Risk and mitigation

Calculate the risk and mitigate

Here we are at the interesting bit: we have to calculate the risk and put some mitigations in place. Fortunately, there are some great tools to ease the burden.

Risk and Mitigation

Take the risks from the BIA and remove, minimise or mitigate each one.

From the business impact assessment we should have identified a number of risks in each business area. Now we need to look at each identified risk and how likely it is to happen, and where possible remove, minimise or mitigate it.

The business impact analysis should have identified a number of potential risks; the next step in the process is determining the best way of dealing with each risk or its impact.

On this page we look at how to score a risk and which method of dealing with it is the most appropriate. Some risks can be ignored and some have to be addressed immediately.

Risk and Perception

Risk can be prioritised and mitigations implemented.

Challenge

Identify the risk and its impact, ascertain the likelihood of an occurrence and implement a mitigation strategy or remove the risk.

The risks that have to be looked at should have been highlighted in the impact assessment. They have to be real risks, so be realistic about what a risk is.

A key member of staff leaving or being away for personal reasons is a real risk that you can mitigate, as is a power outage or a supplier failing.

An asteroid landing on the office is a real physical risk, but the likelihood of it happening is incredibly small and mitigation is realistically not an option; should it happen, you will probably have other things to deal with, along with everyone else.

A good guide is that any identified risk in the risk register should be something that your business can create a mitigation process for. If you cannot devise a mitigation strategy, then you have to accept the risk and move forward.

Solution

Remove, mitigate or minimise the risk. Each identified risk can be tackled by one or more of these methods; where the risk is internal, all three are applicable. Where the risk is external and you have no control over it, only the last two apply.

An example would be the power utility supply: the risk of it failing cannot really be removed, but an onsite uninterruptible power supply would minimise the risk by providing power for a short while.

Further mitigation would be available if a backup generator were installed, which would probably maintain operations until the utility company restored power.

Obviously there is a cost implication for the UPS and for the generator, which is not acceptable for many smaller companies; the BCP should cover this type of eventuality.

Solutions to risks must be practical: if you consider an asteroid impact a viable risk, your mitigation may be to have an office on another planet!

Remove the Risk

For any risk, this is the preferred option. If at all possible the risk should be removed.

It should be said that it is very difficult for external risks to the business to be removed.

Minimise the Risk

Where practical any risk should be minimised; for example, having a sign that warns people your premises are alarmed will reduce the risk of a burglary.

Sometimes there are obvious ways of minimising risk to the business.

Mitigate the Risk

This is the third preferred option; it probably carries the highest long-term overheads as far as cost goes.

Any risk with a high probability should have a mitigation, but some can incur significant cost.

Dealing with Risk

Risk, as we all know, is a fact of life. Business risks can be significant or minor, and risk analysis is key to how the risk is dealt with. For the purposes of this exercise we are going to look at two risks, with the intention of analysing and dealing with them from a business continuity perspective.

The choice of risk is based on personal experience, but these could well be risks identified during a business impact assessment; I’d be surprised if at least one of them wasn’t in the risk register.

The first risk is loss of access to your office; the reason is unimportant, although it could affect the duration of the loss of access.

The second is the loss of data and voice communications; again the reason is unimportant, and again it will likely affect the duration of the loss of communications.

I have personally experienced both these risks, in each case more than once. In each case the cause of the risk or incident was unexpected and, although the problems were resolved, the impact and its long-term resolution were very different in each case.

The risk register may reflect many risks to the business, some more significant than others. It is good practice to visit the risk register on a fairly regular basis and update it; as mitigations are implemented, these can be incorporated and documented as part of the business continuity plan.

For both these risks the analysis process is the same. The technique used to analyse the risk is Failure Mode and Effects Analysis (FMEA); the process has been used for over sixty years and is suitable for most situations.

Should you prefer another method for risk analysis, that will do equally well; there are many ways of doing the analysis and you may feel more comfortable with a different method.

In all cases the objective is to quantify the risk, allowing the business to direct resources to the risks in priority order. There are obviously risks where there is little you can do to remove or mitigate them; this applies particularly to external risks.

But you should still be aware of them: there are always advances in technology that may help, or other changes that may make a difference. There are also risks that even the best people can be unaware of; in 2019 very few people would have considered a pandemic a significant risk to their business.

Finally, these are events that I have seen; whether there was a business impact assessment that had the risk in it I’m not sure. But technically, as it had happened, the risk was always there, possibly just not identified as such.

Loss of access to Office - Examples

There are many reasons why you may lose access to your office, along with all the information, technology and facilities that it houses. Obviously the considerations for fire, flood or some other devastating incident are different from those for minor incidents.

The process of analysis should indicate where there is scope to remove, minimise or mitigate the risk.

I have seen this situation a number of times; normally it is a set of mislaid keys, or a key holder delayed during the commute. However, on one occasion the staff turned up to find a police line and a forensic tent covering the only office access, although the office did have three other emergency exits.

In the following sections we assess the risk of the loss of access to the office, which we can then use to implement an appropriate strategy.

Loss of access to Office - One to Four Hours

The loss of access to an office is a serious impact no matter the duration, but in most instances the reason is something like someone forgetting the keys and having to go back for them, so the duration might be in the order of one to four hours.

In the time that the office is unusable you have obviously lost access to all the information, technology such as computers, fax and telephone, and probably any incoming mail.

So, weighting the severity of the impact, we would probably assign a value of two or three, based on the short duration.

In looking at the likelihood of occurrence you would look historically at past occurrences, but this is likely to be a one or a two.

For detection it would be a one: you will know that you cannot get access to the office.

In calculating the risk priority number (severity multiplied by occurrence and by detection) we would arrive at a value between two and six; these are low numbers.

There are a number of ways of dealing with the risk; a key vault or a second key holder is probably adequate for this, so there is a cheap and easy solution to remove or mitigate the risk.

Loss of access to Office - Four Hours Plus

Losing access to the office for a protracted period of time can have a large impact; the cause is likely to be more significant than “someone forgot the keys”.

In this situation it is important to have a carefully prepared plan: the business continuity plan. Even a relatively small business will require a plan, as it has to be able to communicate with customers and suppliers.

It is likely that any information on the systems and documentation in the office is no longer available; given the dependence on technology, the lost information could include access to bank accounts and the ability to pay suppliers and staff.

The severity of this is high, probably between seven and ten depending on the cause.

The likelihood of occurrence is probably low, again a two or three.

And it is a pretty fair bet that you will know that you have lost access to the office, so on the detection front a one.

This gives a risk priority number of between ten and thirty.


Loss of Data and Voice Comms - Examples

In the modern world data and voice communications are essential; little can be done without them, and yet we just accept that they will be there. Well, what happens when they are not there?

Clearly any loss of this technology is serious and is likely to be noticed quickly, but how do you quantify the risk attached to its loss? I have here two examples of problems, both experienced by myself as a user of the services.

The first was a total loss of data and voice; the building contained a computer suite and around 800 users, many of whom operated in a call center environment.

The second was a loss of voice only, at an organisation moving out of premises that they were planning to demolish to save costs.

In the first case new cables were being routed through an existing duct into the building, and during the course of this work the existing fiber cables were severed. The ensuing bun fight between the company and the three vendors involved required four full days to resolve the problem.

The estimated cost of the incident including staff costs was in the order of £550,000.

In the second, the supplier of the fiber services (which required a 65-day lead time) failed to schedule the relocation of voice services. This dragged on for almost 9 months and required that the building scheduled for demolition be maintained in a functional condition for all that time, incurring significant costs.

The estimated cost of the incident was £300,000, relating to the costs of the old building.


Loss of Data and Voice Comms - One to Four Hours

The loss of data and voice communications has a significant impact; if there is a call center type environment involved then the impact is massive. There is effectively an immediate cessation of all activity, with no outgoing or incoming communication.

With this in mind, the severity would immediately be a ten due to the nature of the business.

The likelihood of occurrence is in the order of two or three, as the infrastructure can be expansive.

As for detection, it is a one, as it will be immediately noticed that nothing is working.

As you can see, the risk priority number for this comes in between twenty and thirty, which is significant.

It is possible to minimise exposure to this risk by having multiple vendors for the service, along with redundancy for cable routing and hardware, but this is a costly solution usually outwith the reach of smaller and medium companies.

Loss of Data and Voice Comms - Four Hours Plus

When the data and voice communications are out for a protracted length of time there are very serious consequences, in particular relating to staff costs and reputational damage; for example, having to pay help desk staff that cannot be contacted by customers.

Data and voice communications are a core function of any business now, from the Man and a Van who uses a mobile phone and cellular data for everything whilst on the move, all the way to the corporate headquarters of a multinational corporation; the loss of this function is catastrophic.

And yet when we assess this risk the answer is quite surprising:

The severity of the risk screams out a ten.

The likelihood of it occurring, strangely, is somewhere between two and three.

The detection of the problem is certain so rated at one.

Again we end up in the twenty to thirty range.

The risk is the same for the Man and a Van as it is for the multinational.

The mitigation strategy for the Man with a Van is simple enough and not very expensive: a spare mobile phone with synchronised contacts, with the alternate number communicated to the customers.

The multinational corporation may have to have a slightly different strategy; however, it still revolves around infrastructure resilience and equipment redundancy.
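As an added example (not code from the original page), the following scores the four scenarios above with the FMEA risk priority number, severity multiplied by occurrence and detection, and orders the register by worst case so the business can direct resources in priority order. The scenario names, the internal/external flags and the act-now threshold of 20 are assumptions made for this example; the ratings are the ones given in the text.

```python
from dataclasses import dataclass
from itertools import product

# Each rating is a 1-10 FMEA score; the text gives each as a range, so we keep (low, high).
@dataclass(frozen=True)
class Risk:
    name: str
    severity: tuple
    occurrence: tuple
    detection: tuple
    internal: bool  # assumption: internal risks can be removed, external ones only minimised or mitigated

def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Risk priority number: the standard FMEA product of the three 1-10 ratings."""
    for score in (severity, occurrence, detection):
        if not 1 <= score <= 10:
            raise ValueError(f"FMEA ratings run 1-10, got {score}")
    return severity * occurrence * detection

def rpn_range(risk: Risk) -> tuple:
    """Lowest and highest RPN the rating ranges allow; the ranges are tiny, so brute force is fine."""
    span = lambda lo_hi: range(lo_hi[0], lo_hi[1] + 1)
    values = [rpn(s, o, d) for s, o, d in
              product(span(risk.severity), span(risk.occurrence), span(risk.detection))]
    return min(values), max(values)

def treatment_options(risk: Risk) -> list:
    """Remove is only on the table for risks the business controls (see 'Solution' above)."""
    return (["remove"] if risk.internal else []) + ["minimise", "mitigate"]

def prioritise(register: list, act_threshold: int = 20) -> list:
    """Order by worst-case RPN, highest first; flag anything at or above the (assumed) threshold."""
    rows = []
    for r in register:
        low, high = rpn_range(r)
        rows.append({"name": r.name, "rpn_low": low, "rpn_high": high,
                     "act_now": high >= act_threshold, "options": treatment_options(r)})
    return sorted(rows, key=lambda row: row["rpn_high"], reverse=True)

# The four scenarios scored in the text, with the ratings as the text gives them.
REGISTER = [
    Risk("Loss of office access, 1-4 hours", (2, 3), (1, 2), (1, 1), internal=True),
    Risk("Loss of office access, 4 hours plus", (7, 10), (2, 3), (1, 1), internal=False),
    Risk("Loss of data/voice comms, 1-4 hours", (10, 10), (2, 3), (1, 1), internal=False),
    Risk("Loss of data/voice comms, 4 hours plus", (10, 10), (2, 3), (1, 1), internal=False),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f"{row['rpn_low']:>3}-{row['rpn_high']:<3}", "ACT NOW " if row["act_now"] else "schedule",
              f"{row['name']}: {', '.join(row['options'])}")
```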

Mitigation

To mitigate the above scenarios there are a number of options available; first, how to deal with the loss of an office, or even THE OFFICE!

If nothing else, the Covid-19 pandemic has meant that many businesses implemented remote working. This is fine if your core IT systems and applications are still available; here we are assuming possibly a cloud-based model. But what if the core infrastructure is in the office, or if a hybrid cloud is in operation?

Things to evaluate would be:

  • What systems or applications would be lost.
  • What information would be unavailable.
  • Can the office staff work remotely.
  • Is the WFH model suitable for my staff.
  • What internal communications to use.
  • What is the Customer/Supplier impact.
  • Can we communicate with Customers and Suppliers.

I’m aware of one company that had to source, build, configure and ship 800 laptops at very short notice. They also had to configure Voice over IP for 800 people at short notice; this was a serious drain on available IT and comms resource.

Prior to Covid-19 an SME could possibly have quickly relocated much of the administrative and back office function, using one of the specialist service suppliers like Regus.

As to the loss of data and voice communications, in general these services are robust, but not infallible. So you may want a premium support contract for this, but if someone cuts through a fiber cable there will still be a significant outage, possibly running to a number of days. How would you deal with the impacts? Do you have alternate means of communication?

Given the nature of the systems and applications, these, along with the data resident in the application workloads, may not be available from the office.

So an alternative should be part of the mitigation strategy.
