Business Continuity Risk Assessment – For Banks

It is always preferable to conduct the business continuity risk assessment while performing the roundtable test of the financial institution’s business continuity plan.

Below are 4 steps to risk assessment.

  1. Identify Disaster Scenarios — List the disaster scenarios to be included in the assessment. A few sample disaster scenarios are listed below.
    • Fire near Institution. Possible explosion could occur.
    • Tornado damages building. No injuries, but building closed for one week due to damage. Can’t retrieve work due to structural damage.
    • Fire destroys the main office.
    • Water damage due to burst pipes.
    • Earthquake occurs during work hours. Lose half of workforce due to injuries and deaths. Most overpasses are damaged and inaccessible. Employees are concerned about loved ones.
    • Winter storm producing extreme ice/snow/sleet. Majority of workforce cannot get to work due to slick roads.
    • Flood occurs at Institution.
    • Institution president is incapacitated for months due to illness.
    • Bomb threat received by telephone call.
    • A suspicious package is received. The package is leaking an oily residue and those employees who have handled the package are having difficulty breathing.
    • The Institution’s customer database is hacked. The hacker threatens to release the customer information on the Internet if $100,000 is not wired to an offshore account.
    • Disk crash on the main file server.
    • Printer fails.
    • Power outage to entire main office.
    • Report archive system fails.

 

  2. Estimate the Likelihood/Probability That the Disaster Will Occur —

    • The “Likelihood of Occurrence” is a measure of the probability of the specific disaster occurring at your financial institution. For example, your financial institution may be located in Florida. This clearly increases the probability that your financial institution could be impacted by a hurricane. Conversely, your financial institution could be located in a California seismic zone, susceptible to earthquakes but immune to hurricanes.
    • Assign a value to the “Likelihood of Occurrence” for each identified disaster scenario. The “Likelihood of Occurrence” has a value range of 0.1 (low) to 1.0 (high).

 

  3. Estimate the Magnitude of the Impact, Should the Disaster Occur —

    • The “Magnitude of Impact” is a measure of how severely the financial institution would be impacted, should the disaster scenario occur. For example, a bomb threat in lower Manhattan might be greeted quite differently than a bomb threat in rural Nebraska.

    • The “Magnitude of Impact” has a value range of 0 – 100, with 100 being highest and most severe impact to the financial institution. Assign a value to the “Magnitude of Impact” for each identified disaster scenario.

 

  4. Rank the Risk by the “Risk Rating” and “Risk Category” — Multiply the “Likelihood of Occurrence” by the “Magnitude of Impact” to calculate a “Risk Rating.” The Risk Rating places the risk into one of the following risk categories:

    • 0 – 10: Low Risk
    • 11 – 20: Below Average Risk
    • 21 – 30: Average Risk
    • 31 – 50: Above Average Risk
    • 51 – 100: High Risk

 

Final Steps

Typically, the Business Continuity Risk Assessment is completed on paper, by each individual, as each disaster scenario is reviewed. By focusing on the different disaster scenarios while completing the risk assessment, each participant can better assess the likelihood and magnitude of each disaster.

The individual risk assessments can then be combined to form the aggregate risk assessment. At that time, the aggregate risk assessment can be sorted and summarized from the highest risk disaster to the lowest risk disaster, giving the financial institution’s business continuity planning team a quantitative tool to assess risk and mitigate such risk through effective business continuity planning.
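
The scoring and aggregation described above, as an added Python example that is not part of the original article. It assumes the aggregate is formed by averaging each participant's likelihood and magnitude per scenario before multiplying, and that a fractional rating falling between two printed bands goes to the higher band; the worksheets and the function names are constructed for illustration.

```python
from statistics import mean

# Upper bound of each band in step 4. Ratings are rarely whole numbers, so a
# value that falls between two printed bands (e.g. 10.4) goes to the higher
# band. That tie-break is an assumption; the article lists integer ranges only.
BANDS = [(10, "Low Risk"), (20, "Below Average Risk"), (30, "Average Risk"),
         (50, "Above Average Risk"), (100, "High Risk")]

def category(rating):
    for upper, name in BANDS:
        if rating <= upper:
            return name
    raise ValueError(f"risk rating {rating} is outside 0-100")

def validate(scenario, likelihood, magnitude):
    """Reject scores outside the ranges given in steps 2 and 3."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError(f"{scenario!r}: likelihood {likelihood} not in 0.1-1.0")
    if not 0 <= magnitude <= 100:
        raise ValueError(f"{scenario!r}: magnitude {magnitude} not in 0-100")

def aggregate(sheets):
    """sheets maps participant -> {scenario: (likelihood, magnitude)}."""
    scores = {}
    for sheet in sheets.values():
        for scenario, (likelihood, magnitude) in sheet.items():
            validate(scenario, likelihood, magnitude)
            scores.setdefault(scenario, []).append((likelihood, magnitude))
    rows = []
    for scenario, pairs in scores.items():
        # A participant who skipped a scenario is simply left out of its mean.
        likelihood = mean(p[0] for p in pairs)
        magnitude = mean(p[1] for p in pairs)
        rating = round(likelihood * magnitude, 2)
        rows.append((scenario, rating, category(rating)))
    # Highest risk first, as in the aggregate assessment.
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample worksheets (not data from the article).
FIRE, PRINTER = "Fire destroys the main office.", "Printer fails."
POWER = "Power outage to entire main office."
SAMPLE_SHEETS = {
    "participant_a": {FIRE: (0.3, 90), PRINTER: (0.8, 5), POWER: (0.6, 70)},
    "participant_b": {FIRE: (0.2, 95), PRINTER: (0.9, 10), POWER: (0.7, 60)},
    "participant_c": {FIRE: (0.4, 85), PRINTER: (1.0, 3)},  # skipped POWER
}

if __name__ == "__main__":
    for scenario, rating, cat in aggregate(SAMPLE_SHEETS):
        print(f"{rating:6.2f}  {cat:<20} {scenario}")
```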

Sample Completed BCP Risk Assessment

Financial Institution Name
City, State   Month
0 – 10: Low Risk
11 – 20: Below Average Risk
21 – 30: Average Risk
31 – 50: Above Average Risk
51 – 100: High Risk

| Ref. | Disaster Scenario | Likelihood of Occurrence, .1 (Low) to 1.0 (High) | × Magnitude of Impact, 0 (Low) to 100 (High) | = Risk Rating | Risk Category |
|---|---|---|---|---|---|
| 1 | Fire near Institution. Possible explosion could occur. | 0.32778 | 45.61111 | 14.95 | Below Average Risk |
| 2 | Tornado damages building. No injuries, but building closed for one week due to damage. Can’t retrieve work due to structural damage. | 0.45560 | 81.05556 | 36.93 | Above Average Risk |
| 3 | Fire destroys the main office. | 0.32778 | 88.11111 | 28.88 | Average Risk |
| 4 | Water damage due to burst pipes. | 0.63333 | 59.50000 | 37.68 | Above Average Risk |
| 5 | Earthquake occurs during work hours. Lose half of workforce due to injuries and deaths. Most overpasses are damaged and inaccessible. Employees are concerned about loved ones. | 0.15882 | 89.61111 | 14.23 | Below Average Risk |
| 6 | Winter storm producing extreme ice/snow/sleet. Majority of workforce cannot get to work due to slick roads. | 0.54444 | 50.00000 | 27.22 | Average Risk |
| 7 | Flood occurs at Institution. | 0.26667 | 52.77778 | 14.07 | Below Average Risk |