In the process of defining a BCP, carrying out a risk assessment is a priority. To do this, it is necessary to identify the most strategic assets, pinpoint the vulnerabilities affecting these assets, and assess the impact that their unavailability could have on the company. The result is presented as a risk heat map or risk matrix.
Example of a risk matrix or risk heat map
A. Likelihood and impact
In the risk matrix, two dimensions are crucial: the likelihood that the relevant risk will occur, and the impact that this risk has on the company. It is appropriate to categorise the likelihood from low to high, with a medium level in between, which can be refined further into intermediate levels.
- “HIGH” is the label for an event that can occur several (e.g. three to five) times a year.
- “MEDIUM-HIGH” refers to a likelihood that the risk will occur once to three times a year.
- “MEDIUM-LOW” indicates an event occurring about once every three years.
- “LOW” is used for a risk that could arise once every five to ten years.
This classification helps to prioritise actions. Anything above the “MEDIUM-HIGH” level will trigger a risk response or risk adaptation, as this likelihood is not acceptable as it stands, and measures must be taken to guard against it. This is a concern that you can raise with your management or line manager.
For these high risk levels, scenarios should be defined, with the impacts for each being assessed. Depending on the company, the orders of magnitude of these estimates may vary.
B. Implementation of measures
Once the classification has been carried out and the impacts of the various scenarios have been forecast, management should adopt a prevention and response plan. These risks need to be presented to management, and potential measures to reduce the risk then put forward. This exercise has two objectives: to reduce the likelihood of the risk occurring, and to reduce its impact if the event nevertheless materialises.
This results in two matrices: a current matrix and a residual matrix. Once all the controls have been carried out and the actions defined, the risks will be reduced. Using this as a basis for discussion with management, the costs of the plans must be compared with the financial benefits (return on investment). If the company earmarks a budget for these measures, what consequences will it face? What will be protected?
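The following is an added worked example, not part of the original article: it turns the likelihood bands of section A and the current/residual comparison of section B into a small risk register. The cut-offs between bands, the "above MEDIUM-HIGH" rule being read as HIGH, the expected-loss formula (frequency × impact per event) used for the cost/benefit comparison, and the scenario figures are all assumptions of this example.

```python
from dataclasses import dataclass

# Likelihood bands from the article, expressed as events per year.
# The article gives example frequencies, not exact boundaries;
# the floor values below are an assumption of this example.
BANDS = (
    (3.0, "HIGH"),         # several (three to five) times a year
    (1.0, "MEDIUM-HIGH"),  # once to three times a year
    (0.2, "MEDIUM-LOW"),   # about once every three years
    (0.0, "LOW"),          # once every five to ten years, or rarer
)
ORDER = ["LOW", "MEDIUM-LOW", "MEDIUM-HIGH", "HIGH"]
# Assumption: "above MEDIUM-HIGH" means HIGH triggers a mandatory response.
RESPONSE_FLOOR = "HIGH"


def likelihood_label(events_per_year: float) -> str:
    """Map an annual event frequency to the article's likelihood label."""
    for floor, label in BANDS:
        if events_per_year >= floor:
            return label
    return "LOW"


def needs_response(label: str) -> bool:
    """True when the likelihood is at or above the response threshold."""
    return ORDER.index(label) >= ORDER.index(RESPONSE_FLOOR)


@dataclass
class Scenario:
    asset: str
    current_freq: float     # events/year before measures
    current_impact: float   # loss per event (constructed currency units)
    residual_freq: float    # events/year after measures
    residual_impact: float  # loss per event after measures
    measure_cost: float     # annual cost of the measures


def assess(s: Scenario) -> dict:
    """Build one row of the current/residual register with its net benefit."""
    current, residual = likelihood_label(s.current_freq), likelihood_label(s.residual_freq)
    # Assumed expected annual loss = frequency x impact per event.
    benefit = s.current_freq * s.current_impact - s.residual_freq * s.residual_impact
    return {"asset": s.asset, "current": current, "residual": residual,
            "response_required": needs_response(current),
            "net_annual_benefit": round(benefit - s.measure_cost, 2)}


# Constructed scenarios for illustration only.
SCENARIOS = [
    Scenario("ERP server outage", 4.0, 20_000, 0.5, 20_000, 30_000),
    Scenario("Office flooding", 0.1, 500_000, 0.1, 100_000, 15_000),
]


def risk_register() -> list:
    return [assess(s) for s in SCENARIOS]
```

A negative net annual benefit flags a measure whose cost exceeds the loss it avoids, which is the question the discussion with management has to settle.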
C. DRP and CMP
In the context of a BCP, two tools are particularly useful: the Disaster Recovery Plan (DRP) and the Crisis Management Plan (CMP). These two instruments can be of strategic importance in getting through a difficult period as seamlessly as possible.
The DRP is the specific version of the BCP for an organisation’s IT department. It covers a number of key points:
- IT teams' action plan
- Backup site
- Hardware
- Coordination
- Network, infrastructure and workstations based on business needs
- IT emergency plan
- Switch to backup site
- Restart (timeline) based on the established scenario
The CMP defines each individual’s objectives, roles and tasks and draws up a communication strategy. Its objective is to take into account all the scenarios envisaged by the BCP and to provide operational responses that reduce the human, business, operational, financial, legal and organisational impacts. In terms of organisation, the CMP defines and identifies internal and external stakeholders. Finally, with regard to crisis communication, the CMP makes it possible to prepare and review how the crisis is presented internally and externally, to organise a communication unit and to set up a communication plan.