Business Continuity Risk Assessment: A Critical Exercise

Business Continuity Risk Assessment

How can you assess the risks of a disaster interrupting business operations? How can you manage and reduce risk?

Here in California, the word ‘disaster’ is mainly associated with large-scale, destructive events such as fires, earthquakes, and floods.

However, according to the Oxford Dictionary, one of the definitions of ‘disaster’ is “an event or fact that has unfortunate consequences.”

When it comes to business operations, even a small event like an internet outage can have adverse consequences for your business’s ability to generate revenue or service customers properly.

Because of this, technology providers and service companies have adopted the term ‘disaster’ to refer to a wide variety of different types of events.

Events include:

  • Partial data loss
  • Complete data loss
  • Maliciously locked data (ransomware)
  • Computer equipment malfunction or failure
  • A disrupted internet connection
  • Any technical occurrence that impacts the productivity of one or more employees

Disaster recovery means getting some or all of your business operations back on track after an event. For a given type of disaster, your business should have a defined path to recovery.

One businessperson’s inconvenience is another businessperson’s calamity. This leads to the following question:

What constitutes a disaster for your business?

What you consider a disaster could be very different from what other business owners or managers in your area consider one.

It partly depends on the degree to which your business operations rely on data.

Examples of different business types

➤ A gravel quarry is less reliant on data than a CPA firm. The former is mainly concerned with the proper mechanical operation of stripping, drilling, crushing, and other equipment. A CPA firm depends on continuous access to client-provided data and software programs like Lacerte and Excel.

➤ A company that does several large business transactions a year may be less concerned about a day’s worth of accounting data loss than a company that has a steady, daily stream of financial transactions.

➤ A radiology practice has much more extensive data files to protect than a marketing agency.

All this means is that your tolerance for different types of business risk is specific to you and your business.

Let’s look at how to define your tolerance for different risks.

Create a business continuity risk assessment matrix

An important exercise is to create a risk assessment matrix for your business.

This will help you determine whether your data backup processes or disaster recovery plans have gaps.

The information you gather will help you complete the Disaster Risk Reduction Management Plan Template found on this SmartSheet landing page.

Catalog potential events

Start by cataloging five to ten potentially adverse events that could occur in your business. These should be specific to you and your business.

Here are some examples:

  • The loss of one day’s worth of bookkeeping entries
  • No access by anyone to your accounting software for one day
  • The loss of one day’s worth of client tax data entries
  • No access by anyone to your accounting software for five days
  • The loss of five days’ worth of bookkeeping entries
  • Failure of a customer service representative’s hard drive
  • One day of no internet access for ten people
  • A ransomware demand of under $10,000
  • A ransomware demand of $10,000 – $50,000
  • A ransomware demand of over $50,000

Determine event severity

Next, let’s look at a four-level event severity rating. These can be thought of as your tolerance level for different risks.

  • Acceptable
  • Tolerable
  • Undesirable
  • Intolerable

Example 1: You consider the failure of a customer service representative’s hard drive to be acceptable. The CSR uses all cloud applications, and their computer can be swapped out for a backup computer in minutes.

Example 2: You consider the loss of one day of accounting software entries tolerable. Recreating those entries would only take an hour or so.

Example 3: You consider one day without internet access for ten people undesirable. People could use their mobile phones as a backup, but this would be slower and less efficient than desktop email access.

Example 4: You consider a ransomware demand of over $50,000 to be intolerable. Paying this amount or more simply for the privilege of accessing your own data would be a significant financial burden on your business.

Consider the likelihood of different events

When we consider buying optional types of insurance, such as earthquake insurance here in California, we take the likelihood of an earthquake damaging or destroying our home into consideration.

Here are the three likelihood levels:

  • Improbable
  • Possible
  • Probable

Keep in mind that there is also a time dimension to event likelihood. Even if you live near a major fault, a destructive earthquake in the next 24 hours is improbable. The same event occurring sometime in the next six months is possible.

Also, the fact that certain types of events have not happened in the past does not make them less likely to occur in the future.

Put it all together

If you download the above-referenced spreadsheet from SmartSheet, you can assemble the risks you have gathered. Then, assign a risk rating of Low, Medium, High, or Extreme to each. Here is an example:

Business Disaster Risk Matrix

The last step is to determine where you have holes in data backup and recovery—including the ability to regain access to inaccessible software programs and data.

You will then be in a position to look into business continuity and disaster recovery options best suited to your business.

You may use the risk assessment output to determine whether to move applications to a private cloud.
