Business Crisis and Continuity Management (BCCM)

Class Session 7

7-1

7 -2

Risk Analysis Taxonomy

People Equipment Facilities Financial Consequences Operational Regulatory Reputation Environmental Risk Intent Threat Capability History

Likelihood
Exposure Vulnerability Susceptibility Survivability

Source: Patrick Gallagher Manager Group Security Intelligence & Risk, Qantas Airways Limited

NIPP DEFINITION OF RISK A measure of potential harm that encompasses threat, vulnerability, and consequence. In the context of the NIPP, risk is the expected magnitude of loss due to a terrorist attack, natural disaster, or other incident, along with the likelihood of such an event occurring and causing that loss.
7-4

Risk Management The synthesis of the risk assessment, business area analysis, business impact analysis, risk communication and risk-based decision making functions to inform and make strategic and tactical decisions on how business risks will be treated whether ignored, reduced, transferred, or avoided.
7-5

Risk Management Strategies

high Introduce measures to avoid the risk

PROBABILITY

Manage Scenario (Reduce or Transfer risk)

low

Ignore (Accept risk) low CONSEQUENCE

high

Risk-based decision-making is a continual process that requires dialogue with stakeholders, monitoring and adjustment in light of economic, public relations, political and social impacts of the decisions made and implemented. Risk-based decision making requires the consideration of the following questions: Can risk be reduced? What are the interventions (controls) available to reduce risk? What combination of controls make sense (economic, public relations, social, legal, and political)?
7-7

Risk Assessment - The identification, analysis, and presentation of the potential hazards and vulnerabilities that can impact a business and the existing and potential controls that can reduce the risk of these hazards. Risk assessment requires consideration of the following questions: What can go wrong (hazards identification) What is the likelihood that it would go wrong? What are the consequences? What controls are currently in place?

7-8

Business Area Analysis The examination and understanding of the business functions, subfunctions and processes and the interdependencies amongst them. Business area analysis requires consideration of the following questions:
What are our business functions? What are our business sub-functions and processes? Which are critical to the continuity of our business?

7-9

Business Impact Analysis Applying the results of the risk assessment to the business area analysis to analyze the potential consequences/impacts of identified risks on the business and to identify preventive, preparedness, response, recovery, continuity and restoration controls to protect the business in the event of business disruption. Business impact analysis requires consideration of the following questions: How do potential hazards impact business functions, sub-functions and processes? What controls are currently in place?
7 - 10

Risk Communication - The exchange of risk related information, concerns, perceptions, and preferences within an organization and between an organization and its external environment that ties together overall enterprise management with the risk management function. Risk communication requires consideration of the following questions: To whom do we communicate about risk? What do we communicate about risk? How do we communicate about risk?

7 - 11

A RISK-BASED APPROACH
We need to adopt a risk-based approach in both our operations and our philosophy. Risk management is fundamental to managing the threat, while retaining our quality of life and living in freedom. Risk management must guide our decision-making as we examine how we can best organize to prevent, respond and recover from an attack.
Remarks as prepared for Secretary Michael Chertoff U.S. Department of Homeland Security George Washington University Homeland Security Policy Institute (3/16/05)

Probably the most important thing a Cabinet Secretary in a department like this can do as an individual is to clearly articulate a philosophy for leadership of the department that is intelligible and sensible, not only to the members of the department itself, but to the American public. And that means talking about things like risk management, which means not a guarantee against all risk, but an intelligent assessment and management of risk; talking about the need to make a cost benefit analysis in what we do, recognizing that lurching from either extreme forms of protection to total complacency, that's not an appropriate way to build a strategy; and finally, a clear articulation of the choices that we face as a people, and the consequence of those choices. Remarks of Secretary Chertoff GWU 12/14/06

Source GAO

Source NIPP June 2006

7 - 15

Hazard Risk Management

Communicate and Consult

Establish the Context

Identify the Hazards

Assess the Hazard Risk

Sort the Hazards by Risk Magnitude

Analyze the Risks from each Hazard

Group & Prioritize the Risks

(1) 1
Organizational/ Community Stakeholders Objectives

(2) 2
Hazards Identification

(4)
3
Probability Impact/ Consequences

(6)
5
Decompose Risks into components Categorize Risk Components

4
Compare Hazard Risks Rank Hazards by Risk

6
Group into like Categories Rank by Priority Consider Interventions

Monitor and Review

Adapted from Emergency Management Australia, 2002. Emergency Risk Management

7 - 16

What are the organizations/communitys strategic goals and objectives and considering those goals and objectives: a. b. c. d. e. What is the scope of our hazards risk management effort? What is an acceptable level of risk? Who determines what an acceptable level of risk is? Can risk be managed? What are the interventions (controls/countermeasures) available to manage risk? What combination of risk management interventions controls/countermeasures) make sense in terms of non-risk specific considerations (economic, social, political, legal)?

f.

7 - 17

The HRM framework includes six steps:

1) Establish the context, 2) Identify the hazards, 3) Assess the hazards risk, 4) Sort the hazards by risk magnitude, 5) Analyze the risks from each hazard, and 6) Group and prioritize risks; and two continual components: Communicate and Consult, and Monitor and Review.
7 - 18