Business Continuity Risk Assessment
Business Continuity risk assessment is the process of identifying, analysing and evaluating the risks that an organisation faces.
This lays the groundwork for risk treatment, which involves taking steps to reduce the likelihood of events that could damage the organisation, and/or to limit the impact should such an event occur.
Cambridge Risk Solutions can assist with each stage of this process, bringing the benefit of an objective viewpoint and years of experience.
Identifying Business Continuity Risks
Most organisations have already identified many of the risks that they face. Some of this information is held formally in, for example, quality management systems, health and safety risk registers and information security risk assessments; but much of it is informal and anecdotal, in terms of people’s experience of previous incidents and near misses.
There are also numerous external resources to help to identify risks, including:
- The UK National Risk Register;
- Community Risk Registers for each area of the UK;
- Government websites such as the HSE and MI5; and
- Media reports of incidents.
Risk Analysis
Risk analysis involves estimating, for each event identified as a risk to the organisation, the likelihood that it will take place and the impact on the organisation (and its various stakeholders) if it does.
Frequently these estimates are expressed in the form of a “Likelihood and Impact Matrix”.
However, we would recommend considering the use of quantitative risk analysis techniques, which combine estimates of likelihood and impact in a distribution of potential outcomes.
Risk Treatment
Having identified, analysed and evaluated the risks to your organisation, there are 4 fundamental responses to each risk, known as the “4 T’s”:
- Tolerate the risk as it is (risk acceptance);
- Transfer the risk, i.e. buy insurance to mitigate the financial losses (risk transfer);
- Treat the risk, i.e. take practical steps to reduce the likelihood of the event occurring and/or mitigate the impact if it should occur (risk reduction); or
- Terminate the activity that gives rise to the risk (risk avoidance).
However, the best-intentioned efforts at reducing a risk often simply move the problem elsewhere.
For example, in the year after the wearing of crash helmets was made compulsory in the UK, there was an increase in motorcycling fatalities: the positive impact of reducing the specific risk of serious head injuries was offset by people riding more recklessly and therefore sustaining other fatal injuries.
Care must always be taken that the method of risk treatment adopted does not unintentionally create new risks that may be harder to manage.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with each stage of the Business Continuity Lifecycle. Alternatively, if you wish, you can outsource your entire Business Continuity Management function to us.
View some case studies of recent Business Continuity planning, training and exercising projects.