Business Impact Analysis


There will often be many active pieces within an organization. Some may be critical for the organization’s infrastructure, and others may be less essential for the survival of the company. When conducting a Business Impact Analysis (BIA), one needs to consider what it is that brings actual value to the company. A company’s wealth and value are decided not only by its monetary value, but by its cultural and social values as well. First, we need to establish ‘what value are we creating’ and thereafter ‘who do we create value for’ in order to get an idea of the organization’s output and paint a picture of the overall process.

By going through the following steps, we can systematically review the elements relevant to our company’s value creation. The steps are as follows:

  1. Value creation: Who are we creating value for? To understand this business model, we need to identify potential hazards that can cause disruption to our operations. In this step, you can use models such as Porter’s Value Chain and the Business Model Canvas.
  2. Identification of critical activities: In this step we pool a number of processes which together constitute an activity. For example, the production line creates value for us, so we need to recognize where potential disruptions within this production line would be critical for our operations.
  3. Mutual dependencies: Which activities rely on each other to function? In this part, it is also relevant to consider how dependent we are on our suppliers. Do we have alternative suppliers in case our Tier 1 is unable to perform their part?
  4. The robustness of critical activities: How do we test our robustness? In this step we test the minimal operative level. For example, if the power is out, can we still keep an overview of our logistics on paper rather than electronically? The system’s robustness is defined by being able to absorb disruptive activities whilst keeping our operative integrity. An analysis can be conducted by doing the following:
     - Identify vulnerabilities/minimum operational levels.
     - Identify where an increase in resources can strengthen our robustness.
     - Different types of exercises can also help in this phase (e.g. contingency plans).
  5. Internal and external resources: The resources that the company is reliant on, such as:
     - Infrastructure: roads, stand-alone systems.
     - Physical resources: storage/inventory, equipment.
     - Intellectual resources: skills, employees’ educational background, capabilities.
  6. Maximum Tolerable Downtime (MTD): MTD describes the point where an organization is unable to keep its operational integrity after a disruptive event (post-crisis). The costs of restoration are so high that it would not be worth it.
  7. Recovery Time Objective (RTO): RTO describes when management wishes for an activity to be back up and running. RTO requires resources and therefore an allocation of economic funds. The RTO can be influenced by mitigating intervention, by having Risk Management as an integral part of the organization.
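The dependency, MTD and RTO steps can be checked together. The following is an added example, not part of the original post: it propagates each activity's RTO through its dependencies and reports activities that would be back later than their MTD. The activity names and hour values are constructed, and it assumes all recovery work starts in parallel at the moment of disruption.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    name: str
    rto_hours: float   # Recovery Time Objective set by management
    mtd_hours: float   # Maximum Tolerable Downtime
    depends_on: list = field(default_factory=list)

def effective_recovery(activities):
    """Hours until each activity is usable again: its own RTO or the
    slowest dependency's effective recovery, whichever is later."""
    by_name = {a.name: a for a in activities}
    done, in_progress = {}, set()

    def visit(name):
        if name in done:
            return done[name]
        if name in in_progress:
            # A circular dependency has no recovery order; the analyst must break it.
            raise ValueError(f"circular dependency involving {name}")
        if name not in by_name:
            raise KeyError(f"unknown dependency {name}")
        in_progress.add(name)
        act = by_name[name]
        hours = max([act.rto_hours] + [visit(d) for d in act.depends_on])
        in_progress.discard(name)
        done[name] = hours
        return hours

    for act in activities:
        visit(act.name)
    return done

def mtd_breaches(activities):
    """Return (name, effective_recovery, mtd) for activities that exceed their MTD."""
    eff = effective_recovery(activities)
    return sorted((a.name, eff[a.name], a.mtd_hours)
                  for a in activities if eff[a.name] > a.mtd_hours)

# Constructed sample data (hypothetical activities and hours).
SAMPLE = [
    Activity("power", 8, 24),
    Activity("tier1_supplier", 72, 120),
    Activity("logistics_overview", 4, 12, ["power"]),
    Activity("production_line", 12, 48, ["power", "tier1_supplier"]),
]

if __name__ == "__main__":
    for name, eff, mtd in mtd_breaches(SAMPLE):
        print(f"{name}: usable after {eff}h, but MTD is {mtd}h")
```

In the sample, the production line's own RTO of 12 hours looks safe against its 48-hour MTD, but its reliance on a supplier with a 72-hour RTO pushes it past the MTD.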

This figure can help illustrate what the MTD and RTO mean during a disruptive event.

Risk Assessment, step 3

This risk tool post is about the third step in a risk assessment, so if you haven’t read the first two posts, we recommend you read the first post to find out why it is so important to do a risk assessment in your organization and how to get started!

Step 3: Develop strategies to reduce risk and vulnerability   

Once the threats have been identified and evaluated, and the risks rated, the next step is to consider what can be done to reduce risks to an acceptable level. Developing security strategies is a critical step in ensuring that before committing staff, resources and the firm’s reputation, the firm has taken all reasonable steps to minimize the risk.   
In general, there are two possible courses of reducing exposure to risk:

Mitigation measures to reduce risk should focus on both prevention (reduce the probability) and reaction (reduce the impact). By doing this, you can reduce the level of residual risk from the level originally assigned to each threat identified, and thereby improve your ability to deliver your program.   

For example, we could reduce the exposure to the risk of spreading COVID-19 by:

Damon P. Coppola (2015) “Introduction to international disaster management”  

European Interagency Security Forum (2020) “Security to go: A risk management toolkit for humanitarian aid agencies”

Humanitarian Practice Network (2010) “Good practice review – Operational security management in violent environment” 

Risk assessment, step 2

This risk tool post is about the second step in a risk assessment, so if you haven’t read the first post, we recommend you read it to find out why it is so important to do a risk assessment in your organization and how to get started!

Step 2: Evaluate the hazards and rate the risk  

Once you have identified, in step 1, the types of hazards you may face in the project, you will need to evaluate each of them and rate the level of risk to the staff, the firm and its project. This step helps clarify how severe (or not) the risk is, and how much priority it must be given.

Note: The risk rating is derived from a combination of the probability that an incident will occur and the level of impact it will cause.

Different risk rating systems exist, depending on the project, geography, nationality, staff or region. Below are two tables you can use to determine the risk rating for each hazard that has been identified. However, in a new situation where firms and organizations have not recently been undertaken, it may be necessary to use data from similar projects combined with current information from sources.

Tip: The definitions for each level should be agreed across the firm to make it possible to compare different contexts!

First, this assessment helps identify areas that are priorities for your project or the firm, specifically those risks that are more likely to happen and whose impact, if they happen, would be moderate to critical.
Second, it helps in determining when a risk has become too high for projects to continue.

The tables could end up depicting the following conclusions from a discussion in the team:



Risk Assessment, step 1

How to work with the risk 

Before you deal with the risk, you need to identify what hazards exist in your workplace, and how likely they are to become a risk. After this you can decide what mitigation or control measures are needed.  

What is a risk assessment? 

The risk assessment is a systematic process designed to allow individuals or firms without any specific security background to conduct a basic security risk assessment as part of any wider assessment process. The tool evaluates the potential risk that may be involved in a projected activity or undertaking.

This assessment tool is broken down into three steps which are needed to eliminate or control risks: 

This post will only focus on the first step of the risk assessment. If you are interested in learning more, keep in touch – we’ll post the 2nd step in a week!

Step 1: Identify the hazards 

Look critically at your organization’s context in terms of operational processes, sources of risks and the outcome.  
There is a wide variety of hazards that can affect a firm entering a new context. Below are some of the most common classifications of hazard to consider.

Tip: You and your employer must systematically check and track for possible hazards in a risk log or register! 
