Part 3: Risk Assessment CRA3 v2

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).

After identifying the list of threats and crisis scenarios faced by the organisation in the previous section, participants proceed to the Treatment and Control section.

Part 3: Crisis Treatment and Control

Each item below is a detailed explanation of the column that you are required to complete in the template provided.

Threat Name or Crisis Scenario

  • The name of each threat identified in the List of Threats. The Organisation BCM Coordinator and the Crisis Management Team Coordinator are to ensure that every threat and crisis scenario highlighted in the previous section is represented here under the threat column.

Impact Area

  • Risk Impact or Impact Area analyzes the potential impact of each type of threat on the organization and its people, such as the possibility of facilities being inaccessible, revenue being disrupted, or personnel being killed, injured, or rendered ineffective. Impact Area can be divided into 7 main categories:
  • Finance
  • Operations
  • Legal & Regulatory
  • Reputation & Image
  • Social Responsibility
  • People
  • Assets/IT Systems/Information

Highest Risk Impact (Area)

Based on all 7 categories of Impact Area in the prior section, the Highest Risk Impact (Area) takes the highest Impact Rating from all 7 categories.

Risk Likelihood

Risk Likelihood is the probability or chance of a threat happening.

Risk Rating

Risk Rating is the result of the multiplication of the assigned value for Risk Likelihood against the assigned value of the Highest Risk Impact. The result is the Risk Rating of an individual threat.

Risk Level

Risk Level is the overall level of assessed risk for an individual threat to the organization.
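The columns described above (Highest Risk Impact taken as the maximum over the 7 Impact Areas, Risk Rating as Likelihood multiplied by that maximum, and a Risk Level derived from the rating) can be worked through for a set of threats as follows. This is an added example, not BCMpedia's own tool or template: the 1..5 rating scale, the Risk Level bands, the sample threats and their ratings are all constructed assumptions chosen for illustration.

```python
"""Worked example of completing the Part 3 template columns (added example, not from BCMpedia)."""
from dataclasses import dataclass

# The seven Impact Area categories named on the page, in the page's order.
IMPACT_AREAS = (
    "Finance", "Operations", "Legal & Regulatory", "Reputation & Image",
    "Social Responsibility", "People", "Assets/IT Systems/Information",
)

# ASSUMPTION: a 1..5 scale for impact ratings and likelihood, and the Risk Level
# bands below, are illustrative choices; the page does not fix a scale or bands.
SCALE_MIN, SCALE_MAX = 1, 5
RISK_LEVEL_BANDS = ((5, "Low"), (12, "Medium"), (25, "High"))  # (upper bound inclusive, label)


@dataclass
class ThreatAssessment:
    name: str                       # Threat Name or Crisis Scenario
    impact_ratings: dict            # Impact Area -> rating on the assumed scale
    likelihood: int                 # Risk Likelihood on the assumed scale
    expected_disruption_days: int   # Expected Period of Disruption after existing controls


def _check_rating(value, what):
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{what} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")


def highest_risk_impact(impact_ratings):
    """Return (area, rating) for the highest-rated of the seven Impact Areas.

    Every category must be rated: an unrated area is a gap in the assessment,
    not an implicit zero, so it is rejected rather than silently ignored.
    """
    missing = [a for a in IMPACT_AREAS if a not in impact_ratings]
    if missing:
        raise ValueError(f"unrated impact areas: {missing}")
    for area in IMPACT_AREAS:
        _check_rating(impact_ratings[area], f"impact rating for {area}")
    area = max(IMPACT_AREAS, key=lambda a: impact_ratings[a])  # ties: first in page order
    return area, impact_ratings[area]


def risk_rating(assessment):
    """Risk Rating = Risk Likelihood x Highest Risk Impact."""
    _check_rating(assessment.likelihood, "likelihood")
    _, impact = highest_risk_impact(assessment.impact_ratings)
    return assessment.likelihood * impact


def risk_level(rating):
    """Map a Risk Rating to a Risk Level using the assumed bands."""
    for upper, label in RISK_LEVEL_BANDS:
        if rating <= upper:
            return label
    raise ValueError(f"rating {rating} is outside the assumed scale")


def template_row(assessment):
    """The completed template columns for one threat."""
    area, impact = highest_risk_impact(assessment.impact_ratings)
    rating = risk_rating(assessment)
    return {
        "Threat Name or Crisis Scenario": assessment.name,
        "Highest Risk Impact (Area)": f"{area} ({impact})",
        "Risk Likelihood": assessment.likelihood,
        "Risk Rating": rating,
        "Risk Level": risk_level(rating),
        "Expected Period of Disruption": f"{assessment.expected_disruption_days} days",
    }


# Constructed sample threats with illustrative ratings only.
SAMPLE_THREATS = [
    ThreatAssessment("Data centre power failure",
                     {"Finance": 3, "Operations": 5, "Legal & Regulatory": 2,
                      "Reputation & Image": 3, "Social Responsibility": 1,
                      "People": 1, "Assets/IT Systems/Information": 4},
                     likelihood=3, expected_disruption_days=2),
    ThreatAssessment("Minor office flooding",
                     {"Finance": 2, "Operations": 2, "Legal & Regulatory": 1,
                      "Reputation & Image": 1, "Social Responsibility": 1,
                      "People": 2, "Assets/IT Systems/Information": 2},
                     likelihood=2, expected_disruption_days=1),
]


def assess_all(threats=SAMPLE_THREATS):
    """Template rows ordered by Risk Rating, highest first, as a treatment priority list."""
    return sorted((template_row(t) for t in threats), key=lambda r: r["Risk Rating"], reverse=True)


if __name__ == "__main__":
    for row in assess_all():
        print(row)
```

Sorting the completed rows by Risk Rating gives the order in which the Treatment and Control section would normally take the threats up; rejecting an unrated Impact Area, rather than treating it as zero, keeps a half-finished row from quietly producing a low Risk Level.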

Expected Period of Disruption


Expected Period of Disruption is the expected residual disruption resulting from each identified threat, taking existing controls into consideration. In the case of a crisis scenario, this period can only be estimated, as it is very difficult to determine in advance. The period of disruption is an estimated duration during which the organization’s operations are disrupted (operationally), or access to the primary location is denied (infrastructure). For example, if the Expected Period of Disruption for a given threat is stated as 5 days, the organization is expected to be disrupted for that amount of time.