Charlie Maclean Bristol discusses whether you should consider likelihood when conducting a risk assessment as part of the business continuity process. Do you need to know how likely it is that a threat will become an actuality; or is knowledge of the impact of the threat enough?
Business continuity has always had a slightly uneasy relationship with risk management. In the 2010 and 2013 BCI Good Practice Guidelines (GPGs) we looked at threat assessments, whereas in the more recent 2018 GPG we cover a threat and risk assessment. The choice of a threat assessment rather than a risk assessment in the two earlier GPGs was driven by a certain character in business continuity circles who was very anti-risk assessment, and hence pushed the idea of threat assessment instead.
Nowadays, risk assessment is coming of age and it seems to be everywhere. You need a risk assessment for climbing up a ladder and you also need one for running a massive multinational organization.
This article was inspired by a talk given by Tony Thornton, ARM Manager for ADNOC Refining, which I heard at The BCI UAE Forum in February. During his talk on risk assessment, he focused on there being no point in looking at likelihood when you are doing a business continuity risk assessment. He said that having a 3×3 or even a 5×5 scale was meaningless in terms of likelihood. The point he was making was that if there was a possibility it could happen, then that was good enough: and how likely it was to happen didn’t really matter. He was more enamoured with impact, which he said was worth looking at, as well as differentiating between high, medium and low impacts.
Source: DRJ News feed