RMIA 2015, page 52
Consequence is a risk management metric designed to consider the question: 'What is the outcome of a threat striking?' For example, the consequence of a fire damaging a call centre is that staff may be injured. So, a consequence category with a scale would be consulted to determine a consequence level. In this example, the consequence category of staff safety or OHS might have a five-tiered scale, where Level 1 might describe minor injuries such as cuts and abrasions, and Level 5 might describe the death of one or more people.

On the other hand, impact is a business continuity metric designed to consider the question: 'What is the outcome if the business activity stops?' If fire damaged the call centre, then the impact of not providing the service to the customers may be that the customers find another provider and never return. In this example, the impact category of market share may have a five-tiered scale, where Level 1 might describe a small percentage of sales permanently lost (for example, five per cent) as customers move to other suppliers, and Level 5 might describe a catastrophic percentage of lost customers (for example, 25 per cent) that would cause the organisation to fail.

Unlike consequence, impact in a BC context has an additional dimension: time. The impact of the call centre stopping (regardless of the cause) for one day, then one week, then one month, is a growing loss of market share. On the other hand, once the fire has been extinguished, additional staff are not injured some time later.

When determining how time-critical a business activity is, risk managers consider the likelihood of the threat striking: what is the probability or chance of a fire damaging the call centre, which, when combined with a consequence scale, results in a risk rating?

It is incredibly risky to develop a business continuity strategy based on the risk of a threat striking. Why? Because knowing that there's a possibility of being struck by fire once every four years doesn't stop you from having a fire next week, or being hit by another threat that no-one has thought of. The impact of an activity stopping is not influenced by the likelihood of a threat happening. This is why those responsible for BCM struggle with standards and guidelines that require the business impact analysis to include likelihood when determining business activity

To be clear, I am not advocating that BC should replace risk management. On the contrary, I'm a firm believer that risk assessment is fundamentally important, as we must protect the organisation from threats. My point is that the risk framework should not define the continuity requirements. I find two common mistakes when undertaking a business impact analysis (BIA) driven from a risk management

1. The categories are defined and tiered for a risk management conversation; that is, they are threat-based consequence categories.
2. The definition of each tier contains subjective terms; for example, 'serious', 'small', 'significant', 'major', 'many',

If this applies to your BIA framework, I urge you to re-evaluate your impact categories and scale definitions.

Once you have the right basis for your BC capability, you need to make sure that you have the right BC capability for your organisation's requirements. When thinking about right-sizing your organisation's BC capability, there are two spheres of cost for consideration: the cost of the operational disruption, and the cost of the continuity capability implemented. Hopefully, the link between these two spheres is strong in your organisation; sadly, I see many organisations in which this is not the case.

The cost of operational disruption over time can be
In September 2013, a survey of 2316 BC and IT security professionals in 37 countries across 20 industries found that:
1. a minor outage of 20 minutes resulted (on average) in a $1 million cost
2. a moderate outage of two hours resulted (on average) in a $4.25 million cost
3. a substantial outage of seven hours resulted (on average) in a $14.25 million cost.

The survey split the costs into the following categories:
• Business costs
  – reputation and brand damage
  – lost productivity
  – lost revenue due to system availability problems
  – compliance and regulatory failure