The Fool-Proof Approach to BCP Risk Management
A huge part of continuity planning is identifying and managing your risks—what you might refer to as BCP risk management.
In truth, risks are everywhere. Your building. Your aging utility lines. The weather. The space heater under Bob’s desk. Bob himself, who has a weird propensity for opening email attachments from unknown senders. (“Not again, Bob!”)
All these things threaten your business in one way or another. Your job is to determine how and what steps must be taken to minimize those risks.
The important questions you need to ask regarding BCP risk management:
- What events could disrupt your operations?
- Which risks are unique to your business?
- What is the business impact of those events?
- How is the company already taking steps to mitigate those risks?
- What further actions must be taken?
It’s true that human error, like Bob infecting your systems with ransomware, can cause a lot of damage in a little amount of time. But you can’t blame Bob if you failed to identify the risks in the first place or if you knew the risks but never took any steps to prevent the error from occurring.
In this post, we’ll go over the right way to identify your company’s risks (and their impact) within your business continuity plan.
What is BCP risk management?
In business, risk management typically refers to the process of forecasting financial risks and “managing” them with procedures and solutions that minimize their impact.
For our purposes, “BCP risk management” refers to a similar process of identifying and removing risks, as outlined in your business continuity plan (BCP).
Your BCP is the foundation of your continuity planning. It’s a written document that provides guidance on how your company can prevent and recover from a disaster, and minimize the risks of operational downtime.
Three of the most crucial sections within your BCP are:
- Risk assessment: All events or scenarios that threaten company operations, and the estimated likelihood of those events occurring
- Business impact: To what extent the events would disrupt the organization, both in the immediate aftermath and the long term
- Resolution & recommended guidance: The preventative measures currently implemented that help to mitigate the risks of those events, along with recommendations for further solutions yet to be added
Why it’s so important
Before we delve into the best practices for your BCP, it’s always important to consider why these measures are so important for every business.
No company looks forward to being infected by ransomware, to being destroyed in a fire, or to losing a trove of business-critical files due to accidental deletion. But even companies who are aware of these risks aren’t doing enough to prevent them. Often, that’s simply because no one has seriously evaluated what the consequences might look like.
So let’s be clear about how such events can devastate your company:
- Only 6% of companies who don’t have a disaster recovery plan survive a disaster (Datto)
- After a disaster, small businesses lose an average of $8,581 in downtime every hour (The Atlantic)
- 40% of businesses shut down for good after a disaster. Among those that manage to reopen their doors, 71% of them ultimately close within two years (FEMA)
These statistics should scare every organization.
But the good news is: it’s not that difficult to evaluate the risks and consequences of a disaster at your company. That’s where BCP risk management comes into play. By performing a thorough risk assessment, you can determine the exact level of danger and damage that each risk poses. In turn, this provides clarity around the exact solutions that are needed to mitigate those risks.
What you’ll need before you get started
So, where to begin? Below is a list of “ingredients” you’ll need to ensure that the information in your risk assessment is thorough and accurate.
This isn’t the time for loose predictions. If you underestimate the costs of a disaster, it will negatively affect every other aspect of your continuity planning. Your preventative measures will fall short. Your recovery procedures won’t be aggressive enough. Worse-case scenario: unexpected recovery costs could make the company could “go under,” simply because you didn’t take the time to do the calculations.
Here’s what you need:
- Disaster recovery team: a small group of personnel who can help to compile information for the risk assessment, as well as manage the BCP. This team will also help coordinate recovery efforts after a disaster.
- Interdepartmental communication / collaboration: You’ll likely need to communicate with several departments (IT, accounting, QA, and so on) to obtain the information you need. Department managers should be aware of the importance of the risk assessment and should make resources available to assist you with the information-gathering process.
- Business continuity consultant (optional): If your team does not have much experience with risk management or business impact analyses, then it may be a good idea to hire an outside consultant. A qualified consultant should be able to complete these assessments with greater speed and efficiency, which may actually save the company money vs. doing the assessments in-house.
