Risk Analysis In Business Continuity Management
Jeremy Wong, Senior Vice President, GMH Continuity Architects
GMH Continuity Architects
• A leading consultancy focusing on business continuity, disaster recovery and crisis management in Asia Pacific since 1999.
• Our core business is in safeguarding our clients’ businesses through the sound application of proven, business-oriented business continuity methodologies.
* GMH is an accredited partner of BCM Institute.
Jeremy Wong
http://www.bcmpedia.org/wiki/Jeremy_Wong
Prior Appointments
Nomura – Head of BCM, South Asia
United Overseas Bank – Head of BCM
Bax Global
J P Morgan
Andersen Consulting
BCM Planning Methodology
Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2
Risk Analysis & Review
[Process diagram: Identify → Analyse → Evaluate → Treat → Implement & Monitor]
Identify Assets & Threats
• Identify Organisational Assets
• Identify Threats
Identify Organisational Assets
• Assets essential to carry out the mission
• Examples:
– Facilities
– People
– Data
– Software
– Applications
– Equipment
Identify Threats
Natural
• Tornado (wind storm)
• Thunderstorm and hail storm
• Lightning and electrical storm
• Snow and winter ice storm
• Typhoon and hurricane
• Flood and other water-based incident
• Earthquake
• Mudslide
• Volcanic eruption and ash fallout
• Tsunami
• Large natural fire
• Epidemic and pandemic
Man-Made
• Toxic and radioactive contamination
• Sabotage (both external and internal)
• Riot, civil disorder and coup
• Fraud and embezzlement
• Accidental explosion (on and offsite)
• Water leak and plumbing failure
• Workplace violence
• Terrorism
• Aircraft crash
• Vandalism
• Arson
• Physical asset theft
• Misuse of resources
• Building and physical security weakness
• Fire
Identify Threats
Business
• Power outage
• Labor dispute
• Employee turnover and single point of failure
• Unavailability of key personnel
• Human error
• Gas outage
• Water outage
• Loss of transportation
• Single source suppliers
Information Technology
• Voice and data telecommunication failure
• IT equipment failure
• Human error from programmers and users
• Security vulnerability
• Data and software sabotage
• In-house developed application failure
• HVAC failure
• Defective software
Analyse Risks
• Identify impact or consequence of the threat materializing
• Estimate the likelihood of occurrence
• Determine risk level
Risk Analysis Process
Impact
• How does the threat affect business operations?
• What are the adverse events that can occur?
• What are the effects on people, infrastructure, facilities, and systems?
• What are the potential loss exposures to the business?
Likelihood
• What is the likelihood that the threat will adversely affect business operations?
Controls
• What controls are in place?
• What is the cost for the controls to be implemented?
Risk Level Matrix
[Matrix: Impact (High / Medium / Low) on the vertical axis against Likelihood (Low / Medium / High) on the horizontal axis; example threats plotted on the grid: Fire, Pandemic]
Risk Evaluation
• Assess the risk rating and prioritise risks for further treatment
Evaluation Criteria
• Criteria examples:
– People
– Processes
– Infrastructure
• Weighting for different criteria
Risk Evaluation
[Matrix: Impact (High / Medium / Low) against Likelihood (Low / Medium / High); Fire and Pandemic plotted by their assessed impact and likelihood]
Risk Treatment
• Explore Treatment Strategies for risks deemed unacceptable
• Document reasons for selection of strategy for each risk treatment
Risk Treatment Strategies
• Risk Avoidance
• Risk Reduction
• Risk Transfer
• Risk Acceptance
Risk Treatment Strategies
[Matrix: Impact (High / Medium / Low) against Likelihood (Low / Medium / High), with a treatment strategy assigned to each region of the grid: Transfer, Accept, Reduce / Active Control, Reduce (if Cost Justifiable), Avoid]
Risk Reduction
[Matrix: Impact (High / Medium / Low) against Likelihood (Low / Medium / High); example threats plotted on the grid: Fire, Pandemic]
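The evaluation criteria with weighting, the risk level matrix and the treatment-strategy matrix above can be worked through as one small risk register. The following Python is an added example, not code from the presentation or from GMH Continuity Architects; the criteria weights, the score thresholds, the placement of the five treatment strategies on the grid and the register entries are all constructed assumptions chosen to illustrate the method.

```python
"""Qualitative risk register: weighted impact x likelihood -> risk level -> treatment.

Added illustration. The weights, matrix cell assignments, thresholds and the
sample register are assumptions, not figures taken from the presentation.
"""
from dataclasses import dataclass, field

# Ordinal values for the Low / Medium / High ratings used on the matrix axes.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Evaluation criteria named on the "Evaluation Criteria" slide; the weights are
# an assumption and must sum to 1.0.
CRITERIA_WEIGHTS = {"people": 0.4, "processes": 0.3, "infrastructure": 0.3}


@dataclass
class Risk:
    asset: str                      # organisational asset at risk
    threat: str                     # threat that could materialise
    likelihood: str                 # Low / Medium / High
    impact: dict                    # criterion -> Low / Medium / High
    controls_in_place: list = field(default_factory=list)


def weighted_impact(risk: Risk) -> float:
    """Combine the per-criterion impact ratings into one score between 1 and 3."""
    return sum(w * LEVELS[risk.impact[c]] for c, w in CRITERIA_WEIGHTS.items())


def to_level(score: float) -> str:
    """Bucket a weighted score back onto the Low / Medium / High scale.
    The cut points (thirds of the 1..3 range) are an assumption."""
    if score < 5 / 3:
        return "Low"
    if score < 7 / 3:
        return "Medium"
    return "High"


def risk_level(impact: str, likelihood: str) -> str:
    """Read the risk level off the impact x likelihood matrix.
    Cell assignment is an assumption: product 1-2 Low, 3-4 Medium, 6-9 High."""
    product = LEVELS[impact] * LEVELS[likelihood]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def treatment(impact: str, likelihood: str) -> str:
    """Treatment strategy by matrix cell, using the five labels from the slide.
    Where each label sits on the grid is an assumption."""
    im, lk = LEVELS[impact], LEVELS[likelihood]
    if im == 3 and lk == 3:
        return "Avoid"                         # too severe and too likely to run
    if im == 3 and lk == 1:
        return "Transfer"                      # rare but severe: e.g. insure
    if im == 1 and lk == 1:
        return "Accept"                        # minor and unlikely: document and accept
    if im * lk >= 4:
        return "Reduce / Active Control"       # mid-to-high cells: controls required
    return "Reduce (if Cost Justifiable)"      # remaining low cells: reduce only if cheap


def evaluate(register: list) -> list:
    """Score each entry and rank the register, highest risk first."""
    rows = []
    for r in register:
        score = weighted_impact(r)
        impact_lvl = to_level(score)
        level = risk_level(impact_lvl, r.likelihood)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "impact": impact_lvl,
            "likelihood": r.likelihood,
            "risk_level": level,
            "treatment": treatment(impact_lvl, r.likelihood),
            "controls_in_place": r.controls_in_place,
            "_rank": (LEVELS[level], LEVELS[impact_lvl] * LEVELS[r.likelihood], score),
        })
    rows.sort(key=lambda row: row["_rank"], reverse=True)
    for row in rows:
        del row["_rank"]
    return rows


# Constructed sample register; the threats are taken from the deck's threat lists.
SAMPLE_REGISTER = [
    Risk("Data centre", "Fire", "Low",
         {"people": "High", "processes": "High", "infrastructure": "High"},
         ["Fire suppression", "Building insurance"]),
    Risk("Workforce", "Pandemic", "Medium",
         {"people": "High", "processes": "High", "infrastructure": "Low"},
         ["Remote working capability"]),
    Risk("Office", "Water leak and plumbing failure", "Medium",
         {"people": "Low", "processes": "Medium", "infrastructure": "Medium"}),
    Risk("Payroll application", "Defective software", "High",
         {"people": "Low", "processes": "Medium", "infrastructure": "Low"},
         ["Pre-release testing"]),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['risk_level']:<6} {row['threat']:<32} impact={row['impact']:<6} "
              f"likelihood={row['likelihood']:<6} -> {row['treatment']}")
```

Ranking by risk level, then by matrix position, then by weighted impact keeps a rare-but-severe fire above a frequent-but-minor software defect even though both land in the same Medium band, which is the prioritisation step the Risk Evaluation slide describes.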
Business Continuity Plan (BCP)
Risk Analysis and Business Continuity Planning
[Diagram relating the risk analysis process to BC planning]
Risk Analysis:
• Identification
• Analysis
• Evaluation
• Treatment (risk treatment strategies process):
– Avoidance
– Reduction → BC Planning: treatment for risks that could potentially interrupt business operations
– Transfer
– Acceptance
• Monitoring
BC Planning:
• Business Impact Analysis
• Recovery Strategy
• Plan Development
• Testing and Exercising
• Program Management
Process
Implement & Monitor
• Present Recommendations to management for approval
• Implement recommendations
• Monitor results
• Adjust as necessary
Risk Analysis Process
[Summary diagram: Identify → Analyse → Evaluate → Treat → Implement & Monitor]
Thank You