|
| |
|
|
| |
Threat and Risk Analysis
|
|
| |
|
|
| |
Managing disaster recovery and business continuity risks
involves:
-
Understanding the environment, vulnerabilities and
criticalities of the organisation.
-
Identifying the nature and source of potential disruption
events that pose business continuity risks, both positive and
negative, to the organisation.
-
Understanding the consequences of these events in terms of
their impact on the business.
-
Implementing strategies to mitigate, or benefit from, the
occurrence of the risk.
-
Recognising that disruption events may occur that have not
been considered through formal risk assessment.
-
Requiring that business continuity and disaster recovery
plans maintain a high degree of flexibility.
When tackling a risk and vulnerability assessment, you may
consider the following approach:
-
An examination of the risks and their context.
-
A consideration of the
organisation's vulnerabilities to
those risks.
-
Identification and provision of resources and infrastructure
to support the critical functions of the business.
-
Determine the communication requirements before, during and
after a disruption.
Eight key business disruption categories have been listed below.
It is important to note that there is an almost indefinite number of
potential threats, with varying levels of likelihood, that could
result in a severe disruption to your normal business operations.
However, the results or impacts of the vast majority of threats can
be categorised within the following eight risk areas:
-
Loss of precinct (loss of access to the business premises
and surrounding area)
-
Loss of building
-
Denial of access to building for a limited time
-
Loss of Information Technology service (data)
-
Loss of Information Technology services (voice)
-
Loss of vital records (non electronic)
-
Loss of key staff
-
Loss of key dependencies
The risk assessment tool acts as a guide to help you determine an
appropriate rating for each risk. It is important to note that risk
is subjective and therefore any ratings applied should be considered
in this context.
Likelihood
|
Consequences
|
|
Insignificant
|
Minor
|
Moderate
|
Major
|
Catastrophic
|
Almost certain(e.g.
>90% chance)
|
High
|
High
|
Extreme
|
Extreme
|
Extreme
|
Likely
(e.g. between 50% and 90% chance)
|
Moderate
|
High
|
High
|
Extreme
|
Extreme
|
Moderate
(e.g.
between 10% and 50% chance)
|
Low
|
Moderate
|
High
|
Extreme
|
Extreme
|
Unlikely
(e.g. between 3% and 10% chance)
|
Low
|
Low
|
Moderate
|
High
|
Extreme
|
Rare
(e.g. <3% chance)
|
Low
|
Low
|
Moderate
|
High
|
High
|
The table below shows an example of the eight
risk items that were considered. The table also includes a
current and target consequence and likelihood rating.
The column on the far right lists the end
risk rating. The art of cost effective business continuity
planning is applying controls to reduce the risk rating (residual
risk) to an acceptable level.
ID
|
Risk
|
Consequence
|
Likelihood
|
Rating
|
Current
|
Target
|
Current
|
Target
|
Level of Risk
|
1
|
Loss of IT (data)
|
Major
|
Insignificant
|
Moderate
|
Unlikely
|
Extreme
|
2
|
Loss of Precinct
|
Major
|
Minor
|
Rare
|
Rare
|
High
|
3
|
Loss of Building
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
4
|
Denial of Access to Building
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
5
|
Loss of Key Dependencies
|
Major
|
Minor
|
Unlikely
|
Unlikely
|
High
|
6
|
Loss of Vital Records
|
Major
|
Insignificant
|
Unlikely
|
Rare
|
High
|
7
|
Loss of Key Staff
|
Moderate
|
Minor
|
Unlikely
|
Unlikely
|
Low
|
8
|
Loss of IT (voice)
|
Minor
|
Insignificant
|
Unlikely
|
Unlikely
|
Low
|
This table will be used as an example in the
next section - developing Recovery
Strategies.
|
|
| |
|
|
|
dark.jpg)