Tuesday, October 28, 2014

Chapter 8: Risk Assessment
  • The assessment takes into account the organization's tolerance for continuity risks.
  • The assessment should identify, evaluate, and record all relevant items, which include the following:
    • Vulnerabilities for all of the organization's most time-sensitive resources and activities
    • Threats and hazards to the organization's most urgent resources and activities
    • Measures that cut the possibility, length, or effect of a disruption of critical services and products
    • Single points of failure, that is, concentrations of risk that threaten business continuity
    • Continuity risks from concentrations of critical skills or critical shortages of skills
    • Continuity risks due to outsourced vendors and suppliers
    • Continuity risks that the BCP program has accepted, that are handled elsewhere, or that the BCP program does not address
  • The end results of a risk assessment include:
    • Identifying and documenting single points of failure
    • Making a prioritized list of threats to the particular business processes of the organization
    • Putting together information for developing a management strategy for risk control, and for developing action plans for addressing risk
    • Documenting acceptance of identified risks, or documenting acknowledgement of risks that will not be addressed
  • Risk assessment equation:
    • Risk = Threat x Impact x Probability
