This guide on risk assessments in disaster recovery planning shows how to get started, how to prepare a risk analysis, and how to identify natural and man-made hazards. We’ve also included a free, downloadable IT risk assessment template you can use in your planning.
Types of defensive responses
A risk assessment can help you identify events that could adversely impact your organization. This includes the potential damage such events could cause, the amount of time needed to recover or restore operations, and the preventive measures or controls that can reduce the likelihood of an event occurring. A risk assessment will also help you determine what steps, if properly implemented, could reduce the severity of an event.
To get started with a risk assessment, begin by identifying the most critical business processes from the business impact analysis (BIA). You should then gather information on potential threats to your organization.
After the risks and vulnerabilities have been identified, defensive responses can be considered.
Protective measures: These are activities designed to reduce the chances of a disruptive event occurring; an example is using security cameras to identify unauthorized visitors and to alert authorities before an attacker can cause any damage.
Mitigation measures: These activities are designed to minimize the severity of the event after it occurs. Mitigation measure examples include surge suppressors to reduce the impact of a lightning strike and uninterruptible power systems to limit the chances of a hard stop to critical systems due to a blackout or brownout.
Recovery activities: These activities serve to bring back disrupted systems and infrastructure to a level that can support business operations. For example, critical data stored off site can be used to restart business operations to an appropriate point in time.
Contingency plans: These process-level documents describe what an organization can do in the aftermath of a disruptive event. They are usually triggered based on input from the emergency management team.
The sequence in which these measures are implemented depends to a large extent upon the results of the risk assessment. After you identify a specific threat and its associated vulnerability, you can plan the most effective defensive strategy. Remember that contingency plans must cope with the effects, regardless of the causes.
Types of risk assessments
Risk assessments generally take one of two forms: quantitative, which seeks to identify the risks and quantify them on a numeric scale (e.g., 0.0 to 1.0 or 1 to 10); and qualitative, which is based on forming a general impression of each risk in order to qualify it. The qualitative process uses subjective terms such as low, medium and high, or poor, good and excellent, instead of numeric values.
Quantitative methods, which assign a numeric value to the risk, usually require access to reliable statistics to project the future likelihood of risk. As mentioned earlier, qualitative methods often include subjective measures, like low, medium and high. However, sometimes the qualitative approach is more acceptable to management. In our risk assessment template, you will find columns that enable you to assign qualitative terms to each of the risks to your organization.

Table: Quantitative risk assessment. This table illustrates an example of a quantitative assessment.
A basic formula, Risk = Likelihood x Impact, is typically used to compute a risk value. This formula is also known as a risk assessment matrix. By weighing the likelihood of an event against the level of damage it could cause, the risk assessment matrix is an illustrative tool for management to use to plan for possible disasters.
For example, we can use a scale of 0.0 to 1.0, in which 0.0 means the threat is not likely to occur and 1.0 means the threat will absolutely occur. The impact 0.0 means there is no damage or disruption to the organization, whereas 1.0 could mean the company is completely destroyed and unable to further conduct business. Numbers in between can represent the result of a statistical analysis of threat data and company experience. The downloadable risk assessment template uses this approach.
Using the quantitative range 0.0 to 1.0, you may decide to assign qualitative terms to results (e.g., 0.0 to 0.4 = low risk, 0.5 to 0.7 = moderate risk, and 0.8 to 1.0 = high risk).
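The following is an added example (not code from the original article or its downloadable template) that applies the Risk = Likelihood x Impact formula on the 0.0 to 1.0 scale to a constructed list of hazards and maps each score onto the qualitative bands above. Because the bands leave gaps between 0.4 and 0.5 and between 0.7 and 0.8, the example assumes every score is rounded to one decimal place before banding so that each hazard lands in exactly one band; the hazard names and numbers are illustrative sample data, not statistics.

```python
"""Quantitative risk scoring with Risk = Likelihood x Impact.

Added example, not from the original article or its template. Likelihood
and impact both use the 0.0-1.0 scale described in the text. The bands
(0.0-0.4 low, 0.5-0.7 moderate, 0.8-1.0 high) leave gaps at 0.4/0.5 and
0.7/0.8; this example assumes a score is rounded to one decimal place
before banding so every score falls into exactly one band.
"""

# Upper bound of each qualitative band, applied to the rounded score.
BANDS = [(0.4, "low"), (0.7, "moderate"), (1.0, "high")]


def risk_score(likelihood: float, impact: float) -> float:
    """Risk = Likelihood x Impact, rounded to one decimal (assumption)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be within 0.0-1.0, got {value}")
    return round(likelihood * impact, 1)


def risk_band(score: float) -> str:
    """Map a rounded 0.0-1.0 score onto the low/moderate/high terms."""
    for upper, label in BANDS:
        if score <= upper + 1e-9:  # tolerate float error at band edges
            return label
    raise ValueError(f"score out of range: {score}")


def assess(hazards):
    """Score each (hazard, likelihood, impact) row; highest risk first."""
    rows = []
    for name, likelihood, impact in hazards:
        score = risk_score(likelihood, impact)
        rows.append({"hazard": name, "score": score, "band": risk_band(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample hazards; the numbers are illustrative only.
SAMPLE_HAZARDS = [
    ("Power outage (blackout/brownout)", 0.9, 0.6),  # 0.54 -> 0.5 moderate
    ("Ransomware on file servers", 0.9, 0.9),        # 0.81 -> 0.8 high
    ("Lightning strike", 0.3, 0.7),                  # 0.21 -> 0.2 low
    ("Data centre flood", 0.1, 1.0),                 # 0.10 -> 0.1 low
]

if __name__ == "__main__":
    for r in assess(SAMPLE_HAZARDS):
        print(f"{r['hazard']:<36} risk={r['score']:.1f} ({r['band']})")
```

The ranked output is the kind of prioritized list the next paragraph refers to, from which management can choose to address only the highest band or every band.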
Figure: Example of a risk matrix. A risk matrix is a qualitative tool for sharing a risk assessment.
Once all the relevant risks have been analyzed and assigned a qualitative category, you can then examine strategies to deal with only the highest risks or you can address all the risk categories. The risk management plan will depend on management’s risk appetite, which is their willingness to deal appropriately with risks. The strategies you define for risks can next be used to help design business continuity and disaster recovery strategies.
Conducting your risk assessment: Who, what, when
An appointed project manager and their team are typically in charge of conducting the risk assessment and preparing the risk management plan. Other personnel may be involved where the plan calls for actions that will need to be performed at their level in the future.
Depending on the number of effects, symptoms and consequences, the level of detail in a risk assessment will vary by organization. There is no set number of risks to look for in a general risk assessment, so that is up to the discretion of the company performing the assessment. In our risk assessment template, there are fields for more than 50 potential hazards, both man-made and natural.
A risk assessment is a key activity in a business continuity or disaster recovery program. The process can be relatively simple, for example if you elect to use a qualitative approach, or more rigorous when using a quantitative approach, as you may want to be able to substantiate your numerical factors with statistical evidence.
How often you carry out a risk assessment is also up to your discretion. However, results should be updated periodically to determine if any changes to the risks (e.g., likelihood and impact) have occurred. Regardless of the methodology used, the results should map to the critical business processes identified in the business impact analysis and help define strategies for responding to the identified risks. If a risk assessment is out of date, so are the strategies used to combat potential hazards.