Threat Management,
Risk Management,
Business Continuity
Flow chart for Business Continuity, Threat, and Risk Management
John Glenn, MBCI
Linked to this small file is a 3-page PDF file illustrating the flow of a typical threat/risk management/business continuity program.
The difference between a "PROGRAM" and a "PROJECT" is that the former is never-ending; it requires ongoing attention (maintenance, exercises) to ensure it is always up to date, while the latter has a beginning and an end. If the effort is not maintained as a program, it must be started from scratch each time; in the final analysis, that is the more expensive option. The greater Return On Investment (ROI) comes from the program approach.
A "good" program - or project - includes ALL threats/risks from ALL directions: from the typical internal human, technology, and environmental risks to external risks that include both traditional vendors (e.g., utilities, suppliers) and non-traditional vendors (e.g., money lenders, insurance), as well as non-vendor risks that include - but certainly are not limited to - customers and competition, the economy, politics (local and national), and rumors, among many, many other things.
The related PDF does not attempt to list threats/risks; it merely outlines the typical steps in a survival program.
The third page of the PDF provides a suggested document layout, and identifies what typically is public information versus sensitive information. Making a certain amount of "generic" information available to the world is good business practice, but there is no reason to share information that could help competitors.
The PDF is itself generic; it is intended only as a guide. The task-centric flow chart does NOT tell anyone HOW to accomplish a task; each practitioner needs to tailor his or her approach to the organization for which the work is being performed.