graphic is one way to display the outcome of such an analysis. The weighting of the measurements can be either qualitative (i.e. insignificant, minor, moderate) or based on percentages. The controls are not incorporated into the x/y axis below because they will directly affect either the likelihood or the severity of an incident. Thus, controls are accounted for in the relative rating of a particular risk.
Why perform a risk assessment? The main value of a risk assessment is the consistent structure and process that it provides the organization to prioritize risk mitigation efforts. Simply put, a risk assessment assists management in prioritizing the application of limited resources toward the mitigation of highly likely or potentially significant risks. It also provides a useful benchmark for the organization to effectively track the benefits of mitigation strategies implemented over time.
Aside from setting priorities and benchmarking, the risk assessment provides a “menu” of scenarios and events to use as examples for planning purposes. It is best practice to develop plans with an “all-hazard” approach, but it is always beneficial to have some example scenarios when developing response and recovery plan documentation.
The risk assessment process also provides a list of possible exercise scenarios (and even ideas for exercise injects). It goes without saying that an organization benefits the most when personnel have participated in exercises before a similar event occurs. Conducting exercises around the most likely scenarios not only keeps participants engaged, but it drastically improves preparation since exercise lessons learned can be applied to strategies, plan documentation and awareness materials.
Lastly, for those organizations seeking organization certification, a risk assessment is a requirement in many standards such as BS 25999.
Pitfalls (and Recommended Solutions)
Once an organization understands the value and purpose, it is important to avoid a few common pitfalls when executing or updating a risk assessment.
A common problem that limits both value and efficiency of a risk assessment is over analyzing. Organizations can easily find themselves in a state of “analysis paralysis” if they begin to evaluate every minute threat, probability metric, historical detail and control. Instead, cover the full scope of threats by breaking the assessment up into manageable components such as risks to a particular technology, facility, or group of employees. Some basic research and/or participation by subject matter experts (with knowledge of the organization) should provide the requirements needed to develop a sufficient analysis.
Another common pitfall is inaccurate or speculative data. This is often associated with analysts who are either unfamiliar with the organization or in a position where there is significant pressure to bend the facts to justify a pre-established purpose. The solution is relatively simple: ensure that those performing the analysis have the proper experience and are independent of the outcomes.
Inconsistent ratings are another common issue. Delegating assessment responsibilities amongst too many people, changing analysts from year to year, or failing to implement a consistent rating scale provides opportunity for increased variance in conclusions. From threat to threat and year to year, consistent methods and criteria are needed. The following are some example strategies to enable consistent data:
- Develop a clear risk assessment plan that defines the methodology, rating scale and provides example content;
- Use fewer analysts to minimize inconsistent application of rating scales and risk assessment techniques; and
- Ensure analysts collaborate and share their data and conclusions so similar threats and vulnerabilities have similar ratings and controls can be shared where applicable.
Proactively managing threats in both small and large organizations can be an intimidating task, but these threats can become manageable with a pragmatic approach supported by executive management. Organizations that select the appropriate risk assessment methodology, consistently communicate the rationale behind the assessment, and avoid the common pitfalls of analysis will find themselves with a solid foundation to build a value-added approach that proactively manages risk and is a perfect complement to “traditional” response and recovery strategies.