III.B.1 Risk Identification
While management performs risk assessments, the focus of business continuity risk identification is on the resilience of the entity. While the causes of events can vary greatly, many of the effects do not. According to the Federal Emergency Management Agency (FEMA), threats and hazards can be categorized as natural, technological, and adversarial or human-caused. (Refer to FEMA’s Comprehensive Preparedness Guide (CPG) 101 Version 2.0. Non-FFIEC agency documents are included for illustrative purposes of common risks and are not supervisory expectations.) Each of these threats and hazards can be subcategorized, for example as internal (e.g., malicious insider or human error) or external, systemic or non-systemic, deliberate or inadvertent, and with or without warning. Although the characteristics of each hazard and threat (e.g., speed of onset, size of the affected area) may be different, the general tasks for recovering operations are the same. Management should address common operational functions in the business continuity plan (BCP) instead of having unique plans for every type of hazard or threat. Planning for all threats and hazards ensures that, when addressing emergency functions, planners identify common tasks and the personnel responsible for accomplishing the tasks.
Management should evaluate potential risks that are in the entity’s geographic area. For example, entities could be located in flood-prone areas, earthquake zones, terrorist targets, or areas affected by tornadoes or hurricanes. In addition to geographic areas, management should also assess geopolitical risk and the potential for retaliatory cyber attacks. For example, U.S. sanctions against a nation-state could increase the risk of cyber attacks against critical infrastructure.
Management should coordinate business continuity risk identification efforts throughout the entity. Individual business units within larger entities should coordinate risk identification activities to identify systemic threats to the overall entity. Management should identify and inventory the entity’s internal and external assets, types of threats and hazards, and existing controls as an important part of effective risk identification. Refer to the IT Handbook’s “Management” booklet for additional information.
Furthermore, management should identify cybersecurity risks (refer to the IT Handbook’s “Information Security” booklet for additional information), which should be gathered as part of the risk assessment process. Cybersecurity risks can affect customer information, as discussed in the Interagency Guidelines Establishing Information Security Standards that implement the Gramm-Leach-Bliley Act (GLBA). (Refer to the Interagency Guidelines Establishing Information Security Standards issued by 12 CFR 364, Appendix B (FDIC); 12 CFR 208, Appendix D-2 and 12 CFR 225, Appendix F (FRB); and 12 CFR 30, Appendix B (OCC). Also refer to Guidelines for Safeguarding Member Information, 12 CFR 748, Appendix A (NCUA).)
Management should coordinate with external sources to obtain information about hazards and threats. External sources include industry information-sharing groups (e.g., the Financial Services Information Sharing and Analysis Center (FS-ISAC)) and local, state, and federal authorities (examples include ChicagoFIRST, county and state governments, the DHS’s National Terrorism Advisory System, FEMA, and the World Health Organization) that provide timely and actionable information about hazards and threats. In addition, sharing information about events at an entity may help others identify, evaluate, and mitigate cybersecurity threats and vulnerabilities. Information about hazards and threats should be considered in the BIA, risk assessment, and other BCM processes. Refer to the IT Handbook’s “Information Security” booklet for additional information.
One component in the risk identification process is the gathering and assessment of threat intelligence, which National Institute of Standards and Technology (NIST) defines as “information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.” Management should integrate its threat-intelligence process with the BCM function.
Threats are potentially magnified when entities and their third-party service providers are tightly interconnected. An incident affecting one entity or third-party service provider can result in cascading impacts that quickly affect other service providers, institutions, or sectors. The term “supply chain risk” in BCM may be used to represent the risk related to the interconnectivity among the entity and others. A critical failure at a third-party service provider could have large-scale consequences. Management should identify interconnectivity points between the entity and its third-party service providers, as well as between other entities and third-party service providers. Documenting the flow of transactions, such as developing formal process diagrams, may help management identify interdependencies and end-to-end processes.