Research Report: Risk Assessment for BCM
Planning & Management
Written by Tom Scholtz   
13p_058

This information comes from the Gartner Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2013.

Definition: Risk assessment in the Business Continuity Management (BCM) context is the process of identifying and treating risks to business process availability and the continuity of operations. It is an essential first step (along with the business impact analysis [BIA]) in the overall BCM process, and is necessary to reduce the frequency and effect of business interruptions, addressing risks related to technology, location, geopolitics, regulations and industry, as well as the business and IT supply chains.

Position and Adoption Speed Justification: BCM planning was historically conducted with a very superficial level of risk assessment, or even with none at all. Although it has been well-understood that risk assessments are a necessary component of BCM planning, business managers sometimes consider them to be time-consuming and too resource-intensive. This opinion has been justified by the general lack of effective risk assessment methods and tools, and often exacerbated by the inappropriate use of such tools and methods. Furthermore, given that BCM planning is often focused on low-likelihood, high-impact events, the emphasis of the risk assessment is typically on planning for the possibility of a catastrophic event, rather than for the probability of the event happening.

However, expectations of better levels of practice are increasing, encouraged to some extent by standards – such as ITIL; COBIT; and International Organization for Standardization (ISO)/International Electro-technical Commission (IEC) 22301, 27001 and 31000. This is reinforced by a growing realization that risk assessment has a valuable role to play in identifying, assessing and preventing events that could result in the unnecessary triggering of recovery plans. That is, risk assessment focuses not only on events over which the enterprise has little control (such as natural disasters and terrorism), but also on those over which it has more control (for example, facility failures, supply chain complexity, poor change management, security control weaknesses and human error).

Today, risk assessments are recommended in all BCM frameworks, and risk assessment tools are being included as integrated or stand-alone modules in BCM planning (BCMP) toolsets. In addition, governance, risk and compliance tools increasingly support assessing and reporting on BCM risk. Using these tools still requires specific BCM skills and time, which often are unavailable, but this situation is improving. Increasing emphasis on the importance and value of risk assessment in all spheres of business management is driving increased adoption of the discipline as a key component of BCM. However, unrealistic expectations about risk assessment being a panacea for ensuring business involvement in the BCM process, coupled with the inappropriate use of risk assessment tools (such as using very algorithmic mathematical models with a business audience that manages risk in a more intuitive manner), will continue to result in some disillusionment and a lack of business unit buy-in.

User Advice: Make formal risk and business impact assessments that identify key control weaknesses and single points of failure as mandatory components of your BCM program. Define the extent to which risk assessments will be performed, based on BCM project scope, resources and time availability. If existing processes are not effective, then change them. Consider replacing complex mathematical tools with more-intuitive assessment methods (for example, scenario planning and Delphic brainstorming), if it will better suit the cultural approach to risk management. Such methods are typically more suited to assessments of multi-sourced environments, including software as a service (SaaS) and cloud-based services.

Improve efficiency and reduce the time demands on business managers by leveraging risk assessments performed by operational or IT risk teams. Work with those teams to ensure that their data is sufficiently granular to meet BCM needs. As you become more mature at BCM risk assessment, make the transition to a continuous improvement process that accommodates BCM, IT and security risks. This will ensure that BCM team members – business and IT – are included and kept apprised of new or changing threats.

Use standard terminology and processes to ensure consistency in assessment and risk prioritization. Investigate the use of software tools. They will not eliminate the need for an experienced risk assessor, but they can simplify the risk assessment process. Additionally, they provide an important repository for risk information, tracking assessments and treatment activities, as well as documentation for auditors and aid to program improvement. BCMP tools, which often provide integrated risk assessment functionality, are increasingly being used as hosted or SaaS solutions. This potentially allows the business continuity manager to realize value at a lower-price entry point.

Business Impact: Implementing BCM plans can be expensive and disruptive. Risk assessments are essential for pre-emptive action to reduce threat occurrences and constrain the effect of any disaster. Risk assessments (“What are the chances of a disaster happening?”) also provide critical information for effective BIAs (“What will the impact be if a disaster becomes reality?”). Increasing adoption of SaaS and cloud-based services adds an additional level of complexity to BCM planning and the ability to perform effective risk assessment.

Benefit Rating: High

Market Penetration: 5% to 20% of target audience

Maturity: Adolescent

Sample vendors: Business Protector; Coop Systems; Cura Technologies; eBRP Solutions; EverGreen Data Continuity; Fusion Risk Management; Linus Information Security Solutions; MetricStream; Risk Watch International; EMC (RSA); Strategic BCP; SunGard Availability Services

 

About the Author

Tom Scholtz is a Research Vice President in Gartner, where he advises clients on security management strategies and trends, and is an acknowledged authority on information security policy design, security organizational dynamics, and security management processes.

This information comes from the Gartner Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2013. This report is part of Gartner’s 2013 Hype Cycle Special Report which provides strategists and planners with an assessment of the maturity, business benefit and future direction of more than 2,000 technologies, grouped into 98 areas. The Special Report includes a video, provides more details regarding this year’s Hype Cycles, as well as links to all of the Hype Cycle reports. The Special Report can be found at http://www.gartner.com/technology/research/hype-cycles/.