- Lots of coffee: Always a good idea, especially for those late-night disaster planning sessions.
Now, let’s dig into the details of the three vital BCP sections mentioned above: risk assessment, impact and resolution.
Depending on the format of your business continuity plan, you may decide to break these into three separate sections, or to use a chart with three columns. A very basic example might look like this:
|Risk||Impact||Resolution / Recommendation|
|Warehouse server outage due to hardware malfunction or physical damage|| |
Maximum of 6 hours of critical data loss; suspended warehouse and logistical operations
|Cloud-based data backup system already in place. Check status of most recent backup; restore.|
In actuality, each section or column will have much greater depth. Here’s what you’ll include in each:
1) Risk Assessment
This is where you’ll list all the “what ifs” – the unique dangers that threaten your business. This section should include every possible situation that has the potential to disrupt your options. Don’t worry too much about the likelihood of each scenario just yet – you’ll identify that and prioritize as needed later.
Some risks, like fire, are common to almost all businesses, although the impact might not necessarily be. Other risks might be more unique to your business, based on your industry, infrastructure or your location. For example, if you’re located in a crowded metropolitan area, and there’s a mass transit breakdown that prevents a large portion of your workforce from coming into work, then your operations are likely to be more affected.
Here are some general business risks you might find in a business continuity plan:
- Human error (file/folder deletion)
- Fire / smoke / gas leak
- Malware / virus / ransomware
- DDoS or other cyberattacks
- Failure of hardware / software / network infrastructure
- Loss of telecommunications
- Electrical outage or utility disruption
- Damage from natural disasters or severe weather (earthquakes, flooding, etc.)
- Terrorism / civil unrest
Remember: the more specific the better.
At larger companies, you may find it difficult at first to determine which risks pose the biggest threats. You’ll gain a better picture of your company’s unique risks as you (or your BC consultant) meet with managers throughout the organization to better understand their processes.
2) Business Impact
To prioritize your risks, you need to define exactly how they will affect the business. Also, you should project how likely each event is likely to happen. This is your business impact analysis.
Consider an event in which ransomware has locked up data that is critical to nearly every unit of your business, from sales to shipping. How would it affect your operations? How long would the disruption last? And most importantly: how much would it cost?
Cost analyses are an essential component of your business impact assessment. To truly understand how the company will be affected, you must quantify the losses. Ideally, you should know how much the event will cost the business per hour, per day, etc.
This is where you’ll likely need the assistance of your accounting teams. When calculating the cost of losses, be sure to consider every possible factor. Here are a few to consider:
- Loss in sales / revenue
- Damaged equipment
- Compliance liabilities
- Worker inactivity
- Production disruption
- Legal or compliance liabilities
- Long-term damage to company reputation
When outlining your impact analysis, you may also find it helpful to use a 5-point scale to quantify the severity (and probability) of each event in general terms:
- Business impact: 5=Major disruption, 1=Minor
- Probability: 5=Very likely, 1=not likely
Consider adding these numerical ratings to columns in your Risk-Impact-Resolution chart, described above.
3) Resolution & Recommended Guidance
Ahh, sweet, sweet resolution.
The important final component of your risk assessment is outlining the systems and protocols for responding to the disaster. Additionally, this is where you’ll identify the solutions to any remaining weaknesses.
In the case of the ransomware attack example above, your resolution section would identify both the high-level solution (i.e. your corporate data backup system) as well as the specific steps that should be taken, such as:
- Which personnel to notify when an infection has been detected
- How to isolate the infection
- How to validate and restore a backup
Keep in mind that some disasters will require additional steps for contacting external contacts, such as emergency responders, attorneys, media and so on.
If you find that there are currently no adequate systems in place for preventing certain risks, be sure to place emphasis on these. Specify exactly which steps need to be taken, in what amount of time, and any technologies or solutions that need to be implemented.
Need Some Help? Give Us a Buzz
For more information on how your company can mitigate risk with today’s best data-protection technologies, contact our business continuity experts at Invenio IT. Request a free demo or contact us today by calling (646) 395-1170 or by emailing [email protected].