Risk and Issue Management in BCM / DR Programs

Let’s face it, there’s some level of risk in everything we do.  We work to ensure that the risks never come to pass by mitigating them and monitoring situations.  If the situation escalates maybe our risk becomes an actual issue.  This is true for when we build our BCM/DR programs as well.  As we work at developing our plans and processes, we run the risk of collecting and incorporating the wrong information or missing information altogether, which only impacts our BCM/DR plans and processes.

To keep on track, not only are we to ensure we’ve got all the necessary components but we must manage the risks and issues that crop up during our planning, development and execution phases.  Regardless of what BCM/DR methodology you subscribe to – and some don’t subscribe to any one in particular, they just take the best from every methodology and utilize those components – risk and issue management is key to ensuring you stay on track with your schedule, budget, scope and resources.

So how do we manage our risks and issues?  What even distinguishes a risk from an issue?  Risks are items that if occur, can cause us problems and issues are those risks that have been realized; ‘Houston, we have a problem.’

Understanding how to manage your risks and issues will take you a long way and will – in the end – make your BCM/DR planning road much smoother.  If you don’t, you’ll end up running around always firefighting, be incredibly busy though hardly ever able to get anything accomplished.

Let’s look at what risks and issues really are, how to manage and track them and some tools you can leverage to ensure your BCM/DR program keeps moving forward and not tripping over everything on its path.

  1. Decision Log:  Log any decisions that are made on your project.  For example, why you won’t be performing a Risk Analysis or why you decided to build an internal Technology  Recovery strategy rather than using an external strategy (i.e. 3rd  party vendor).
  2. Risks:  Risks are items that have the potential to impact  your project either by resources, schedule or budget.  In project management terms that’s called the triple constraint.  It doesn’t mean that it’s a guarantee they will occur but that there is the potential of them occurring and hampering your work.  An example could be the availability of a Single Point of Knowledge (SPoK) that is assigned to too many initiatives and doesn’t have sufficient time to spend with you.  As a result, the schedule will be impacted.  By the way, when you document a risk make it an “If / Then” statement: IF ‘x’ occurs THEN  ‘Y’ will be impacted.  Follow that up with a mitigation strategy on how you’ll try to mitigate the risk from      ever occurring and give some specific checkpoint dates to go with your  strategy.  It could come down to something simple such as reviewing ‘x’ on a bi-weekly basis to ensure things are on track and the risk isn’t escalating in probability…and severity.  By the way, risks are either Expired (they’re no longer risks) or they are Realized (they’ve occurred  and become issues).
  3. Critical Risks:  In simple terms, they are risks that have  a very highly likelihood of occurring but haven’t occurred yet.  Usually, when a risk is escalated to a critical risk the mitigation strategies kick in rather quickly and everyone rallies together to ensure it doesn’t become an issue.
  4. Issues:  An issue is a risk (critical and  non-critical) that has occurred and is impacting your project / BCM program.  Each issue must have some  level of devised action plan in place so that the issue is resolved and the roadblock is removed from what you’re trying to accomplish.

Managing risks and issues is vital to ensuring your BCM project success and this goes for all phases of the project, not just the initial phases.  We work in an industry where we state that ‘anything can happen’ and that is true for projects as well; it can be derailed at anytime by anything.

Often, we’re aware that something could hinder our progress but we don’t properly monitor it to ensure it doesn’t become an issue for us.  With disasters, we monitor the coming storm (i.e. hurricanes…) but we don’t monitor the coming storm that can be something like a change in technology strategy, which might have an impact on the overall TRP strategy we’re putting together.  So monitor the risks and issues or else you might find yourself in trouble.

© StoneRoad


Check out www.stone-road.com for details.


 “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at www.stone-road.com, www.amazon.com & www.volumesdirect.com


One thought on “Risk and Issue Management in BCM / DR Programs

  1. Pingback: Risk and Issue Management in BCM / DR Programs - Disaster Recovery

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s