The Threat and Risk Assessment (TRA) is one aspect of business continuity that has come under criticism recently. In our opinion, this tool remains highly valuable, provided it is used correctly.
The complaints against the TRA are similar to those expressed about the Business Impact Analysis. People say it isn’t useful, that the information gathered tends to be of low quality, and that it’s too disruptive to the staff of other departments.
In our view, using these complaints as a reason for not doing threat and risk assessments is like getting rid of your car because it needs to be washed.
The TRA itself remains a valuable tool for protecting organizations and minimizing impacts, so the goal is to make it more effective rather than not doing it at all.
The TRA is a tool that alerts you to the presence of storm clouds ahead.
It is a way of obtaining an overall view of the risks to the organization. TRAs identify the most relevant man-made, natural, and technology-based threats that your organization faces, based on an assessment of probability and potential impact.
These can include anything from fires and floods to data breaches, incidents of workplace violence, and reputational damage caused by social-media flareups.
TRAs are based on interviews with subject matter experts from inside and outside the company along with a review of other documentation that they provide.
After these interviews, the team conducting the assessment writes a report identifying areas of risk and exposure for the organization, as well as the soundness of existing recovery plans. It also provides recommendations for improvement.
Once complete, the TRA can guide recovery planning and investment and help the organization avoid, anticipate, and prepare for impacts, saving money and promoting resiliency.
Your TRA should incorporate a physical site assessment and detailed notes for each location. Included should be a hazard analysis, the environmental components, and notes on past events, as well as the appropriate items from the list above.
The typical TRA also looks at the following areas:
Assessments can be more or less formal. Formal assessments typically include interviews, written questions, scoring models, impact weightings, and estimates of the probability of occurrence for different events.
Informal assessments aim to arrive through relaxed discussion at an understanding of risks, hazards, current remediation, and the likelihood of occurrence.
Just identifying the basic risks and your state of preparedness is a good start.
The TRA should be as comprehensive as possible, with the risks and threat probability identified for each location.
Risk assessments are most effective when there is BIA data. Understanding business impact then allows for better risk assessment. When the BIA is in hand, risks can be evaluated in terms of how much each event is likely to harm the company. This helps you understand which threats you should address and which it is reasonable to ignore.
Don’t forget to consider the two aspects of risk: impact and probability. The items to correct first are those with both the highest impact and the highest probability, and those which may have a low probability but would have a catastrophic impact.
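As an added example (not from the article), the prioritization rule just described, applied to a constructed list of per-location threats: BIA-derived impact on a 1 to 5 scale, a probability estimate per threat, and the two rules from the text (high impact and high probability, or catastrophic impact at any probability). The threshold values and the impact scale are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    location: str
    name: str
    probability: float  # estimated likelihood of occurrence, 0.0 to 1.0 (from SME interviews)
    impact: int         # BIA-derived impact, 1 (negligible) to 5 (catastrophic); assumed scale


# Assumed thresholds for this example; an organization sets its own.
HIGH_PROBABILITY = 0.3
HIGH_IMPACT = 4
CATASTROPHIC = 5


def risk_score(t: Threat) -> float:
    """Simple expected-harm score used to order threats that must be addressed."""
    return t.probability * t.impact


def must_address(t: Threat) -> bool:
    """Rule 1: catastrophic impact regardless of probability.
    Rule 2: high impact combined with high probability."""
    if t.impact >= CATASTROPHIC:
        return True
    return t.impact >= HIGH_IMPACT and t.probability >= HIGH_PROBABILITY


def prioritize(threats):
    """Threats to address, grouped by location and ordered highest score first."""
    selected = [t for t in threats if must_address(t)]
    return sorted(selected, key=lambda t: (t.location, -risk_score(t)))


def reasonable_to_ignore(threats):
    """Threats that fall below both rules and can be deferred."""
    return [t for t in threats if not must_address(t)]


# Constructed sample data for two locations (not from any real assessment).
SAMPLE = [
    Threat("HQ", "ransomware", 0.40, 4),
    Threat("HQ", "earthquake", 0.02, 5),
    Threat("HQ", "minor power outage", 0.80, 2),
    Threat("Plant", "flood", 0.10, 4),
    Threat("Plant", "fire", 0.05, 5),
    Threat("Plant", "workplace violence", 0.35, 4),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"{t.location:6} {t.name:20} score={risk_score(t):.2f}")
```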
Nothing written above should be taken to mean the TRA as currently performed is without flaw.
Here are a few tips to improve the process:
The process of completing them might need updating, but the TRA is still a vital tool. To win over doubters and increase the value you get from the assessment, look for ways to minimize the demands on your sources.