What Is Business Recovery Risk?

Business recovery risk refers to a company's exposure to loss as a result of damage to its ability to conduct day-to-day operations. That ability may be lost, for example, through supply chain interruptions, damage to one or more physical locations, or loss of access to virtual systems.

Key Takeaways

  • Business recovery risk refers to a company's exposure to loss as a result of damage to its ability to conduct day-to-day operations.
  • Loss of ability to conduct day-to-day operations may result, for example, from supply chain interruptions, damage to one or more physical locations, or loss of access to virtual systems.
  • Analysis of business recovery risk involves categorizing threats according to short-, medium- and long-term impact.
  • Short-term threats may include damage to computer systems or workers' inability to reach the job site due to natural disasters.
  • Medium-term impact threats may include infrastructure failure or loss of staff.
  • Long-term impact threats may include extensive property damage.

Understanding Business Recovery Risk

Analysis of business recovery risk involves categorizing threats according to short-, medium- and long-term impact. Short-term threats may include damage to computer systems or workers' inability to reach the job site due to natural disasters. Medium-term impact threats may include infrastructure failure or loss of staff. Long-term impact threats may include extensive property damage. Firms address business recovery risk within their business continuity plan (BCP). A BCP is created in order to ensure that personnel and assets are protected and are able to function quickly in the event of a disaster. The BCP would therefore create a system of prevention and recovery from potential threats to a company. Risks may include natural disasters—fire, flood, or weather-related events—or cybersecurity attacks. 

After September 11, 2001, business recovery risk became an important component of risk management and disaster recovery plans. The New York Stock Exchange and Nasdaq were closed for four days and bond trading shut down for two days. Clearing and settlement of payment transactions suffered several delays.

An analysis revealed vulnerabilities in the risk management strategies employed by financial institutions. For example, while they had planned for disasters in their buildings, the firms had not planned for area-wide disruptions. Their processes also did not create redundancies to deal with the emergency of a vendor shutdown. The interdependent chain of events after the disaster also emphasized the importance of concerted action, as opposed to individual action, to ensure the continuation of the business.

Business continuity planning and disaster recovery have become a sophisticated discipline with certifications and planning that involves all departments of an institution, from senior management to the security personnel responsible for administration. When developing a business continuity plan, there are generally four steps that a company must follow: business impact analysis, recovery, organization, and training.

During the business impact analysis stage, the company will identify the functions and various resources that are time-sensitive. In the recovery stage, the company will identify how it is going to recover critical business functions. In the organization stage, it is advisable that the company form a continuity team that will then create a plan to manage the disruption. Finally, in the training stage, members of the continuity team must test their strategy and complete exercises that go over the plan and strategy.