The Threat and Risk Assessment (TRA) is one aspect of business continuity that has come under criticism recently. In our opinion, this tool remains highly valuable, provided it is used correctly.
The complaints against the TRA are similar to those expressed about the Business Impact Analysis. People say it isn’t useful, that the information gathered tends to be of low quality, and that it’s too disruptive to the staff of other departments.
A Valuable Tool
In our view, using these complaints as a reason for not doing threat and risk assessments is like getting rid of your car because it needs to be washed.
The TRA itself remains a valuable tool for protecting organizations and minimizing impacts, so the goal is to make it more effective rather than not doing it at all.
The TRA is a tool that alerts you to the presence of storm clouds ahead.
It is a way of obtaining an overall view of the risks to the organization. TRAs identify the most relevant man-made, natural, and technology-based threats that your organization faces, based on an assessment of probability and potential impact.
These can include anything from fires and floods to data breaches, incidents of workplace violence, and reputational damage caused by social-media flareups.
Conducting a Threat and Risk Assessment
TRAs are based on interviews with subject matter experts from inside and outside the company along with a review of other documentation that they provide.
After these interviews, the team conducting the assessment writes a report identifying areas of risk and exposure for the organization, as well as the soundness of existing recovery plans. It also provides recommendations for improvement.
Once complete, the TRA can guide recovery planning and investment and help the organization avoid, anticipate, and prepare for impacts, saving money and promoting resiliency.
Anatomy of a Threat and Risk Assessment
Your TRA should incorporate a physical site assessment and detailed notes for each location. Included should be a hazard analysis, the environmental components, and notes on past events, as well as the appropriate items from the list above.
The typical TRA also looks at the following areas:
- Operational Procedures. This is an assessment of your current recovery plans. Are those plans sufficiently specific? The operational procedures in your plans should focus on proprietary information as opposed to general knowledge.
- Fire and Life Safety. Do your recovery plans address threats and risks associated with the facility? Plans should include timelines and milestones.
- Physical Security and Controls. How secure is the facility against unauthorized entry? Measures in place should be appropriate for the location. Employee education is critical.
- Information Security. Are your data and access protected?
- Change Management. Are the appropriate processes and controls in place to make sure changes do not impact production activities? This needs to cover both IT and business processes.
- Disaster Recovery Planning. Where are your single points of failure, if you have any? Are there gaps in your IT/Disaster Recovery planning?
- Data Backup and Offsite Storage. Does your capacity match your business requirements? Does your backup solution work? Has it been tested?
- Hardware Redundancy. Have you identified any single points of failure?
- Network and Telecommunications. What pieces, if they broke, would prevent use of the system, either day-to-day or during a crisis?
- Data Center Infrastructure. This is about performing a gap analysis of your data center. Do you have sufficient power? Is your power protected? Are appropriate redundancies built in?
- Succession Planning. This is all about people. What happens if you lose key members of your staff?
- Past Event History. What’s happened in the past is more likely to happen again in the future.
- Business Continuity. Are recovery plans in place and ready to be executed? Are they adequate and verified? Do they address people, buildings, technology, and business processes?
Formal vs. Informal
Assessments can be more or less formal. Formal assessments typically include interviews, written questions, scoring models, impact weightings, and estimates of the probability of occurrence for different events.
Informal assessments aim to arrive through relaxed discussion at an understanding of risks, hazards, current remediation, and the likelihood of occurrence.
Just identifying the basic risks and your state of preparedness is a good start.
The TRA should be as comprehensive as possible, with the risks and threat probability identified for each location.
Do the BIA First
Risk assessments are most effective when there is BIA data. Understanding business impact then allows for better risk assessment. When the BIA is in hand, risks can be evaluated in terms of how much each event is likely to harm the company. This helps you understand which threats you should address and which it is reasonable to ignore.
Don’t forget to consider the two aspects of risk: impact and probability. The items to correct are those with the highest impact and the highest probability, or those that have a low probability but would have a catastrophic impact.
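As an added illustration (not part of the original post), the following scoring model applies the prioritization rule above: impact comes from BIA data, probability from the assessment, and an event is flagged either for high impact and high probability or for low probability with catastrophic impact. The 1-5 scales, the BIA impact weights, the thresholds, and the sample threats are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed BIA output (assumed 1-5 scale): how badly the company is hurt
# if each business function is unavailable. Real values come from your BIA.
BIA_IMPACT = {"payments": 5, "customer support": 3, "marketing site": 2}

# Assumed thresholds for the two prioritization rules described in the text.
HIGH_IMPACT, HIGH_PROBABILITY = 4, 4
CATASTROPHIC_IMPACT, LOW_PROBABILITY = 5, 2
ACCEPTABLE_SCORE = 4


@dataclass
class Threat:
    name: str
    functions: List[str]  # business functions the event would disrupt
    probability: int      # assumed 1 (rare) .. 5 (almost certain)


def impact(threat: Threat) -> int:
    """Impact is driven by the most critical function the event takes down."""
    return max(BIA_IMPACT[f] for f in threat.functions)


def score(threat: Threat) -> int:
    """Classic impact x probability score used for ranking."""
    return impact(threat) * threat.probability


def classify(threat: Threat) -> str:
    """Apply the post's rule: fix high/high, fix catastrophic even if rare."""
    imp, prob = impact(threat), threat.probability
    if imp >= CATASTROPHIC_IMPACT and prob <= LOW_PROBABILITY:
        return "address (catastrophic impact, low probability)"
    if imp >= HIGH_IMPACT and prob >= HIGH_PROBABILITY:
        return "address (high impact, high probability)"
    if score(threat) <= ACCEPTABLE_SCORE:
        return "accept"
    return "monitor"


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest score first; ties broken by raw impact."""
    return sorted(threats, key=lambda t: (score(t), impact(t)), reverse=True)


# Constructed sample threats drawn from the categories the post names.
SAMPLE_THREATS = [
    Threat("regional flood", ["payments", "customer support"], 1),
    Threat("data breach", ["customer support"], 4),
    Threat("data center power loss", ["payments"], 4),
    Threat("social-media flareup", ["marketing site"], 2),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_THREATS):
        print(f"{score(t):>3}  {t.name:<25} {classify(t)}")
```

Note that the flood ranks third by raw score yet is still flagged for action, which is exactly the case a pure impact x probability ranking would bury.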
Improving the Threat and Risk Assessment Process
Nothing written above should be taken to mean the TRA as currently performed is without flaw.
Here are a few tips to improve the process:
- Be considerate of people’s time.
- It doesn’t have to be formal and time-consuming.
- Just ask people: “Tell me what you are most concerned about.”
- Go easy on your sources. Look around the location yourself. What’s nearby that could pose a danger?
- Talk to the facilities person. They are a great resource and might be more willing to talk than some others.
- Ask: “What are the biggest risks? Power? Flooding? Access?”
- Make TRA part of your overall planning process. It should be part of the company culture.
Increasing the Upside
The process of completing them might need updating, but the TRA is still a vital tool. To win over doubters and increase the upside of your assessments, look for ways to minimize the demands on your sources.
For more information on this and other hot topics in business continuity and disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Today’s Threat Environment: How Vulnerable is Your Business?
- Sweating the Big Stuff: 5 Things that Really Matter in BCM
- Shark Attacks vs. Sunburn: Preparing for the Most Likely Problems
- How to Stop Third-Party Vendors from Becoming Your Achilles’ Heel
- America’s Red Zones: Where Natural Disasters Cluster and What It Means for You
- Business Continuity Risks: Comparing Inherent & Residual Risks