Part 3: RAR - Risk Analysis v2

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
Revision as of 15:44, 16 January 2020 by Moh heng (talk | contribs)
Jump to navigation Jump to search
BackBCM RAR.png
BCM Planning Methodology RAR.jpg

After identifying the list of threats faced by the organisation in the previous section, participants will then proceed to the Treatment and Control section

Part 3: Risk Analysis

Threat Name

  • The name of each threat identified in List of Threats. BCM Coordinators are to ensure that all threats that have been highlighted in the previous section are represented here under the threat column.

Impact Area

  • Risk Impact or Impact Area analyzes the potential human impact on the organization such as the possibility of facilities being inaccessible, revenue being disrupted, personnel being killed, injured, or rendered ineffective and by each type of threat. Impact Area can be divided into 7 main categories:
    • Finance
    • Operations
    • Legal & Regulatory
    • Reputation & Image
    • Social Responsibility
    • People
    • Assets/IT Systems/Information

Highest Impact Area

  • Based on all 7 categories of Impact Area in the prior section, Highest-Impact Area takes the highest Impact Rating from all 7 categories

Risk Likelihood

Risk Rating

  • Risk Rating is the result of the multiplication of the assigned value for Risk Likelihood against the assigned value of the Highest Risk Impact. The result is the Risk Rating of an individual threat.

Risk Level

  • [Risk Level]] is the overall level of assessed risk for an individual threat to the organization

Expected Period of Disruption

BackBCM RAR.png
  • Expected Period of Disruption is the expected residual disruption resulting from each identified threats, taking into consideration existing controls.
  • The period of disruption is an estimated duration during which the organization’s operations are disrupted (operationally), or access to the primary location is denied (infrastructure).
  • For example, if the Expected Period of Disruption for any given threat is stated as 5 days, the organization will be disrupted for that amount of time.