Business Recovery Risk
Understanding Business Recovery Risk: Key Concepts and Strategies
Key Takeaways
- Business recovery risk includes threats like supply chain disruptions and loss of virtual systems.
- A business continuity plan (BCP) helps protect assets during disasters or cyberattacks.
- Effective business continuity plans require analysis, recovery strategies, organization, and training.
- The 9/11 attacks highlighted the need for area-wide disaster planning in risk management.
- Business continuity involves coordination across all departments, from management to security.
What Is Business Recovery Risk?
Business recovery risk is a company's exposure to losses when disruptions halt day-to-day operations. Causes can include supply chain interruptions, natural disasters, damage to physical sites, or loss of access to virtual systems. A business continuity plan helps protect people and assets while restoring operations quickly. These strategies have received greater emphasis after events such as the 9/11 attacks.
Elements of Business Recovery Risk
Analysis of business recovery risk involves categorizing threats according to short-, medium- and long-term impact. Short-term threats may include damage to computer systems or workers' inability to reach the job site due to natural disasters. Medium-term impact threats may include infrastructure failure or loss of staff. Long-term impact threats may include extensive property damage.
Firms address business recovery risk within their business continuity plan (BCP). A BCP is created to ensure that personnel and assets are protected and able to function quickly in the event of a disaster. The BCP creates a system of prevention and recovery from potential threats. Risks may include natural disasters (such as fire, flood, or weather-related events) or cybersecurity attacks.
Evolution of Business Recovery Strategies
After the terrorist attacks of September 11, 2001, business recovery risk became an important component of risk management and disaster recovery plans. Bond trading was closed for two days and resumed on September 13. The New York Stock Exchange and Nasdaq reopened on September 17, after the longest suspension of trading since the Great Depression.1 Clearing and settlement of payment transactions suffered several delays.
An analysis revealed vulnerabilities in the risk management strategies employed by financial institutions. For example, while they had planned for disasters in their buildings, the firms had not planned for area-wide disruptions. Their processes also did not create redundancies to deal with vendor shutdowns. The interdependent chain of events after the disaster also emphasized the importance of concerted action, as opposed to individual action, to ensure the continuation of the business.
The Four Stages of Business Continuity Planning
Business continuity planning and disaster recovery have become a sophisticated discipline with certifications and planning that involves all departments of an institution, from senior management to the security personnel responsible for administration. When developing a business continuity plan, there are generally four steps that a company must follow: business impact analysis, recovery, organization, and training.
During the business impact analysis stage, the company will identify the functions and resources that are time-sensitive. In the recovery stage, the company will identify how it will recover critical business functions. In the organization stage, the company forms a continuity team that will then create a plan to manage the disruption. Finally, in the training stage, members of the continuity team must test their strategy and complete exercises that review the plan and strategy.