Risk Analysis In Business Continuity Management Jeremy Wong Senior Vice President GMH Continuity Architects


GMH Continuity Architects

• A leading consultancy focusing on business continuity, disaster recovery and crisis management in Asia Pacific since 1999.

• Our core business is in safeguarding our clients’ businesses through the sound application of proven, business-oriented business continuity methodologies.

* GMH is an accredited partner of BCM Institute.


Jeremy Wong

http://www.bcmpedia.org/wiki/Jeremy_Wong

Prior Appointments

• Nomura – Head of BCM, South Asia
• United Overseas Bank – Head of BCM
• Bax Global
• J P Morgan
• Andersen Consulting


BCM Planning Methodology

Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2


Risk Analysis & Review

[Cycle diagram: Identify → Analyse → Evaluate → Treat → Implement & Monitor]


Identify Assets & Threats


• Identify Organisational Assets

• Identify Threats


Identify Organisational Assets

• Assets essential to carry out mission
• Examples:
  – Facilities
  – People
  – Data
  – Software
  – Applications
  – Equipment


Identify Threats

Natural
• Tornado (wind storm)
• Thunderstorm and hail storm
• Lightning and electrical storm
• Snow and winter ice storm
• Typhoon and hurricane
• Flood and other water-based incident
• Earthquake
• Mudslide
• Volcanic eruption and ash fallout
• Tsunami
• Large natural fire
• Epidemic and pandemic

Man-Made
• Toxic and radioactive contamination
• Sabotage (both external and internal)
• Riot, civil disorder and coup
• Fraud and embezzlement
• Accidental explosion (on and offsite)
• Water leak and plumbing failure
• Workplace violence
• Terrorism
• Aircraft crash
• Vandalism
• Arson
• Physical asset theft
• Misuse of resources
• Building and physical security weakness
• Fire


Identify Threats

Business
• Power outage
• Labor dispute
• Employee turnover and single point of failure
• Unavailability of key personnel
• Human error
• Gas outage
• Water outage
• Loss of transportation
• Single source suppliers

Information Technology
• Voice and data telecommunication failure
• IT equipment failure
• Human error from programmers and users
• Security vulnerability
• Data and software sabotage
• In-house developed application failure
• HVAC failure
• Defective software


Analyse Risks

• Identify impact or consequence of the threat materializing

• Estimate the likelihood of occurrence

• Determine risk level


Risk Analysis Process

Impact

• How does the threat affect business operations?
• What are the adverse events that can occur?
• What is the likelihood that the threat will adversely affect business operations?
• What are the effects on people, infrastructure, facilities, and systems?
• What are the potential loss exposures to the business?
• What is the cost of the Controls to be implemented?
• What Controls are in place?


Risk Level Matrix

[Matrix: Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Risks plotted: Fire, Pandemic]


Risk Evaluation

• Assess risk ratings and prioritise risks for further treatment


Evaluation Criteria

• Criteria Examples:
  – People
  – Processes
  – Infrastructure

• Weighting for different criteria


Risk Evaluation

[Matrix: Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Risks plotted: Fire, Pandemic]


Risk Treatment

• Explore Treatment Strategies for risks deemed unacceptable

• Document reasons for selection of strategy for each risk treatment


Risk Treatment Strategies

• Risk Avoidance

• Risk Reduction

• Risk Transfer

• Risk Acceptance


Risk Treatment Strategies

[Matrix: Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Regions labelled: Transfer, Accept, Reduce / Active Control, Reduce (if Cost Justifiable), Avoid]


Risk Reduction

[Matrix: Impact (Low, Medium, High) against Likelihood (Low, Medium, High). Risks plotted: Fire, Pandemic. Label: Business Continuity Plan (BCP)]


Risk Analysis and Business Continuity Planning

[Diagram]
• Risk Analysis (Process): Identification, Analysis, Evaluation, Treatment, Monitoring
• Risk Treatment Strategies: Avoidance, Reduction, Transfer, Acceptance
• BC Planning: Business Impact Analysis, Recovery Strategy, Plan Development, Testing and Exercising, Program Management
• Reduction → BC Planning: treatment for risks that could potentially interrupt business operations


Implement & Monitor

• Present Recommendations to management for approval

• Implement recommendations

• Monitor results

• Adjust as necessary


Risk Analysis Process

[Cycle diagram: Identify → Analyse → Evaluate → Treat → Implement & Monitor]


Thank You
