Business Risk Analysis
Conduct a business risk assessment against each business
The purpose of this task is to determine the 'Criticality'
of each business function. After all of the business processes
are evaluated to determine their criticality to your business
unit, you can prioritize the business functions to determine
which require a contingency plan and which can be ignored
and eliminated. Thoroughly review all the steps within
this task before proceeding.
The business risk analysis process inherent in this approach
focuses on two types of information to compute a business
processes criticality - risks and probabilities.
Here is a critical point in this analysis. Each function,
system, interface and third party can and should receive
a risk rating as discussed below. Probabilities, however,
are assigned to each failure that can occur for each of
these items. This means that an order function (risk rating
= 5) could be impaired because of a business partner failure
(probability of 60%) or could fail due to a system failure
(probability of 20%). The same function would have a different
criticality / probability score (see below) based on the
fact that two different failures could hit that business
Once the risks and probabilities are determined you can
calculate the criticality / probability score based upon
the matrix shown in the table below.
Failure Probability / Risk Criticality Matrix: Failure
probabilities and risk criticality can be multiplied to
determine the ultimate importance of creating a contingency
for a specific failure with a specific system, interface,
3rd party and / or business function.
To evaluate risk criticality (applies to business functions,
systems, interfaces and 3rd parties):
Evaluate each business function in regard to the impacts
that would occur if the function were interrupted, unavailable
or significantly changed. Be sure to consider:
- The types of events that might adversely affect a
- The upside and downside of various failure scenarios
for each business function. Review the alternatives
on this worksheet for further threats.
- The damage that these events could cause as time approaches
and surpasses failure dates.
Business risks to consider for each business
- Potential for human loss of life or injury
- Potential for major incident or accident such
as fire, explosion, release, spill
- Environmental damage
- Office or facility security
- Recoverable monetary loss
- Loss of customer base
- Lost opportunity in time to market
- Unrecoverable monetary loss
- Costs incurred due to problems that could have
- Costs due to lost discounts, increased warehousing
space, vendor changes, etc.
- Legal defense costs
- Regulatory compliance failures
- Results or actions which could justify legal actions
against the company (litigation)
- Related Exposure
- Loss of customer
- Loss of goodwill
- Loss of shareholder confidence
- Loss of image or reputation Investor confidence
- Security breaches
- System breaches causing lost data
- System breaches causing a loss of capital
- Physical security breaches
The Safety risks are recorded as either a Yes or No while
all other risk types are estimated and recorded in monetary
terms. Some safety risks can also be recorded in monetary
Estimating the monetary risks can be a very imprecise
or even impossible task. These fields are merely to aid
you in determining the 'criticality' of a business function
and prioritizing your contingency planning efforts. Alternative
methods of determining a business criticality can be used.
Whatever the method, assign a numeric value to indicate
the criticality as follows.
1 = no impact or impact does not impair business
2 = minor impact, could slow business or cause problems
if not fixed within 30-60 days
3 = medium impact, slows business down, must be fixed
in 2-4 weeks
4 = major impact, public relations impact, major cost,
legal or safety risk, requires fix in 1-7 days
5 = difficult to easily recover, major loss of revenue
or life possible, must be corrected in 24 hours
To evaluate probabilities:
- For each system, interface and 3rd party, consider
the types of problems that may occur that would impact
the ability of the business function relying on that
system, interface and 3rd party. For each problem identified,
update the system, interface and 3rd party forms and
complete a Tactical / Technical Contingency Planning
- For each item listed in point one above, identify
impacted business functions at the bottom of the form.
- For each failure scenario on a Tactical / Technical
Contingency Planning form, record a probability using
a 1-5 rating factor.
1 = 0-20%
- Use the list of impacted business functions to create
functional contingency plans as follows.
- For each business function, assess the types of problems
that may occur for that function based on any reference
to that business function on the Tactical / Technical
Contingency Planning form.
- Enter this information on the Functional Problem Scenario
Contingency Planning Worksheet and log the function
- if not already done - on the Business Function Data
- These problems or failure scenarios are used as direct
input to creating a contingency plan.
- For each failure scenario, record the probability
as a 1-5 rating factor on the
1 = 0-20%
2 = 20-40%
3 = 40-60%
4 = 60-80%
5 = 80-100%
Creating the criticality / probability score:
Multiply the criticality rating for each item (i.e. system,
interface, 3rd party or business function) by the probability
of the failure occurring.
Example: criticality rating 5 * probability of a failure
rating 4 = a criticality / probability score of 20.
This is the criticality / probability score. Apply this
score to the systems, interfaces, 3rd parties and functions
where failure scenarios were identified.
Eliminate non-critical business processes from a contingency
Review the business processes and determine which, if
any, can be eliminated from your contingency planning
project (i.e. don't require a contingency plan because
they are not critical to the business unit).
Be sure to discuss which business processes can be eliminated
with a business leader and clearly document the choice
for each business function in the contingency planning
forms by indicating low criticality for that function.
Again, no business function that involves the safety to
a person, facility, or environment can be eliminated!
Also, eliminate any business processes that are being
handled by a common (corporate) organization such as receiving
List and prioritize business functions that require
a contingency plan.
This task provides you with a means to determine in what
order to develop the contingency plans for your business
functions. Most organizations simply use the criticality
of a business function to determine its priority and others
acquire all the resources they need to develop all the
necessary contingency plans for all business processes.
Most likely you will need to add some judgement in determining
what to work on with your limited time and resources.
The following are some ideas to help you prioritize your
contingency planning efforts:
Possible Prioritization Considerations:
- Rate all failure scenarios for all business functions
and tactical planning items (systems, interfaces, 3rd
parties) by criticality / probability score.
- Make any item with a threat to safety a top priority
then rank the remaining items by combining their risk
totals (sum of all risk values per business function).
- Perform a reality check on the prioritized list. For
example, the risk of higher costs or loss of revenues
could be more critical to a business than litigation
costs due to a businesses poor liquidity.
- Recommend that a facilitated session be arranged for
the business unit's executives or Contingency Planning
Task Force to refine priorities using this collected
Revise contingency planning project tasks to reflect
the new priorities.
Update your contingency planning project plan(s) to include
a task to create contingency plans for each business function.
Be sure to assign who will be responsible for each task
Manage the identified risks as part of operational
There are many changes taking place due to strategic/tactical
projects, daily operations and the Compliance projects.
To insure that new risks are not incurred due these changes,
review each change to determine if it increases, reduces
or eliminates the risks and/or probability that a related
business function will not perform properly. If necessary
revise the information you recorded for that business
function and adjust your contingency planning project
By Tactical Strategy Group, Inc.