7/30/2019 BCCM - Session 7 - Power Point
Business Crisis and Continuity Management (BCCM)
Class Session 7
Risk Analysis Taxonomy
Risk
  Consequences: People, Equipment, Facilities, Financial, Operational, Reputation, Environmental, Regulatory
  Likelihood
    Threat: History, Capability, Intent
    Vulnerability: Survivability, Susceptibility, Exposure
Source: Patrick Gallagher, Manager Group Security Intelligence & Risk, Qantas Airways Limited
NIPP DEFINITION OF RISK
A measure of potential harm that encompasses threat, vulnerability, and consequence. In the context of the NIPP, risk is the expected magnitude of loss due to a terrorist attack, natural disaster, or other incident, along with the likelihood of such an event occurring and causing that loss.
Risk Management - The synthesis of the risk assessment, business area analysis, business impact analysis, risk communication and risk-based decision making functions to inform and make strategic and tactical decisions on how business risks will be treated, whether ignored, reduced, transferred, or avoided.
Risk Management Strategies
[Figure: matrix of probability (low to high) against consequence (low to high), with three strategy regions labelled "Introduce measures to avoid the risk", "Manage Scenario (Reduce or Transfer risk)" and "Ignore (Accept risk)".]
Risk-based decision-making is a continual process that requires dialogue with stakeholders, monitoring and adjustment in light of economic, public relations, political and social impacts of the decisions made and implemented. Risk-based decision making requires the consideration of the following questions:
Can risk be reduced?
What are the interventions (controls) available to reduce risk?
What combination of controls makes sense (economic, public relations, social, legal, and political)?
Risk Assessment - The identification, analysis, and presentation of the potential hazards and vulnerabilities that can impact a business and the existing and potential controls that can reduce the risk of these hazards. Risk assessment requires consideration of the following questions:
What can go wrong (hazards identification)?
What is the likelihood that it would go wrong?
What are the consequences?
What controls are currently in place?
Business Area Analysis - The examination and understanding of the business functions, sub-functions and processes and the interdependencies amongst them. Business area analysis requires consideration of the following questions:
What are our business functions?
What are our business sub-functions and processes?
Which are critical to the continuity of our business?
Business Impact Analysis - Applying the results of the risk assessment to the business area analysis to analyze the potential consequences/impacts of identified risks on the business and to identify preventive, preparedness, response, recovery, continuity and restoration controls to protect the business in the event of business disruption. Business impact analysis requires consideration of the following questions:
How do potential hazards impact business functions, sub-functions and processes?
What controls are currently in place?
Risk Communication - The exchange of risk-related information, concerns, perceptions, and preferences within an organization and between an organization and its external environment that ties together overall enterprise management with the risk management function. Risk communication requires consideration of the following questions:
To whom do we communicate about risk?
What do we communicate about risk?
How do we communicate about risk?
A RISK-BASED APPROACH
We need to adopt a risk-based approach in both our operations and our philosophy. Risk management is fundamental to managing the threat, while retaining our quality of life and living in freedom. Risk management must guide our decision-making as we examine how we can best organize to prevent, respond and recover from an attack.
Remarks as prepared for Secretary Michael Chertoff, U.S. Department of Homeland Security, George Washington University Homeland Security Policy Institute (3/16/05)
Probably the most important thing a Cabinet Secretary in a department like this can do as an individual is to clearly articulate a philosophy for leadership of the department that is intelligible and sensible, not only to the members of the department itself, but to the American public. And that means talking about things like risk management, which means not a guarantee against all risk, but an intelligent assessment and management of risk; talking about the need to make a cost benefit analysis in what we do, recognizing that lurching from either extreme forms of protection to total complacency, that's not an appropriate way to build a strategy; and finally, a clear articulation of the choices that we face as a people, and the consequence of those choices.
Remarks of Secretary Chertoff GWU 12/14/06
Source GAO
Source NIPP June 2006
Hazard Risk Management
Adapted from Emergency Management Australia, 2002. Emergency Risk Management
(1) Establish the Context: Organizational/Community, Stakeholders, Objectives
(2) Identify the Hazards: Hazards Identification
(3) Assess the Hazard Risk: Probability, Impact/Consequences
(4) Sort the Hazards by Risk Magnitude: Compare Hazard Risks, Rank Hazards by Risk
(5) Analyze the Risks from each Hazard: Decompose Risks into components, Categorize Risk Components
(6) Group & Prioritize the Risks: Group into like Categories, Rank by Priority, Consider Interventions
Continual across steps 1 to 6: Communicate and Consult; Monitor and Review
What are the organization's/community's strategic goals and objectives and, considering those goals and objectives:
a. What is the scope of our hazards risk management effort?
b. What is an acceptable level of risk?
c. Who determines what an acceptable level of risk is?
d. Can risk be managed?
e. What are the interventions (controls/countermeasures) available to manage risk?
f. What combination of risk management interventions (controls/countermeasures) makes sense in terms of non-risk specific considerations (economic, social, political, legal)?
The HRM framework includes six steps:
1) Establish the context,
2) Identify the hazards,
3) Assess the hazards risk,
4) Sort the hazards by risk magnitude,
5) Analyze the risks from each hazard, and
6) Group and prioritize risks;
and two continual components: Communicate and Consult, and Monitor and Review.