
Business Continuity Toolkit

Risk Assessment
Methodology & Guide

March 2021
Welcome to the Business Continuity Toolkit
• The COVID-19 pandemic has shone a spotlight on how quickly things can change for a business.
• You never really expect the unexpected, so it is useful to plan ahead for change and crises.
• The Halifax Partnership has developed a Business Continuity Toolkit to help small- and medium-sized businesses plan for changes and crises, whether it is a pandemic or another type of disruption.
The Why, What and How of the toolkit
Why – The Halifax Partnership has prepared this guide to help small- and medium-sized businesses facing challenges in a time of crisis.

What – The toolkit is a set of guides, templates, webinars and additional resources which help businesses plan and build resilience so they can prepare for and respond to crises, whether it is a pandemic or any other critical challenge.

How – The toolkit has been designed for busy people who are juggling many challenges. It can be used to create a resilience plan to prepare for major disruptions and crises.
Business resilience overview
A business resilience program helps you to:
• Understand your business systems, supply chains, human resources and other types of critical resources
• Examine how each is affected by a disruption
• Develop responses to mitigate risks
• Communicate challenges and train teams
• Develop response plans
• Develop resilience and continuity plans and continue to revise and adapt them.

[Figure: Business Resilience Lifecycle. Stages: Business context & process understanding; Business impact analysis & resource requirements; Continuity risk assessment; Business resilience and continuity strategy; Plan development; Plan training & exercising. The cycle is surrounded by on-going governance, awareness, maintenance & improvement.]
Toolkit components
[Figure: the toolkit components laid out over the Business Resilience Lifecycle, with on-going governance, awareness, maintenance & improvement around the cycle.] The components map onto the lifecycle stages as follows:

Business impact analysis & resource requirements
1. Impact analysis & resources guide
2. MS Excel workbook

Continuity risk assessment
3. Risk assessment guide
4. MS Excel workbook

Business resilience and continuity strategy
5. Gap analysis & strategy guide
6. MS Excel workbook
7. Resources: examples of recovery alternatives

Plan development
8. Continuity plan development guide
9-12. MS Word plan templates

Plan training & exercising
13. Resources: return-to-work checklist
14. Resources: examples of exercise scenarios and injects

Webinars
Webinar #1 – Business Resilience Basics
Webinar #2 – Business Resilience Lessons from the Pandemic
Webinar #3 – BCM Toolkit Walkthrough
Methodology
Business Continuity Risk Assessment
Risk Assessment Objective & Approach
Objective
The Business Continuity Risk Assessment aims to identify, analyze and evaluate the risks of disruption to a business. This means
analyzing threats and existing safeguards to determine the residual level of risk to your business.

Approach
The Business Continuity Risk Assessment focuses on the risks to critical processes that could result in a major disruption to your
business. It considers safeguards currently in place to mitigate each risk.
The following process is followed:

(1) Risk identification
Step 1.1 Identify business continuity threats
Step 1.2 Map threats to impacted resources

(2) Risk analysis
Step 2.1 Analyze and evaluate relevant safeguards
Step 2.2 Assess exposure and residual risk

(3) Risk assessment
Step 3.1 Determine risk treatment approach
Step 3.2 Document the risk assessment summary
Risk Assessment Approach
The Business Continuity Risk Assessment focuses on the risks to critical processes that could result in a disruption. It also considers safeguards currently in place to mitigate each risk.
The following steps are conducted:

(1) Risk identification
This step identifies events that may disrupt your critical business processes and highlights the impacted resources. The business continuity threats are identified by the business head and managers. Members of this group have knowledge of every aspect of the business and the wider context of the market and industry.

(2) Risk analysis
This step analyzes and evaluates safeguards currently in place to mitigate the impact or likelihood of threats. It also shows the residual exposure to each risk after existing safeguards are considered. These insights are discovered in discussion-based workshops with the business head and managers.

(3) Risk assessment
This step determines the best response to each potential risk. These could include "avoiding", "accepting", "mitigating" or "transferring" the risk. Risks that exceed the risk tolerance of the business must be mitigated or transferred. The risk treatment is a key input for the overall continuity strategy, which focuses on selecting remediation and recovery solutions.
Step 1: Risk Identification
Threats that create business risk can be categorized as deliberate threats, accidental threats and natural hazards.
The first step in the risk assessment is to identify threats to your business and determine which aspects of the business they may disrupt.
The business continuity threats are identified by the business head and managers who have overall knowledge of the business and industry context. A sample of these threats is presented below.

Deliberate threats
• Cyber-attack (sabotage such as ransomware)
• Labor strike/protest
• Physical vandalism/attack
• Theft of critical assets
• Supplier failure/bankruptcy

Accidental threats
• Fire/explosion
• Equipment/hardware malfunction
• Power failure
• Chemical/hazmat spill
• Software malfunction
• Industrial accidents

Natural hazards
• Epidemic/pandemic
• Snowstorm
• Earthquake
• Hurricane
• Flooding/tidal wave
• Extreme cold temperatures
Step 2: Risk Analysis
In this step, workshops are held with the business managers to analyze the disruption risks and threats identified in Step 1. Risks could affect key resources such as people, suppliers and facilities. The threats are mapped out to show which aspect of the business they impact.
Threats are analyzed based on two factors: "likelihood" of occurrence and "impact" on the business. Four factors are used to determine the impact and two factors are used to determine the likelihood.
"Likelihood" and "impact" of risks depend on existing safeguards, which reduce the probability of a risk occurring or the impact if it does occur. Once existing safeguards are identified, these two factors are used to calculate the "residual risk" level.
Residual risk levels are needed for the next step, where they are used to select risk treatment strategies.

Risk likelihood x Risk impact = Residual risk

• Risk likelihood: the probability of a threat materializing and disrupting critical resources and processes (after considering existing safeguards).
• Risk impact: the magnitude of damage or disruption that may be caused after a risk materializes (after considering existing safeguards).
• Residual risk: the remaining potential exposure after existing safeguards and controls are taken into consideration.
Risk Measurement Scale
Threats are analyzed based on probability and impact on resources and critical processes of the business. Impact is determined by four factors: business impact, geographic extension, damage and recovery capability. Probability is determined by two factors: the likelihood of the threat occurring in the coming time periods and your vulnerability to it given current safeguards. Each factor is rated from 1 to 5 after existing safeguards are considered.
Risk Scoring
Residual risk scores are the product of the highest impact rating and the highest probability rating for each threat, which are assigned after relevant safeguards are considered. Because each rating runs from 1 to 5, scores range from 1 to 25.
Risk scores are classified as follows:
• Risk scores of 1-4 are considered "Low", provided none of the individual ratings is a '4-high'
• Risk scores of 5-14 are considered "Moderate"
• Risk scores of 15-25 are considered "High"
[Figure: risk scoring matrix, probability (1-5) by impact (1-5), with each cell shaded by the resulting Low/Moderate/High level]
Step 3: Risk Assessment
Once the risk analysis is conducted and the residual risk levels are determined, businesses must select their response for all risks.
These include:
• Avoid business activity: if the risk cannot be addressed or accepted due to exposure level, you may choose to avoid the high-risk business activity altogether.
• Accept the risk: if the risk is within your risk tolerance threshold, the risk can be accepted and treated at a later stage through
risk reduction efforts. Risk acceptance must be formally documented by the person responsible for protecting the impacted
resources.
• Mitigate the risk: risks that exceed your risk tolerance threshold must be mitigated or transferred. Risk mitigation includes
implementing additional safeguards to reduce the likelihood and impact of a risk. The safeguards are analyzed and selected in
the business continuity strategy.
• Transfer the risk: you may choose to transfer risks that would otherwise be uneconomical to mitigate internally. This may be
achieved through approaches such as obtaining insurance or engaging third party outsourcers to carry part of the risk.
The risk treatment approach for risks to be mitigated or transferred serves as a key input into the business continuity strategy,
which focuses on selecting remediation (pre-disruption) and recovery (post-disruption) solutions.
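The scoring and treatment rules in Steps 2 and 3 can be checked end to end with a small script. The following is an added example written for this page; it is not the toolkit's Excel workbook or any code from the Halifax Partnership. It implements the guide's stated rule (residual score = highest impact rating x highest probability rating, classified Low 1-4, Moderate 5-14, High 15-25, with a score of 1-4 that contains a '4-high' rating excluded from Low) and then works out the treatment options against a risk tolerance. The factor names, the Threat class, the tolerance handling, the choice to treat an excluded 1-4 score as Moderate, and the three sample threats with their ratings are all constructed for illustration.

```python
"""Residual-risk scoring and treatment selection following the guide's rules.

Added example, not the toolkit's Excel workbook. Factor names, the Threat
class, the tolerance handling and the sample threats are constructed; the
decision to treat a 1-4 score that contains a '4-high' rating as Moderate is an
assumption, since the guide only says such a score is not Low.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# The four impact factors and two likelihood factors named in the guide.
IMPACT_FACTORS = ("business_impact", "geographic_extension", "damage", "recovery_capability")
LIKELIHOOD_FACTORS = ("likelihood_of_occurrence", "vulnerability")
LEVELS = ("Low", "Moderate", "High")


@dataclass
class Threat:
    name: str
    category: str               # "deliberate", "accidental" or "natural hazard"
    resources: list[str]        # resource types the threat may disrupt (Step 1.2)
    impact: dict[str, int]      # 1-5 per impact factor, rated after existing safeguards
    likelihood: dict[str, int]  # 1-5 per likelihood factor, rated after existing safeguards


def _validate(ratings: dict[str, int], expected: tuple[str, ...]) -> None:
    """Reject missing, unknown or out-of-range ratings instead of scoring them."""
    missing = set(expected) - ratings.keys()
    unknown = ratings.keys() - set(expected)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for factor, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{factor}: rating must be an integer 1-5, got {value!r}")


def residual_score(threat: Threat) -> int:
    """Product of the highest impact rating and the highest probability rating (1-25)."""
    _validate(threat.impact, IMPACT_FACTORS)
    _validate(threat.likelihood, LIKELIHOOD_FACTORS)
    return max(threat.impact.values()) * max(threat.likelihood.values())


def classify(score: int, ratings: Iterable[int]) -> str:
    """Map a score to Low/Moderate/High, applying the '4-high' exclusion to Low."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    if score >= 15:
        return "High"
    if score >= 5:
        return "Moderate"
    # A score of 1-4 is Low only if no single rating is a 4 (e.g. impact 4 x
    # likelihood 1 = 4 is not Low). Assumed here to land in Moderate.
    if any(r >= 4 for r in ratings):
        return "Moderate"
    return "Low"


def treatment_options(level: str, tolerance: str) -> tuple[str, ...]:
    """Step 3: within tolerance the risk may be accepted (and the acceptance
    documented); above tolerance it must be mitigated or transferred, or the
    activity avoided."""
    if LEVELS.index(level) <= LEVELS.index(tolerance):
        return ("accept",)
    return ("mitigate", "transfer", "avoid")


def assess(threats: Iterable[Threat], tolerance: str = "Low") -> list[dict]:
    """Build the risk assessment summary rows (Step 3.2) for a list of threats."""
    rows = []
    for t in threats:
        score = residual_score(t)
        level = classify(score, [*t.impact.values(), *t.likelihood.values()])
        rows.append({
            "threat": t.name,
            "category": t.category,
            "resources": t.resources,
            "score": score,
            "level": level,
            "treatment": treatment_options(level, tolerance),
        })
    return rows


# Constructed sample register; the ratings are illustrative, not from the guide.
SAMPLE_THREATS = [
    Threat("Ransomware attack", "deliberate", ["technologies", "people"],
           {"business_impact": 5, "geographic_extension": 2, "damage": 4, "recovery_capability": 3},
           {"likelihood_of_occurrence": 3, "vulnerability": 4}),
    Threat("Power failure", "accidental", ["facilities/workplaces", "technologies"],
           {"business_impact": 2, "geographic_extension": 1, "damage": 2, "recovery_capability": 1},
           {"likelihood_of_occurrence": 2, "vulnerability": 2}),
    Threat("Snowstorm", "natural hazard", ["people", "third parties"],
           {"business_impact": 2, "geographic_extension": 4, "damage": 1, "recovery_capability": 1},
           {"likelihood_of_occurrence": 1, "vulnerability": 1}),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS, tolerance="Low"):
        print(f"{row['threat']:<18} score={row['score']:>2} {row['level']:<8} "
              f"options={', '.join(row['treatment'])}")
```

The snowstorm row is the edge case worth noticing: its score is 4, which the thresholds alone would call Low, but the geographic extension rating of 4 triggers the '4-high' exclusion, so it is not accepted under a Low tolerance. Raising the tolerance to Moderate changes only which rows may be accepted, not the scores themselves.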
Guide
Business Continuity Risk Assessment
Risk Assessment Guide
You will find the following table in the first tab of the risk assessment workbook. Its columns are completed as follows:
• Identify credible threats to your resources and determine which resource types they may disrupt.
• Identify the resources (people, facilities/workplaces, technologies, third parties, specialized equipment and inventory) that might be impacted by each threat.
• For each identified threat, analyze and document the controls and safeguards currently in place, and assess whether they are working effectively. These aim to reduce the probability of a risk occurring and/or reduce the implications (impact) if the risk does materialize.
Risk Assessment Guide (continued)
The table in the first tab of the risk assessment workbook continues with the rating columns:
• Rate the risk impact level by specifying a number from 1-5 for each category (business impact, geographic extension, damage and recovery capability). This is a residual rating: assign it after current safeguards have been taken into account.
• Rate the probability of each threat occurring from 1-5, considering the likelihood of it occurring in the next time periods and your vulnerability given the current safeguards.
• This section includes formulas which automatically calculate the residual risk rating by multiplying the maximum impact and the maximum likelihood for each risk.
• The residual risk level is automatically classified as Low, Moderate or High based on the calculated risk score. Risks with a score of 1-4 are considered "Low", a score of 5-14 "Moderate", and a score of 15-25 "High".
Next steps
Once the risk assessment is complete, the following next steps should be taken to
determine the risk treatment approaches:

1. Review the results with the management team to ensure alignment on the identified risks.

2. Obtain sign-off on the results from supervisors/management.

3. Proceed to the next step: business continuity gap analysis and strategy.
Halifax Partnership Resources:
halifaxpartnership.com/how-we-help/grow-your-business/

Minder Singh Hector Fraser Jason Guidry


[email protected] [email protected] [email protected]
Thank you.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a
thorough examination of the particular situation.
