Risk assessment is often cited as a key part of business continuity planning: the discipline of ensuring an organization can keep on working in the face of adversity. As such, it’s a natural playground for stochastic modeling because of the nature of the parameters involved. However, business continuity can cover just about anything – all the internal departments of an organization, plus any external event that could have an impact on them. With the plethora of risk factors that might be considered in the model, how far should you go?
Risk assessment does not equal ability to respond
Some business continuity practitioners think that risk assessment provides no real help in developing the resilience of an organization. This shock statement needs some further explanation. Their point of view is that because business continuity is all about responding to impact, the cause and the risk of what caused the impact is irrelevant. If severe storms strike a factory, the business continuity emphasis has to be on the protection of critical resources that have not been damaged and the recovery or repair of the others; rather than on risk modeling and planning for what the future may hold.
The customer’s point of view
This shift in point of view is consistent with customer expectations. Whether they are other businesses, consumers, or citizens, customers primarily want their goods and services (machine parts, fruit and vegetables, municipal services – for instance). They want service level agreements to be respected. Their interest in what provoked a disruption is secondary: what they really want is delivery as though no disruption had ever occurred.
What, no risk assessment?
Risk assessment still applies across an enterprise because of the constant requirement to improve operational efficiency and reduce exposure to internal weaknesses and external threats. The issue is with repetition or redundancy of these analyses within the business continuity framework. In other words, it comes down to a matter of operational efficiency in risk assessment, and the need to conserve the most precious resource of all, time, by not squandering it on duplicating work already done.
Difficult to let go
Notwithstanding the thinking above, risk assessment is typically part of the different business continuity planning methods in existence today. Risk registers, business impact analysis and risk modeling are all clearly indicated as components of the business continuity curriculum on the path to continuity nirvana. With the degree of embedding that exists today, it’s unlikely that risk assessment will drop out of the business continuity package any time soon. But it’s also recognized that risk assessment is not confined to business continuity. In fact, some level of risk assessment should be practiced by managers in any organizational function.
A flexible and future-proof approach
Using a risk assessment model that allows for easy assembly and disassembly is a way to setting up a structure that can handle both possibilities. Using Analytica’s Intelligent Arrays for example, risk sub-models can be constructed on a per department basis and brought together for overall risk assessment as required. If appropriate, responsibility for a particular are can be handed off to the individual group concerned for it to construct the straightforward influence diagram that represents the risks it sees. The group can also extend the diagram (no expert training required) to a risk assessment model using the capabilities of Analytica. That way, whether risk assessment remains a part of business continuity or whether it is completely devolved to individual departments, organizations can still have it covered.
If you’d like to know how Analytica, the modeling software from Lumina, can help you distribute risk assessment between departments, then try a free evaluation of Analytica to see what it can do for you.