Assessing Your Risk: Planning for the Unexpected
Your first step is to identify all your key business processes and assess the impact of each on normal customer or member service levels: what would happen to your operations if one or more of these processes were unavailable for a period of time? The following three elements below will help you identify potential risks, their likelihood, and their probable impact on day-to-day operations.
Service Interruption Time-Bands - Identify the time limits for your ability to do without your key business processes including those that are outsourced to a third-party vendor or organization. Use a range of time periods - under two hours, 2-24 hours, 24-48 hours, 2-5 days, over five days - and identify the critical time band for each key process. For example, how long could you do without your website or email system before normal service levels and continued viability are affected?
Emergency Incident Assessment - To determine the types of disruptive events that are most likely to affect your normal business process, review any plans, policies, and/or procedures relating to the areas under investigation (evacuation plans, building management documentation, backup procedures, etc.) Consider any unique operational risks of your business. Examine each potential disruption and develop a list of consequences for each threat. Determine the likelihood of each threat (probability rating of 1 to 5 - very low, low, medium, high, very high) and its possible impact (impact rating of 1 to 5 - irritating, controllable, critical, devastating, terminal).
Operational Impact - Overlaying the Service-Interruption Time Bands and the Emergency Incident Assessment results will help you establish areas of "significant impact" on normal operations. Significant impact represents a level where members' service levels will be negatively affected. This overlay will guide the development and help you prioritize the elements of your Business Continuity Plan.
© Bob Mellinger, Attainium Corp
# # #