Disaster Preparedness Blog


Risk Assessment or Business Impact Analysis, Which Comes First?

This is a topic of great debate, and is the chicken-or-the-egg question for contingency planners everywhere. Recently, I was asked to share an infographic that placed the Business Impact Analysis before the Risk Assessment. While there is nothing wrong with the graphic, and you can see it in the Disaster Recovery infographic by Singlehop, I am in some disagreement with the placement.

Interestingly enough, I just had a conversation on this very topic with a colleague whom I respect and who works for another large company that provides business continuity and disaster recovery services.

With the creation of the ISO 22301, which does not specifically address the order, but does mention BIAs first, many businesses are now conducting the BIA first. Here is my personal and professional opinion on why this is both wrong and a mistake.

Whenever I work with a business, and we are conducting an analysis on their risks and associated impacts, we always do the risk analysis/risk assessment first. I have a great many reasons for doing it in this way, but let me share just a snippet of why we do it this way.

First, let’s look at the Risk Assessment. The Risk Assessment looks at a given hazard. It measures both the potential likelihood of the hazard occurring and the potential impact it may have on the business. This provides you with some system of measurement of how great a risk the hazard will be to your business.

I just want to mention here that there are many methods of scoring the actual measurement to arrive at a final hazard score. For instance, the National Fire Protection Association (NFPA) 1600 utilizes a scoring method of High (H), Medium (M), Low (L) for probability of occurrence and the same H, M, L for impact. This provides a score such as ML, which would be equal to a Medium probability of occurrence with a Low impact.

I use a slightly modified version of the NFPA 1600 model that I developed over the years, but it is generally the same idea. Once we look at all the potential known hazards we take the top 10, top 5, and top 3 hazards respectively to know which hazards are the biggest known threats to the business.  

This process allows us to have a high-level overview of what the greatest risks are to the business, and what the potential impact will be.

Once we arrive here, it is time to take a deep dive into the impact the top threats will have on your business. It also provides us a potential outline of events that are likely to cause major disruptions to the business. This provides us with a scenario to use for context during the Business Impact Analysis.

During the deep dive into the Business Impact Analysis you will look at each individual process, the individuals and applications that support each process, the interdependencies between departments and those each process has upon the others, the financial impact to the business if this process is disrupted, and the additional financial impact of fines, penalties, SLAs, and contractual agreements. Does this process need to be recovered immediately? Can it wait? Should it be on hold indefinitely until operations return to normal? What are the recovery costs associated with each process?

The Business Impact Analysis gets into such fine details of each business process and business unit that it can itself become a disruption. This is why they are done only every couple of years, with two years usually being the norm, but some companies may do them only every five years.

The Risk Assessment, being such a high-level overview, can be done monthly, quarterly, or even yearly, with little to no disruption to the business's normal operations. It also provides an excellent way of tracking emerging and future threats to the business.

I hope with this you can see where I am coming from, and why a risk assessment should be done both first, and more frequently. Also, as a big proponent of the NFPA 1600 standard, if you have the book, Implementing NFPA 1600 National Preparedness Standard, turning to page 12, and page 19 respectively provides an ordered list where the Risk Assessment comes before the Business Impact Analysis.

The NFPA 1600 Section 5.3 on Risk Assessments also provides an ordered list of steps that includes identifying hazards, assessing the vulnerability, analyzing the potential impact, and then lastly conducting a Business Impact Analysis to determine business continuity and recovery strategies.

I am a big believer in knowing your risks and conducting risk assessments on a regular basis. Performing a BIA with just an overall organizational risk or operational risk falls short of a complete and proper risk assessment.

Also, risk assessments should be tied into your enterprise risk management if you have one and should have controls established for reduction or prevention of risks when possible.


FREE App - The Cost of Downtime Calculator

It is often difficult to know the true economic impacts to a business from disruptions, be it a large-scale regional disaster or a small outage that can occur from application errors, server downtime, or even a power outage.

Now, I have developed the ultimate Cost of Downtime Calculator. You can visit the Cost of Downtime Calculator page directly on Continuity Company to learn more about the capabilities. We also have an option if you want to add in customized and more accurate calculations directly attributed to your business.

The Cost of Downtime Calculator has options for recovery costs, fines and penalties, contractor costs, employee salaries, and several other options. The App includes an internal help page directing you on how to use it, if needed.

I am very proud of the results that the Cost of Downtime Calculator produces. I am sure you will find it quite accurate for your needs as well. You can also use the Cost of Downtime Calculator to calculate what your Recovery Time Objective (RTO) will cost. You could easily use the app to adjust your RTO and discover the Cost/Benefits of your RTO. Maybe it needs to be shorter, or maybe you can afford to slightly extend the RTO. You can now easily calculate your Maximum Allowable Downtime.

The Cost of Downtime Calculator is FREE to download and use. It is Ad supported and the ads can be turned off for $1.99. The initial app is capable of handling nearly all small businesses and most mid-sized organizations. If you need additional functionality you can purchase an upgrade for $9.99 that should cover all your needs.

My team is currently working on an enhanced functionality update that will be available in 2-3 months after we conduct some additional testing.

We are also working on an additional upgrade for enterprise systems that will allow for more detailed calculations. The future enterprise version will also include minimum and maximum potential losses.

Below is a screen shot from the Cost of Downtime Calculator App. I hope that you like it and will try it out. Remember it is FREE to download.




Disaster Tip of The Week: Staying Safe In the Summer Heat


Heat is a major killer. In fact, heat is the number one weather-related killer. During a heat wave in 1980 there were 1250 heat-related deaths. In 1995 during a heat wave 700 people in Chicago died. In 2003 during the EU summer heat wave 50,000 people died. In France alone the number of lives lost was about 15,000 people.

