Business Recovery Risk

What Is Business Recovery Risk?

Business recovery risk refers to a company's exposure to loss as a result of damage to its ability to conduct day-to-day operations. Loss of ability to conduct day-to-day operations may result from supply chain interruptions, damage to physical locations, or loss of access to virtual systems, among other losses.

Understanding Business Recovery Risk

Analysis of business recovery risk involves categorizing threats according to short-, medium- and long-term impact. Short-term threats may include damage to computer systems or workers' inability to reach the job site due to natural disasters. Medium-term impact threats may include infrastructure failure or loss of staff. Long-term impact threats may include extensive property damage.

Firms address business recovery risk within their business continuity plan (BCP). A BCP is created in order to ensure that personnel and assets are protected and able to function quickly in the event of a disaster. The BCP would create a system of prevention and recovery from potential threats. Risks may include natural disasters — such as fire, flood, or weather-related events — or cybersecurity attacks. 

After the terrorist attacks of September 11, 2001, business recovery risk become an important component of risk management and disaster recovery plans. Bond trading was closed for two days and resumed trading on September 13. The New York Stock Exchange and Nasdaq reopened on September 17, after the longest suspension of trading since the Great Depression. Clearing and settlement of payment transactions suffered several delays.

An analysis revealed vulnerabilities in the risk management strategies employed by financial institutions. For example, while they had planned for disasters in their buildings, the firms had not planned for area-wide disruptions. Their processes also did not create redundancies to deal with vendor shutdowns. The interdependent chain of events after the disaster also emphasized the importance of concerted action, as opposed to individual action, to ensure the continuation of the business.

Business continuity planning and disaster recovery have become a sophisticated discipline with certifications and planning that involves all departments of an institution, from senior management to the security personnel responsible for administration. When developing a business continuity plan, there are generally four steps that a company must follow: business impact analysis, recovery, organization, and training.

During the business impact analysis stage, the company will identify the functions and resources that are time-sensitive. In the recovery stage, the company will identify how it will recover critical business functions. In the organization stage, the company forms a continuity team that will then create a plan to manage the disruption. Finally, in the training stage, members of the continuity team must test their strategy and complete exercises that review the plan and strategy.