The British Standards Institution define risk treatment as the “process of developing, selecting and implementing controls” and as “development and implementation of measures to modify risk”.
Using the Risk Assessment and Impact Analysis previously carried out, this stage involves considering the treatment of each risk listed, that is, considering what actions can be taken to reduce the likelihood of an event occurring and/or reduce its impact should the event occur. This is called mitigation activity.
When the activity to reduce the score is identified and the impact of implementing it is considered, the risk should be re-scored.
This helps to assess the appropriateness of the risk mitigation activity and sets an agenda for making improvements. It also sets a basis for monitoring risks and continually assessing them.
For all businesses, the Risk Assessment and Impact Analysis is a key step needed in advance of working on a Business Continuity Plan (BCP), and the Disaster Recovery Plan (DRP) within it, as it identifies specific risk exposure and scenarios to plan for.
Business Continuity Plan (BCP)
The British Standards Institution define BCP as: “a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response to safeguard the interest of its key stakeholders, reputation, brand and value-creating activities.”
The identified scenarios and mitigation activity can be encompassed in the BCP.
When it comes to managing a very significant or serious scenario, such as loss of premises, then it is important to also have a well-defined, documented and tested Disaster Recovery Plan (DRP).
Disaster Recovery Plan (DRP)
A DRP is prepared for use in the event of a serious loss, such as a significant IT failure, fire or flood, to assist in the initial steps for the recovery of the business.
The DRP may identify key stakeholders and roles and responsibilities. It may identify key activities and steps to take immediately following a disaster.
It may define different disaster types, so that it is clear exactly when to initiate activity (which is not always obvious) and what steps to take for each. For example, it may define tolerance levels to know when to call a disaster, e.g. an acceptable period without power.
It may hold key information to be relied upon, or identify where this is available from, e.g. staff contact details.
The BCP builds upon the DRP by setting out the longer-term plans for restoration of “business as usual” in the aftermath of a disaster.