The importance of risk assessments
In this blog, I share why risk assessments are critical to business continuity. I recently spoke to a colleague I respect highly about the essential aspects of business continuity. We started to talk about how each of us viewed assets as they related to risk management. From her perspective, assets are the customers or stakeholders in the business operations. However, I took another stand, stating that we should include office sites as an asset from a business continuity perspective.
She disagreed. Her argument doubled down that a business continuity program should not focus on locations as assets. Instead, she countered that it was the role of security to safeguard offices from a threat perspective. I completely respect her opinion, which stems from a risk management focus. However, we know that identifying risks that can adversely affect a company’s resources or reputation is vital to planning.
Risk assessments fuel better BC practices
For many of you, this is not news. DRI International’s Professional Practices calls out a risk assessment as a business continuity objective. Assessing risks to determine the potential impacts to an enterprise enables a company to determine the most effective use of resources to reduce the possible effects. Of course, ISO 22301 speaks to the importance of addressing risks as well. I also agree that security has a crucial role in threat assessment and protecting a company’s property.
So why am I bringing it up? My fellow practitioner came from a risk orientation to business continuity, while I took a more traditional route. By that I mean my orientation was COOP, and I completed DRI International’s certification process to jump into BC. As we think about the role of operational resilience and its evolving impact on business continuity practice, it is essential to consider the part risk management plays. In most situations, I hear that risk and business continuity get partnered to complete the work. Yet, to my mind, business continuity is incomplete without a robust risk assessment component to fuel the maturity of a strong program.
BC protects life, property and the environment
Risk assessments are critical to business continuity because they help create a resilient organization. A well-conducted risk assessment is the building block to an effective BIA and subsequent plan. Without it, you have a boilerplate continuity plan that is missing insights for crisis response. You may know what functions and locations are impacted but will miss opportunities to understand the impacts fully.
More importantly, the planning will not adequately protect life, property, and the business environment because it lacks the situational awareness vital to effective crisis response. The continuity plans will only ever get to the level of addressing risk concerns instead of providing measurable and targeted penetration into an asset’s risk quotient (RQ). By employing the RQ method, you identify risk quantitatively. Taking this approach estimates exposure and its effects. You want to strive for data that highlights the adverse impact on processes, personnel, and operations from an interruption.
Risk analysis leads to effective controls
We know that identifying threats and hazards can mitigate business impacts from an interruption. Neither my colleague nor I disagreed on that. Where we diverged was on how to build a resilient organization. I get her point when location loss is less critical to operations in the emerging COVID next normal landscape. Yet, I believe we still need to consider locations as assets that require careful assessment with a solid risk approach. Most of our people are still tied to offices or connected in some way to our locations. So, facility and regional assessments are valuable.
As I shared in previous blogs, my take is that business continuity goes beyond having a plan. A risk assessment helps us understand existing exposure and builds increased resiliency. Trending business risks include business interruption, supply chain instability, cybercrime, reputational, and market risks. A risk analysis links the business impact data with an understanding of operational activities. With a resilience approach, you need to catalog all aspects of potential trouble to enable adequate controls.
Assets are locations
How, then, do we navigate to the next normal for business continuity? You may know that a few of my fellow practitioners and I in the Resilience Think Tank (RTT) are actively expressing how you articulate value as a business continuity professional. One way to do this is by not losing sight of core fundamentals while continuing to evolve. Prevention is an aspect of building a solid BC foundation.
Resilience is a C-Suite priority, and boards invest in business stability. To thrive, companies need to know their exposures from all angles. From my experience, this includes a continued element of horizon scanning and risk analysis. A thorough assessment for business continuity must continue to have full consideration of all risk types, including facility assets. An asset is any item of value to the company, and real estate is still in that bucket for most organizations. So, having BC at the operational resilience table ensures a continued holistic approach to all impact types and criteria.