|
|
| |
|
|
| |
Threat and Risk Analysis
|
|
| |
|
|
| |
Managing disaster recovery and business continuity risks involves:
-
Understanding the environment, vulnerabilities and criticalities of the organisation.
-
Identifying the nature and source of potential disruption events that pose business
continuity risks, both positive and negative, to the organisation.
-
Understanding the consequences of these events in terms of their impact on the
business.
-
Implementing strategies to mitigate, or benefit from, the occurrence of the risk.
-
Recognising that disruption events may occur that have not been considered through formal
risk assessment.
-
Requiring that business continuity and disaster recovery plans maintain a high degree of
flexibility.
When tackling a risk and vulnerability assessment, you may consider the following
approach:
-
An examination of the risks and their context.
-
A consideration of the organisation's vulnerabilities to those risks.
-
Identification and provision of resources and infrastructure to support the critical
functions of the business.
-
Determine the communication requirements before, during and after a disruption.
Eight key business disruption categories have been listed below. It is important to note that
there is an almost indefinite number of potential threats, with varying levels of likelihood, that could
result in a severe disruption to your normal business operations.
However, the results or impacts of the vast majority of threats can be categorised within the
following eight risk areas:
-
Loss of precinct (loss of access to the business premises and surrounding area)
-
Loss of building
-
Denial of access to building for a limited time
-
Loss of Information Technology service (data)
-
Loss of Information Technology services (voice)
-
Loss of vital records (non electronic)
-
Loss of key staff
-
Loss of key dependencies
The risk assessment tool acts as a guide to help you determine an appropriate rating for each
risk. It is important to note that risk is subjective and therefore any ratings applied should be considered
in this context.
Likelihood
|
Consequences
|
|
Insignificant
|
Minor
|
Moderate
|
Major
|
Catastrophic
|
Almost certain
(e.g. >90% chance)
|
High
|
High
|
Extreme
|
Extreme
|
Extreme
|
Likely
(e.g. between 50% and 90% chance)
|
Moderate
|
High
|
High
|
Extreme
|
Extreme
|
Moderate
(e.g. between 10% and 50% chance)
|
Low
|
Moderate
|
High
|
Extreme
|
Extreme
|
Unlikely
(e.g. between 3% and 10% chance)
|
Low
|
Low
|
Moderate
|
High
|
Extreme
|
Rare
(e.g. <3% chance)
|
Low
|
Low
|
Moderate
|
High
|
High
|
The table below shows an example of the eight risk items that were
considered. The table also includes a current and target consequence and
likelihood rating.
The column on the far right lists the end risk rating. The art
of cost effective business continuity planning is applying controls to reduce the risk rating (residual risk)
to an acceptable level.
ID
|
Risk
|
Consequence
|
Likelihood
|
Rating
|
Current
|
Target
|
Current
|
Target
|
Level of Risk
|
1
|
Loss of IT (data)
|
Major
|
Insignificant
|
Moderate
|
Unlikely
|
Extreme
|
2
|
Loss of Precinct
|
Major
|
Minor
|
Rare
|
Rare
|
High
|
3
|
Loss of Building
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
4
|
Denial of Access to Building
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
5
|
Loss of Key Dependencies
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
6
|
Loss of Vital Records
|
Major
|
Insignificant
|
Unlikely
|
Rare
|
High
|
7
|
Loss of Key Staff
|
Moderate
|
Minor
|
Unlikely
|
Unlikely
|
Low
|
8
|
Loss of IT (voice)
|
Minor
|
Insignificant
|
Unlikely
|
Unlikely
|
Low
|
This table will be used as an example in the next section -
developing Recovery Strategies.
|
|
| |
|
|
|
dark.jpg)
