The risk assessment is the second step in the business continuity planning process. It should include:
- Evaluating the BIA assumptions using various threat scenarios;
- Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves;
- Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and
- Performing a "gap analysis" that compares the existing BCP to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution.
The risk assessment step is critical and has significant bearing on whether business continuity planning efforts will be successful. During the risk assessment step, business processes and the BIA assumptions are evaluated using various threat scenarios.Refer to Appendix F: "Business Impact Analysis Process" for additional information. This will result in a range of outcomes that may require changes to the BCP.
Financial institutions should develop realistic threat scenarios that may potentially disrupt business processes and their ability to meet clients' expectations (internal, business partners, or customers). Threats can take many forms, including malicious activity, natural and technical disasters, and pandemic incidents.Refer to Appendix C: "Internal and External Threats" and Appendix D: "Pandemic Planning" for additional informationWhere possible, institutions should analyze a threat by using non-specific, all-risk planning that focuses on the impact of the threat instead of the nature of the threat. For example, the effects of certain threat scenarios can include business disruptions that affect only specific personnel, work areas, systems, facilities (i.e., buildings), or geographic areas. Additionally, the magnitude of the business disruption should consider a wide variety of threat scenarios based upon practical experiences and potential circumstances and events. If the threat scenarios are not comprehensive, the resulting BCP may be too basic and omit reasonable steps that are needed for a timely recovery after a disruption.
Threat scenarios should consider the severity of the disaster, which is based upon the impact and the probability of business disruptions resulting from identified threats. Threats may range from those with a high probability of occurrence and low impact to the institution, such as brief power interruptions, to those with a low probability of occurrence and high impact to the institution, such as hurricanes or terrorist attacks. The most difficult threats to address are those that have a high impact on the institution but a low probability of occurrence. However, through the use of non-specific, all-risk planning, the BCP may be more flexible and adaptable to all types of disruptions.
When assessing the probability of a disruption, financial institutions and technology service providers should consider the geographic location of all facilities, their susceptibility to threats (e.g., location in a flood plain), and the proximity to critical infrastructures (e.g., power sources, nuclear power plants, airports, major highways, railroads). Worst-case scenarios, such as destruction of the facilities and loss of life, should be considered. As part of this process, external factors should also be closely monitored to determine the probability of occurrence. External factors can be monitored through constant communication with community and government officials and regulatory authorities. For example, institutions should monitor alerts issued by such organizations as the Department of Homeland Security and the World Health Organization, which provide information regarding terrorist activity and environmental risks, respectively.
After analyzing the impact, probability, and the resulting severity of identified threats, the institution can prioritize business processes and estimate how they could be disrupted under various threat scenarios. The resulting probability of occurrence may be based on a rating system of high, medium, and low.
At this point in the business continuity planning process, the financial institution should perform a "gap analysis." In this context, a "gap analysis" is a methodical comparison of what types of policies and procedures the institution (or business line) should implement to recover, resume, and maintain normal business operations, versus what the existing BCP provides. The difference between the two highlights additional risk exposure that management should address when developing the BCP.
Business Impact Analysis