This page provides a resource kit which will help business continuity planners with their risk and hazard assessment processes and their business impact analysis. For those working with the NFPA 1600 business continuity standard it will help ensure compliance with the requirement that:
“The entity shall identify hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards” (Ref 3-3 of The Standard on Emergency/Disaster Management and Business Continuity Programs – NFPA 1600); and
“A continuity of operations plan shall identify the critical and time-sensitive applications, processes, and functions to be recovered and continued, as well as the personnel and procedures necessary to do so, such as business impact analysis, and business continuity management” (Ref 3-6 of The Standard on Emergency/Disaster Management and Business Continuity Programs – NFPA 1600).
Our introduction to the Business Impact Analysis process is outlined below using the following steps:
1. Develop an entity profile.
2. Identify and profile hazards.
3. Establish risk assessment criteria.
4. Create and apply impact scenarios.
5. Compare and prioritise risks.
As shown in our “identify potential sources of risk” pdf, a broad range of risk sources should be considered. For illustrative purposes we use “natural hazards” because they are:
(b) shared and thereby involve interdependencies and vulnerabilities; and
(c) to a degree, non-political and thereby minimize issues of sensitivity and confidentiality.
Consider critical functions, processes, products and services – and significantly, premise the resources they depend on.
The “Universal Process Classification Framework” below, from the American Productivity & Quality Center, is a useful context tool for mapping the critical functions and processes (for business continuity).
Lessons from recent shortcomings in Continuity Of Operations Plans (COOP) have brought home the need to focus on ranking functions – grouped and filtered on the basis of those needed first, if not immediately, through to those which are discretionary.
Layering highlights relationships
Risk is a function of hazard, exposure and vulnerability.
Click on the “Hazard Information and Awareness” banner (above) to explore examples of “hazard and vulnerability layering”.
(Note, these are illustrative examples from the USA of the value of Geographic Information Systems – EPCB’s Business Impact Assessment Toolkit methodology does not rely on Geographic Information Systems technology.)
Step 3: Establish risk assessment criteria.
What criteria determine your focus?
How and by whom will they be selected?
Will you embrace enough of the necessary considerations to be able to demonstrate due care / due diligence?
Generate and model scenarios by identifying what, why, where, when and how events could affect the entity (business).
Ensure a sound foundation for your risk assessment – click here for a presentation on scenario analysis (pdf)
EXAMPLE: click here to download ALOHA, the free plume dispersion model – and generate your own scenarios.
Compare the estimated levels of risk against your assessment criteria. This enables judgments to be made about your management priorities.
NB: The examples used to demonstrate the Summary Risk Assessment Register (xls) are about Occupational Health and Safety; Extreme Events; and Terrorism (selected because they are “general” and “shared”).
Click here for a free Summary Risk Assessment Register (xls).
Hazard Identification & Business Impact Assessment Toolkit