A Risk Matrix should form the core of your Business Continuity Plan
The image above shows an extract from Suffolk County Council’s Community Risk Register (CRR) in the form of a matrix. It shows the probability and impact of a number of potential events that might create an adverse risk for the county and its population.
Production and maintenance of a CRR is a statutory duty placed on all local authorities in England & Wales as part of the Civil Contingencies Act 2004. I chose this one as an example because of the clarity of its presentation and format: it is easy to see what risks should form the focus of any disaster planning in Suffolk. Whilst this matrix reflects regional priorities from the perspective of a local authority, the principle of conducting a Risk Assessment is a core activity in the production of an organisation’s Business Continuity Plan.
All organisations are exposed to a number of internal and external events that have the potential to disrupt their operations. Examples include:
- Severe weather causing traffic dislocation and staff being prevented from travelling to work.
- Failure of the public power supply causing a suspension of production or the creation of unacceptable health and safety risks.
- Unexpected loss of staff members resulting in the suspension of critical functions.
- User error resulting in the accidental destruction of order processing data or financial records.
- External attack via a trojan horse resulting in the theft or destruction of personal data.
All of these hazardous events, and many more, have the potential to disrupt the effectiveness of the organisation’s business processes. Depending on the probability that individual risks will occur in any one year and the likely impact if the risk does occur, the organisation can choose how to deal with the risk:
- Accept the risk that the event will occur and ignore it because the cost of treating it outweighs the benefits to be gained.
- Change the part of the business process that would be affected by the risk because the probability and impact are high enough to warrant intervention.
- Transfer the risk to another party, such as an outsourced supplier, because they are better equipped to deal with the risk.
- Take steps to reduce the probability and limit the impact.
Even after choosing one of these strategies, if the residual risk is still too high to be accepted, the organisation must put in place plans detailing how to react if the risk materialises. The objective is to maintain the required level of operation so that the organisation can continue to serve its customers and satisfy its obligations.
More information can be found on the Suffolk Resilience web site.
Agdon Associates and Business Continuity UK are no longer in business. This website is not being updated: it has been left online solely as a source of useful information on Business Continuity.