bccm - session 7 - power point

7/30/2019 BCCM - Session 7 - Power Point

1/18

Business Crisis and Continuity

Management (BCCM)

Class Session 7

7 - 1


2/18

7 -2


3/18

Risk Analysis Taxonomy

Risk

Consequences

Likelihood

People

Equipment

Facilities

Financial

Operational

Reputation

Environmental

Regulatory

Vulnerability

Threat

History

Capability

Intent

Survivability

Susceptibility

Exposure

Source: Patrick Gallagher

Manager Group Security Intelligence & Risk, Qantas

Airways Limited


4/18

NIPP DEFINITION OF RISK

A measure of potential harm that

encompasses threat, vulnerability, and

consequence. In the context of the NIPP,

risk is the expected magnitude of loss due

to a terrorist attack, natural disaster, or

other incident, along with the likelihoodof such an event occurring and causing

that loss.

7 - 4


5/18

Risk Management The synthesis of

the risk assessment, business areaanalysis, business impact analysis,

risk communication and risk-based

decision making functions to informand make strategic and tactical

decisions on how business risks will

be treated whether ignored,

reduced, transferred, or avoided.

7 - 5


6/18

PROBABILITY

low

high

low high

CONSEQUENCE

Introduce measures

to avoid the risk

Manage Scenario

(Reduce or Transfer risk)

Ignore

(Accept risk)

Risk Management Strategies


7/18

Risk-based decision-making is a continual process that

requires dialogue with stakeholders, monitoring

and adjustment in light of economic, public

relations, political and social impacts of the

decisions made and implemented. Risk-based

decision making requires the consideration of the

following questions:

Can risk be reduced?

What are the interventions (controls) available to

reduce risk?What combination of controls make sense

(economic, public relations, social, legal, and

political)?

7 - 7


8/18

Risk Assessment - The identification, analysis, and

presentation of the potential hazards andvulnerabilities that can impact a business and the

existing and potential controls that can reduce the risk

of these hazards. Risk assessment requires

consideration of the following questions:

What can go wrong (hazards identification)

What is the likelihood that it would go wrong?

What are the consequences?What controls are currently in place?

7 - 8


9/18

Business Area Analysis The examination andunderstanding of the business functions, sub-

functions and processes and the interdependencies

amongst them. Business area analysis requires

consideration of the following questions:

What are our business functions?

What are our business sub-functions and processes?

Which are critical to the continuity of our business?

7 - 9


10/18

Business Impact Analysis Applying the results of the

risk assessment to the business area analysis to

analyze the potential consequences/impacts ofidentified risks on the business and to identify

preventive, preparedness, response, recovery,

continuity and restoration controls to protect the

business in the event of business disruption. Businessimpact analysis requires consideration of the

following questions:

How do potential hazards impact business functions,sub-functions and processes?

What controls are currently in place?

7 - 10


11/18

Risk Communication - The exchange of risk related

information, concerns, perceptions, and preferenceswithin an organization and between an organization

and its external environment that ties together overall

enterprise management with the risk management

function. Risk communication requires considerationof the following questions:

To whom do we communicate about risk?

What do we communicate about risk?How do we communicate about risk?

7 - 11


12/18

A RISK-BASED APPROACH

We need to adopt a risk-based approach in bothour operations and our philosophy. Risk

management is fundamental to managing the

threat, while retaining our quality of life and living

in freedom. Risk management must guide ourdecision-making as we examine how we can best

organize to prevent, respond and recover from an

attack.

Remarks as prepared for Secretary Michael ChertoffU.S. Department of HomelandSecurity George Washington University Homeland Security Policy Institute(3/16/05)


13/18

Probably the most important thing a Cabinet Secretary in

a department like this can do as an individual is to clearly

articulate a philosophy for leadership of the department

that is intelligible and sensible, not only to the membersof the department itself, but to the American public. And

that means talking about things like risk management,

which means not a guarantee against all risk, but an

intelligent assessment and management of risk; talkingabout the need to make a cost benefit analysis in what

we do, recognizing that lurching from either extreme

forms of protection to total complacency, that's not an

appropriate way to build a strategy; and finally, a clear

articulation of the choices that we face as a people, and

the consequence of those choices.

Remarks of Secretary Chertoff GWU 12/14/06


14/18

Source GAO


15/18

7 - 15

Source NIPP June 2006


16/18

7 - 16

Hazard Risk Management

Adapted from Emergency Management Australia, 2002. Emergency Risk Management

Establish the

Context

(1)

Organizational/

Community

Stakeholders

Objectives

Identify the

Hazards

(2)

HazardsIdentification

(4)

CompareHazard Risks

RankHazards by Risk

Analyze the

Risks fromeach Hazard

DecomposeRisks into

components

CategorizeRisk

Components

Group &

Prioritize theRisks

(6)

Group into like

Categories

Rank by Priority

ConsiderInterventions

Sort the

Hazards byRisk

Magnitude

Communicate and Consult

Monitor and Review

1 2 3 4 5 6

Assess the

Hazard Risk

Probability

Impact/Consequences


17/18

What are the organizations/communitys strategic goals andobjectives and considering those goals and objectives:

a. What is the scope of our hazards risk management effort?

b. What is an acceptable level of risk?

c. Who determines what an acceptable level of risk is?

d. Can risk be managed?

e. What are the interventions (controls/countermeasures) available to

manage risk?

f. What combination of risk management interventionscontrols/countermeasures) make sense in terms of non-risk specific

considerations (economic, social, political, legal)?

7 - 17


18/18

The HRM framework includes six steps:

1) Establish the context,

2) Identify the hazards,

3) Assess the hazards risk,

4) Sort the hazards by risk magnitude,

5) Analyze the risks from each hazard,

and

6) Group and prioritize risks; and two continualcomponents: Communicate and Consult, and Monitor

and Review.

7 - 18

bccm - session 7 - power point

Documents