There are many Risk Management models in common usage, some of a general nature and others developed entirely for a specific industry or sector. Virtually all of them involve identifying specific threats (or hazards) and using a formula to calculate a risk value from threat probability and threat impact (the consequence if the threat is realised).
The simplest formula is:
• Risk Value = Threat Impact x Threat Probability
BCI Good Practice Guidelines 2010 | GLOBAL EDITION []
Other models use more complex formulae that also take into account the level of mitigation already in place. Some risk models then rank threats by the organization's ability to control them. This prioritises the threats that are easiest to control, on the argument that this gives the best return on the investment of time and money, but it does so at the penalty of ignoring many significant external impacts.
Whilst these methods are reasonably effective at dealing with Business as Usual (BAU) risks, many BC professionals believe that they have serious shortcomings in evaluating catastrophic operational risks because:
• It is impossible to identify all threats
• Estimates of probability are guesswork or based on historic information
• The probability of an event occurring depends on the time period under consideration – the longer the time period the more likely it is that an event will occur
• The numeric scales often used to classify probability and impact (e.g. 1 for low, 2 for medium, 3 for high) over-emphasize the impact of minor events and cannot be used to calculate a comparative measure of risk (e.g. a low probability, high impact risk scores 1 x 3 = 3, the same value as a high probability, low impact risk at 3 x 1 = 3, although the two call for very different treatment)
• The use of a numerical scale to assign a value to impacts cannot adequately reflect the relative importance of less-quantifiable assets such as reputation
• The organization’s ‘risk appetite’ or ‘risk tolerance’ (the amount of risk that an organization is prepared to accept) drives the level of action it will take to control identified threats, and the calculated risk value must be judged against it
The above shortcomings demonstrate how difficult it is to measure risk and therefore to specify these metrics with any certainty.
Process
The key steps in evaluating threats are:
• List the known internal and external threats that could cause disruption to the organization’s most urgent activities, as determined in the BIA
• Determine a risk assessment scoring system for impacts and probabilities. Agree the approach with Top Management
• Estimate the impact on the organization of each threat using the agreed scoring system
• Determine the likelihood of each threat occurring and weight it according to the scoring system
• Calculate a risk value for each threat by combining the scores for impact and probability, according to an agreed formula
• Review the results of the scored risk analysis
• Prioritise the threats by level of risk
• Identify unacceptable areas of risk or single points of failure
• If the organization has an existing Risk Management control programme, pass the results of the threat evaluation to the person responsible for the programme
• Recommend the actions that can be taken to reduce the threat of disruption to the organization’s most urgent activities
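As an added worked example (not code from the BCI guideline), the following Python scores a constructed threat list with the simplest formula given at the start of this section, prioritises it, checks it against a risk appetite, and makes two of the shortcomings listed earlier concrete: the 1 to 3 scale gives a low probability, high impact threat the same value as a high probability, low impact one, and a probability only means something for a stated time period. The scoring scale, threat names, appetite value and the Poisson model used for the time-period calculation are assumptions of this example.

```python
"""Added example: scoring, ranking and sanity-checking a threat list with
Risk Value = Threat Impact x Threat Probability on an agreed 1-3 scale.
Every threat, score and threshold below is constructed for illustration."""
from dataclasses import dataclass
import math

# Agreed scoring system for impacts and probabilities (assumed for the example).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    impact: str        # "low" | "medium" | "high"
    probability: str   # "low" | "medium" | "high"


def risk_value(t: Threat) -> int:
    """Risk Value = Threat Impact x Threat Probability on the agreed scale."""
    return SCALE[t.impact] * SCALE[t.probability]


def prioritise(threats):
    """Rank threats by risk value, highest first. sorted() is stable, so threats
    with equal values keep their input order: the scale cannot separate them."""
    return sorted(threats, key=risk_value, reverse=True)


def unacceptable(threats, appetite: int):
    """Threats whose risk value exceeds the stated risk appetite need action,
    or referral to the owner of an existing Risk Management programme."""
    return [t for t in threats if risk_value(t) > appetite]


def scale_collisions(threats):
    """Map risk value -> threats that share it despite different impact/probability
    profiles, i.e. the low probability/high impact vs high probability/low impact
    ambiguity the text warns about."""
    groups = {}
    for t in threats:
        groups.setdefault(risk_value(t), []).append(t)
    return {v: ts for v, ts in groups.items()
            if len({(t.impact, t.probability) for t in ts}) > 1}


def probability_over_period(annual_rate: float, years: float) -> float:
    """Probability of at least one occurrence within `years`, given an annual
    occurrence rate (as obtained from insurance or disaster-frequency statistics).
    Modelled here, as an assumption, as a Poisson process: 1 - exp(-rate * years).
    Shows why a probability score is meaningless without a stated period."""
    return 1.0 - math.exp(-annual_rate * years)


# Constructed threat list for the example (not from the guideline).
THREATS = [
    Threat("Data centre flood", impact="high", probability="low"),
    Threat("Laptop theft", impact="low", probability="high"),
    Threat("Ransomware on file servers", impact="high", probability="medium"),
    Threat("Brief power dip", impact="low", probability="medium"),
]

if __name__ == "__main__":
    for t in prioritise(THREATS):
        print(f"{risk_value(t)}  {t.name} ({t.impact} impact, {t.probability} probability)")
    print("Above appetite:", [t.name for t in unacceptable(THREATS, appetite=4)])
    print("Indistinguishable by score:",
          {v: [t.name for t in ts] for v, ts in scale_collisions(THREATS).items()})
    # A "1-in-100-year" flood is 1% in any one year but roughly 22% over a
    # 25-year site lease; the same hazard scores "low" or "medium" depending on period.
    print(f"1 year: {probability_over_period(0.01, 1):.3f}, "
          f"25 years: {probability_over_period(0.01, 25):.3f}")
```

In the output the flood (3 x 1) and laptop theft (1 x 3) tie at 3 and only input order separates them, which is the point of the scale criticism; the appetite check is what turns a ranked list into the "unacceptable areas of risk" the process calls for.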
Methods and Techniques
If the organization has an established Risk Management function, consider using the established risk assessment method or technique for evaluating threats.
Numerous risk assessment scoring systems can be obtained from published literature.
As well as the chosen risk assessment scoring system for impacts and probabilities, the methods and techniques that can be used to identify and evaluate threats include:
• The organization’s risk register (if one exists)
• Internal and external threats identified from appropriate sources
• Event tree analysis
• Fault tree analysis
• Stakeholder analysis
• Scenario planning
• Threats identified during the BIA process
• Previous incidents experienced by the organization, the industry sector or the vicinity
• Known local natural or man-made hazards
• Geographical mapping
• Network analysis
Probabilities can be assessed using:
• Insurance statistics
• Published disaster frequency statistics
Specific threat reduction techniques and measures that can be adopted include:
• Taking advice on physical security – from the various national and international professional security associations, many of whom publish guidelines and good practice
• Taking advice on information security – from the various national and international Information Communication Technology and Information Security bodies. ISO 27001 and ISO 27002 will also provide valuable guidelines to follow
• Monitoring systems may provide prompt warning of utility failures, equipment failures and disruptive threats
• Sprinkler and fire suppression systems
• Resilient telecommunications networks so that there are no single points of failure
Proposed solutions can be evaluated using Cost Benefit Analysis.
Outcomes and Review
The outcomes from evaluating threats are:
• A list of the threats that could cause a disruption to the organization’s most urgent activities, prioritised by level of risk
• The identification of any unacceptable single points of failure
• Recommendations on actions to be taken to reduce the threat of disruption to the organization’s most urgent activities
Threats to the organization’s most urgent activities should be re-evaluated annually or more frequently if:
• The BIA has been updated
• There is a significant change in the internal business processes, location or technology
• There is a significant change in the external business environment – such as market or regulatory change