Agile Business Continuity

26 Nov, 2009

Risk Assessment – Measuring Resilience Part 4

Posted by: pdjamez In: Agile Continuity|BCM|Metrics|Risk Management|Strategies

Threat Assessment

Talking Point: Is risk a good measure of the resilience of your business and therefore the efficacy of your business continuity process?

Within Business Continuity, and indeed most governance processes, risk is a trigger for action within the process. As a result, the Business Continuity process should have a direct effect on the level of risk being faced by the business. As you would expect, this is not as straightforward as it would first seem. Although the measure of risk provides a good picture of how the business is responding, it is not a complete picture.

As I touched on in a previous post, we humans are surprisingly bad at assessing risk. We can easily miss key risks or assign them the wrong value. Therefore any risk register is only a partial picture of what is actually going on as not all risks will be quantified. Tracking the risk register over time is also problematic, as new risks will be added and existing risks will be changed in value as the environment changes.

You can develop a model that attempts to address these issues, but in an effort to keep the model simple and this post short let us keep our discussion to 5 key measures. These measures can all be derived from the risk register.

Risk Register Value – What level of risk are we facing?
This is a valuation of the current risk register. It provides us with a view of how much risk the organisation is currently facing.

Change in Risk Register Value (%) – At what rate is this level of risk growing?
This is the difference between the previous period’s risk register and this period’s value. Note that we do not remove or devalue risks that have been addressed by BCM for this measure. This provides you with a measure of the change in the risk faced by the organisation.

Addressed Risk Value – How much risk has been removed from the register?
A valuation of the risks that have been addressed and therefore removed (less any residual) from the register. This is a measure of the risk which the organisation has already addressed and therefore a measure of the impact that the BCM is having on the risk register.

Change in Addressed Risk (%) – At what rate are we addressing risk?
This is the difference between the previous period’s addressed risk and this period’s addressed risk. This is a measure of the rate at which the BCM is operating.

BCM Efficiency – Is our BCM addressing risks faster than they are growing?
This is simply (Change in Risk Register Value/Change in Addressed Risk). If less than 1 then we are addressing these risks faster than they are developing.

These values give us both a current view on what needs to be addressed as well as a historical view. This provides us with a simple performance metric for the planning aspect of the BCM process. This aspect attempts to manage risk within the organisation, and therefore we should measure the impact that it is having.
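The five measures computed from two constructed register snapshots, as an added example that is not part of the original post. It assumes each risk carries a single numeric valuation and a residual, reads "(%)" as change relative to the previous period, and counts addressed risks at their residual in the current register value; all names and figures are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    value: float            # valuation before treatment, in the register's own units
    addressed: bool = False
    residual: float = 0.0   # value remaining once the risk has been addressed

def register_value(risks):
    # Assumption: current exposure = open risks in full, addressed risks at residual.
    return sum(r.residual if r.addressed else r.value for r in risks)

def gross_value(risks):
    # Register valued without removing or devaluing addressed risks.
    return sum(r.value for r in risks)

def addressed_value(risks):
    # Risk removed from the register, less any residual.
    return sum(r.value - r.residual for r in risks if r.addressed)

def pct_change(previous, current):
    # Assumed reading of "(%)": change relative to the previous period.
    return None if previous == 0 else (current - previous) * 100.0 / previous

def bcm_metrics(previous, current):
    risk_chg = pct_change(gross_value(previous), gross_value(current))
    addr_chg = pct_change(addressed_value(previous), addressed_value(current))
    # Undefined when either change is unknown or addressed risk did not move.
    efficiency = None if risk_chg is None or not addr_chg else risk_chg / addr_chg
    return {
        "risk_register_value": register_value(current),
        "change_in_risk_register_pct": risk_chg,
        "addressed_risk_value": addressed_value(current),
        "change_in_addressed_risk_pct": addr_chg,
        "bcm_efficiency": efficiency,
    }

# Constructed sample registers for two consecutive periods.
PREVIOUS = [
    Risk("Data centre outage", 400, addressed=True, residual=100),
    Risk("Key supplier failure", 300),
    Risk("Pandemic staffing", 300),
]
CURRENT = [
    Risk("Data centre outage", 400, addressed=True, residual=100),
    Risk("Key supplier failure", 300, addressed=True, residual=60),
    Risk("Pandemic staffing", 350),   # revalued as the environment changed
    Risk("Ransomware", 150),          # newly identified
]

if __name__ == "__main__":
    for name, value in bcm_metrics(PREVIOUS, CURRENT).items():
        print(f"{name}: {value}")
```

The "less than 1" reading of the efficiency ratio only holds when both changes are positive; a negative ratio means one of the two totals shrank and should be looked at directly.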

You will note that I am ignoring the way in which these are measured and valued, as these may differ from organisation to organisation. These may also be split into different categories depending on the internal categorisation. Again, let me qualify this by saying that these numbers are purely indicators and, like all KPIs, should be used to focus attention. I suspect, though, that they may be a little more useful for measuring the efficacy of your BCM than simply stating how many plans you have.

In the next post, I’ll look at some more potential metrics.
Actually that’s the end of this series of posts, but I will be posting more metrics over the coming weeks so keep an eye out.

1 Response to "Risk Assessment – Measuring Resilience Part 4"

1 | replacement workers BCP

January 6th, 2011 at 8:01 pm

Interesting post. You could teach a class on this stuff!

I do have one question though, how does one “address risks faster than they grow”?

In my experience, I always opt for a proactive approach to risk management, and in most cases — conflicts are extinguished before they become full-blown fires. However, what is your recourse when risk management backfires?

About

The main purpose of this site is to capture business continuity issues and share the ways in which practitioners are overcoming them.