Business Risk Analysis

Conduct a business risk assessment against each business function.

The purpose of this task is to determine the 'Criticality' of each business function. After all of the business processes are evaluated to determine their criticality to your business unit, you can prioritize the business functions to determine which require a contingency plan and which can be ignored and eliminated. Thoroughly review all the steps within this task before proceeding.

The business risk analysis process inherent in this approach focuses on two types of information to compute a business process's criticality: risks and probabilities.

Here is a critical point in this analysis. Each function, system, interface and third party can and should receive a risk rating as discussed below. Probabilities, however, are assigned to each failure that can occur for each of these items. This means that an order function (risk rating = 5) could be impaired because of a business partner failure (probability of 60%) or could fail due to a system failure (probability of 20%). The same function would have a different criticality / probability score (see below) based on the fact that two different failures could hit that business function.

Once the risks and probabilities are determined you can calculate the criticality / probability score based upon the matrix shown in the table below.

Failure Probability

High    5   10   15   20   25
        4    8   12   16   20
        3    6    9   12   15
        2    4    6    8   10
Low     1    2    3    4    5

        Low                 High

Risk Criticality

Failure Probability / Risk Criticality Matrix: Failure probabilities and risk criticality can be multiplied to determine the ultimate importance of creating a contingency for a specific failure with a specific system, interface, 3rd party and / or business function.

To evaluate risk criticality (applies to business functions, systems, interfaces and 3rd parties):

Evaluate each business function in regard to the impacts that would occur if the function were interrupted, unavailable or significantly changed. Be sure to consider:

  1. The types of events that might adversely affect a business function.
  2. The upside and downside of various failure scenarios for each business function. Review the alternatives on this worksheet for further threats.
  3. The damage that these events could cause as time approaches and surpasses failure dates.

Business risks to consider for each business function:

  • Safety
    1. Potential for human loss of life or injury
    2. Potential for major incident or accident such as fire, explosion, release, spill
    3. Environmental damage
    4. Office or facility security
  • Revenues
    1. Recoverable monetary loss
    2. Loss of customer base
    3. Lost opportunity in time to market
    4. Unrecoverable monetary loss
  • Costs
    1. Costs incurred due to problems that could have been prevented
    2. Costs due to lost discounts, increased warehousing space, vendor changes, etc.
    3. Legal defense costs
  • Legal
    1. Regulatory compliance failures
    2. Results or actions which could justify legal actions against the company (litigation)
  • Related Exposure
    1. Loss of customer
    2. Loss of goodwill
    3. Loss of shareholder confidence
    4. Loss of image or reputation; investor confidence
  • Security breaches
    1. System breaches causing lost data
    2. System breaches causing a loss of capital
    3. Physical security breaches

The Safety risks are recorded as either a Yes or No while all other risk types are estimated and recorded in monetary terms. Some safety risks can also be recorded in monetary terms.

Estimating the monetary risks can be a very imprecise or even impossible task. These fields are merely to aid you in determining the 'criticality' of a business function and prioritizing your contingency planning efforts. Alternative methods of determining a business criticality can be used. Whatever the method, assign a numeric value to indicate the criticality as follows.

1 = no impact or impact does not impair business
2 = minor impact, could slow business or cause problems if not fixed within 30-60 days
3 = medium impact, slows business down, must be fixed in 2-4 weeks
4 = major impact, public relations impact, major cost, legal or safety risk, requires fix in 1-7 days
5 = difficult to easily recover, major loss of revenue or life possible, must be corrected in 24 hours

To evaluate probabilities:

  1. For each system, interface and 3rd party, consider the types of problems that may occur that would impact the ability of the business function relying on that system, interface and 3rd party. For each problem identified, update the system, interface and 3rd party forms and complete a Tactical / Technical Contingency Planning form accordingly.
  2. For each item listed in point one above, identify impacted business functions at the bottom of the form.
  3. For each failure scenario on a Tactical / Technical Contingency Planning form, record a probability using a 1-5 rating factor.
    1 = 0-20%
    2 = 20-40%
    3 = 40-60%
    4 = 60-80%
    5 = 80-100%
  4. Use the list of impacted business functions to create functional contingency plans as follows.
  5. For each business function, assess the types of problems that may occur for that function based on any reference to that business function on the Tactical / Technical Contingency Planning form.
  6. Enter this information on the Functional Problem Scenario Contingency Planning Worksheet and log the function - if not already done - on the Business Function Data Collection form.
  7. These problems or failure scenarios are used as direct input to creating a contingency plan.
  8. For each failure scenario, record the probability as a 1-5 rating factor on the
    1 = 0-20%
    2 = 20-40%
    3 = 40-60%
    4 = 60-80%
    5 = 80-100%

Creating the criticality / probability score:

Multiply the criticality rating for each item (i.e. system, interface, 3rd party or business function) by the probability of the failure occurring.

Example: criticality rating 5 * probability of a failure rating 4 = a criticality / probability score of 20.

This is the criticality / probability score. Apply this score to the systems, interfaces, 3rd parties and functions where failure scenarios were identified.

Eliminate non-critical business processes from a contingency planning project.

Review the business processes and determine which, if any, can be eliminated from your contingency planning project (i.e. don't require a contingency plan because they are not critical to the business unit).

Be sure to discuss which business processes can be eliminated with a business leader and clearly document the choice for each business function in the contingency planning forms by indicating low criticality for that function. Again, no business function that involves the safety of a person, facility, or environment can be eliminated!

Also, eliminate any business processes that are being handled by a common (corporate) organization such as receiving energy.

List and prioritize business functions that require a contingency plan.

This task provides you with a means to determine in what order to develop the contingency plans for your business functions. Most organizations simply use the criticality of a business function to determine its priority and others acquire all the resources they need to develop all the necessary contingency plans for all business processes. Most likely you will need to add some judgement in determining what to work on with your limited time and resources. The following are some ideas to help you prioritize your contingency planning efforts:

Possible Prioritization Considerations:

  1. Rate all failure scenarios for all business functions and tactical planning items (systems, interfaces, 3rd parties) by criticality / probability score.
  2. Make any item with a threat to safety a top priority then rank the remaining items by combining their risk totals (sum of all risk values per business function).
  3. Perform a reality check on the prioritized list. For example, the risk of higher costs or loss of revenues could be more critical to a business than litigation costs due to a business's poor liquidity.
  4. Recommend that a facilitated session be arranged for the business unit's executives or Contingency Planning Task Force to refine priorities using this collected information.
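
The scoring and safety-first ranking described above, as an added example (not part of the original worksheet set). The scenario names other than the order function are constructed. Two assumptions are made: a probability that sits on a shared band edge (20%, 40%, 60%, 80%) is given the higher rating, and the non-safety items are ordered by criticality / probability score.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureScenario:
    item: str               # business function, system, interface or 3rd party
    failure: str            # the failure that could hit that item
    criticality: int        # 1-5 risk criticality rating of the item
    probability_pct: float  # estimated probability of this failure, in percent
    safety: bool = False    # safety risks are recorded as Yes / No

def probability_rating(pct: float) -> int:
    """Map a percentage to the 1-5 rating factor (0-20% = 1 ... 80-100% = 5).
    Assumption: the bands share their edges, so an edge value gets the
    higher (more conservative) rating, e.g. 60% rates 4, not 3."""
    if not 0 <= pct <= 100:
        raise ValueError(f"probability out of range: {pct}")
    return min(5, int(pct // 20) + 1)

def score(s: FailureScenario) -> int:
    """Criticality / probability score: criticality x probability rating."""
    if s.criticality not in range(1, 6):
        raise ValueError(f"criticality must be 1-5: {s.criticality}")
    return s.criticality * probability_rating(s.probability_pct)

def prioritize(scenarios):
    """Safety threats first, then highest score first (assumed tie to step 1)."""
    return sorted(scenarios, key=lambda s: (not s.safety, -score(s)))

# Constructed sample data; the order function figures follow the text above.
SCENARIOS = [
    FailureScenario("Order function", "system failure", 5, 20),
    FailureScenario("Newsletter mailing", "print vendor failure", 1, 90),
    FailureScenario("Order function", "business partner failure", 5, 60),
    FailureScenario("Warehouse alarm", "sensor interface failure", 4, 10, safety=True),
]

if __name__ == "__main__":
    for s in prioritize(SCENARIOS):
        flag = "SAFETY" if s.safety else "      "
        print(f"{flag} {score(s):>2}  {s.item}: {s.failure}")
```

The same order function scores 20 for the business partner failure and 10 for the system failure, which is why probabilities are recorded per failure rather than per function.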

Revise contingency planning project tasks to reflect the new priorities.

Update your contingency planning project plan(s) to include a task to create contingency plans for each business function. Be sure to assign who will be responsible for each task (business function).

Manage the identified risks as part of operational management practices.

There are many changes taking place due to strategic/tactical projects, daily operations and the Compliance projects. To ensure that new risks are not incurred due to these changes, review each change to determine if it increases, reduces or eliminates the risks and/or probability that a related business function will not perform properly. If necessary, revise the information you recorded for that business function and adjust your contingency planning project plan(s) accordingly.

By Tactical Strategy Group, Inc.

Copyright © 2000 - 2008 AngelsCorner. All rights reserved.