Integrating risk assessment and business impact assessment in the public crisis management sector

Abstract

Risk and Vulnerability Assessments (RVAs) are often conducted by public sector organizations to prevent or prepare for hazards and threats. In Sweden, practitioners increasingly adopt approaches that are based on Business Continuity Management (BCM), where Business Impact Assessments (BIA) are used to gain organizational understanding, in favor of more traditional risk assessments. Both processes can be valuable to an organization and they have synergies that can be exploited. In the present paper, a method integrating risk assessment and BIA is suggested. The method was developed through a three-year collaboration with the municipality of Malmö, Southern Sweden, where a design science approach was used to ensure scientific rigor and practical relevance. The suggested method, adapted primarily to municipal departments, was implemented and evaluated longitudinally in a number of iterative phases and provides results perceived as useful by end users. Compared to previous suggestions on how to integrate BIA and risk assessment, our method intentionally limits the workload and complexity of the method in favor of practical applicability in a context where persons responsible for crisis management are not necessarily experts on risk and business impact assessment methods. In addition, the method includes features that have not been included in previous integrations of BIA and risk assessment, such as capability assessments related to critical functions in the occurrence of undesirable events using BIA-type of organizational mapping as an input. Finally, the method also includes steps to facilitate sharing information between municipal departments concerning dependencies and capabilities.