The temperatures in my area have been over 100°F for the last week and look to continue that way well into this weekend. While this is not out of the ordinary for where I live, there is another factor that, coupled with this, can cause issues. As of today there is a major transportation strike and many more cars are out on the road.

During such times the National Weather Service will issue heat related warnings. These warnings are as follows:

  • Excessive Heat Watch - Conditions are favorable for an excessive heat event to meet or exceed local Excessive Heat Warning criteria in the next 24 to 72 hours.
  • Excessive Heat Warning - Heat Index values are forecast to meet or exceed locally defined warning criteria for at least 2 days (daytime highs=105-110° Fahrenheit).
  • Heat Advisory - Heat Index values are forecast to meet locally defined advisory criteria for 1 to 2 days (daytime highs=100-105° Fahrenheit).

Heat-Related Illness Symptoms and First Aid

HEAT CRAMPS

  • Symptoms:
    • Painful muscle cramps and spasms usually in legs and abdomen
    • Heavy sweating
  • First Aid:
    • Apply firm pressure on cramping muscles or gentle massage to relieve spasm.
    • Give sips of water. If nausea occurs, discontinue water.

HEAT EXHAUSTION

  • Symptoms:
    • Heavy sweating
    • Weakness
    • Cool, pale, clammy skin
    • Weak pulse
    • Possible muscle cramps
    • Dizziness
    • Nausea and vomiting
    • Fainting
    • Normal temperature possible
  • First Aid:
    • Move person to a cooler environment
    • Remove or loosen clothing
    • Apply cool, wet cloths
    • Fan or move victim to air conditioned room
    • Offer sips of water. If nausea occurs, discontinue water. If vomiting continues, seek immediate medical attention.

HEAT STROKE (or sunstroke)

  • Symptoms:
    • Altered mental state
    • Possible throbbing headache, confusion, nausea, dizziness, shallow breathing
    • High body temperature (106°F or higher)
    • Skin may be hot and dry, or patient may be sweating
    • Rapid pulse
    • Possible unconsciousness
  • First Aid:
    • Heat stroke is a severe medical emergency. Summon emergency medical assistance or get the victim to a hospital immediately. Delay can be fatal.
    • Move the victim to a cooler, preferably air-conditioned, environment
    • Reduce body temperature with a water mister and fan or sponging
    • Use fan if heat index temperatures are below the high 90s
    • Use extreme caution
    • If temperature rises again, repeat process
    • Do NOT give fluids

Safety and Social Media - Before You Post That Read This

I'm a big fan of Social Media. I use it to engage with my fans, clients, potential clients and keep up with friends. What you never really see me doing is posting pictures of my family, sure there are a few but I limit how much I post. If I had kids, I would never post publicly viewable photos of them.

Another thing I do not do on Social Media is post photos with my home in them. I also never discuss where I am. At least not at the time I am away or anything like that. Some of you may call me crazy, paranoid and some may even laugh. That's fine. Most of you also don't have thousands of strangers reading what you put online and trying to connect with you either. Don't get me wrong, I'm not famous by a long shot. But let me explain a few things.

First, there are people out there who look for these things. They will track you down, they will find you, and when they do, they will likely break into your home. I'm not kidding. There are many reports of this occurring. Also, when we purchased a new home a few years ago we had a break in and were robbed. The good news. There wasn't much to take, just a few things that we had just purchased and placed in the garage for safe keeping. 

I've since turned the house into a fortress, got an alarm system (we were getting anyway, but waiting till the move took place), and a nice beautiful living alarm/deterrent we call Luna. Anyway, that is not what this post is really about.

You see, my wife knows someone who was recently robbed. This person posts frequent pictures of the inside of their home. Also, those of you with kids, taking those innocent photos of them playing sports, or in front of their school, or wearing the team jersey. It seems to me the internet has made it easier for the nefarious would-be stalker who is looking to do something evil.

Sure, I may be paranoid. But, paranoid and being safe never really hurt anyone. So next time. Before you post something. Think. Am I exposing myself to harm in a way I would never do if I knew someone was watching me?



Choosing The Right Bug-Out-Bag Can Be The Difference

There are hundreds of posts out there on putting your Bug-Out-Bag together. What to include in it, what not to include in it, essentials, just-in-case, and so on. I've even done a few posts like that, including The Most Important Thing You Should Consider When Creating a Bug-Out-Bag. What few do talk about is how to choose the right Bug-Out-Bag for you.

First should come fit, and with fit, comfort. You don't want to lug around a bag weighing 50, 70, 80 or even 100 pounds without it being comfortable. Also, you want it to fit right. The most practical choice for many is the backpack, and you want to be certain you can wear it and be able to move freely with it on.

Second, you want to be able to access at least some items rapidly and easily. Certain bags lend themselves to this easily, others do not. Also, depending on your size and body type, it may be easier for you to use one type of bag, while someone else may have difficulty reaching an item in the same bag.

With both of these things in mind, going out and trying different types of bags on for size may be best. This is especially true if you have never tried one before. If you are unsure, go to a camping goods or outdoor store and ask for help. Many of the stores have people trained to help you find the right fit. A good rule is that if you find one that you would be comfortable hiking or camping with, it will likely make a good Bug-Out-Bag. The only exception here is that I would not choose a brightly colored bag.

The next thing to consider is what you need to place into the bag, and the maximum weight you want the bag to be. Then find ways to reduce the pack load any way you can.

Finally, make sure that you are able to carry everything you need inside that Bug-Out-Bag that you would need to reach your destination. Another good idea is to have places with items cached along the route you will be traveling.

Below are some of the types of bags I use. Yes, I have different ones, but I also use them to show other people. The most important thing about choosing the right Bug-Out-Bag is picking the right one for you.