Risk Assessment for Business Continuity

BCM risk assessment is often conflated with information security risk assessment, particularly in organisations that have already implemented ISO 27001. The standards are related but distinct. Information security risk assessment (ISO 27001) focuses on threats to information assets and their confidentiality, integrity, and availability; BCM risk assessment (ISO 22301) focuses on threats to critical business activities and the resources they depend on. This distinction matters because it produces different risk scenarios, different treatment options, and different controls.

An organisation might assess the same data centre outage both as an IS risk ("loss of availability of a critical system") and as a BCM risk ("inability to process transactions for 8 hours, resulting in financial loss and customer impact"). The IS risk assessment leads to IT redundancy controls (backup systems, failover). The BCM risk assessment leads to BCM strategy options (alternate processing location, manual procedures, customer communication protocols). The two risk assessments are complementary; neither is a substitute for the other.

This article explains the BCM-specific approach to risk assessment — the risk scenarios that matter most to business continuity, how to prioritise them, and how to translate risk assessment into BC strategy decisions and exercise scenarios.


BCM Risk Assessment vs IS Risk Assessment — Key Differences

The primary subject of IS risk assessment is information assets: databases, systems, repositories, communication channels, documents. The threats are typically confidentiality breach (unauthorised disclosure), integrity compromise (unauthorised modification), or availability loss (system is inaccessible or performs incorrectly). Risk treatment options are controls on the information assets: encryption, access controls, backup systems, security monitoring. The output is a risk treatment plan that specifies which controls will be implemented to reduce risk to acceptable levels.

The primary subject of BCM risk assessment is critical business activities and their resource dependencies: the people who execute the activity, the premises from which it is executed, the technology it depends on, the suppliers it relies on, the data it requires. The threats are disruption events that make the activity impossible to execute: natural disaster (earthquake, flood), cyber incident (ransomware, DDoS), staff unavailability (pandemic, mass illness), supplier failure (bankruptcy, service interruption), utility failure (power outage, telecommunications outage). Risk treatment options are BC strategies that enable the activity to continue despite the disruption: alternate premises, cross-trained staff, system redundancy, dual sourcing, manual procedures. The output is a BC strategy document that specifies which strategies will be implemented to enable recovery within RTO.

The risk scenarios differ significantly. IS risk assessment includes scenarios like "malicious insider steals customer data" or "ransomware encrypts the database". BCM risk assessment includes scenarios like "Jakarta office becomes unavailable due to flooding; critical activities must shift to alternate site" or "Internet connectivity is unavailable for 24 hours; critical systems must be accessible through degraded connectivity or manual procedures". The IS scenario is attack-focused; the BCM scenario is operational-impact-focused.

| Dimension | ISO 27001 Risk Assessment | ISO 22301 Risk Assessment |
|---|---|---|
| Primary subject | Information assets (data, systems, processes) | Critical business activities and their resource dependencies |
| Threat focus | Confidentiality, integrity, availability of information | Disruption to operational delivery, whatever the cause |
| Risk scenarios | Cyber attacks, data breaches, system compromise, insider threat | Natural disaster, pandemic, cyber incident, supplier failure, premises unavailability, utility failure |
| Risk treatment options | Technical and organisational security controls (Annex A) | Business continuity strategies: alternate sites, cross-training, dual sourcing, ICT redundancy |
| Output | Risk treatment plan; Statement of Applicability | BC strategy decisions; exercise scenarios; BCP scope |
| Methodology | ISO/IEC 27005 or equivalent | ISO 31000 or equivalent, applied to BCM context |
| Integration point | IS continuity (A.5.29/A.5.30) feeds into BCMS | BCM risk assessment informs IS continuity planning |


BCM Risk Assessment Methodology

BCM risk assessment applies a standard risk management methodology (ISO 31000) to the business continuity context. The process has four stages: threat identification, likelihood assessment, consequence assessment, and risk prioritisation. Threat identification produces a list of external and internal threats that could disrupt critical activities: natural disasters (earthquake, flood, typhoon, landslide), utility failures (power, water, telecommunications), human factors (pandemic, labour disruption, key-person loss), supply chain (supplier failure, transportation disruption), cyber/technology (ransomware, DDoS, system failure), regulatory/legal (new regulation, licence revocation, litigation), and competitive/market (new entrant, market collapse, customer loss).

Likelihood assessment is relative, not absolute. The assessment asks: for each threat, what is the probability that it will occur in the next 12 months? Likelihood is typically scored as Low (0–20%), Medium (20–50%), or High (50%+). For example, in Jakarta, flooding is High likelihood; earthquake is Medium likelihood; hurricane is Low likelihood. Likelihood should be assessed based on historical data and expert judgment, not on hope that “it has not happened to us, so it probably will not”.

Consequence assessment is the impact on critical activities if the threat materialises. Consequence is typically scored as Low (impact is contained, recovery is straightforward), Medium (impact is significant, recovery is complex, financial loss is moderate), or High (impact is widespread, recovery is difficult, financial loss is substantial). Consequence assessment should leverage the BIA outputs: if the BIA identified that Activity X has a 4-hour MAO, then a threat that would disable Activity X has at least Medium consequence (financial loss reaches significant threshold by 4 hours).

Risk prioritisation ranks scenarios by risk magnitude. A high-likelihood/high-consequence threat (e.g., flooding in Jakarta) ranks higher than a low-likelihood/high-consequence threat (e.g., earthquake) or a high-likelihood/low-consequence threat (e.g., minor IT service outage). The top 3–5 risk scenarios from this prioritisation become the focus of BC strategy investment and the exercise scenarios for the year.

KEY IDEA

BCM risk assessment drives two things: strategy and exercises. High-likelihood, high-impact threats to critical activities should drive continuity strategy investment — if flooding is a high-likelihood threat to the Jakarta headquarters, the premises strategy must address it. And the top 3–5 risk scenarios from the assessment become the exercise scenarios for the year — which means the exercise tests the capabilities that are most likely to be needed. Risk assessment without these two applications is a compliance document rather than a management tool.


Threat Landscape for Indonesian Organisations

Indonesian organisations face a distinctive threat landscape shaped by geography, climate, regulatory environment, and digital maturity. Natural disasters are a persistent and high-likelihood threat: earthquakes along the Java fault lines and the Sumatra subduction zone pose significant risk to Western Indonesia, particularly Java and Sumatra; annual flooding affects Jakarta, Semarang, and Bandung during the wet season; and tropical storms occur seasonally. These are not speculative risks; they are recurring events that disrupt operations repeatedly in affected locations.

Cyber threats have grown significantly in both frequency and sophistication. Ransomware is the highest-growth threat, with multiple major incidents affecting Indonesian financial institutions and government agencies in 2022–2024. Data breach risk is heightened by Indonesia’s UU PDP (Undang-Undang Perlindungan Data Pribadi), which creates regulatory liability for data loss. DDoS attacks against public-facing systems are frequent, particularly during geopolitical tensions or activism campaigns.

Regulatory disruption is a medium-likelihood threat in Indonesian financial services: new regulations (recently, the OJK regulations on digital banking, BI regulations on digital payment systems) require rapid operational change; OJK and BI examinations can reveal deficiencies that require corrective action; and compliance failures can result in sanctions or licence restrictions. Supply chain risk is elevated by dependence on a small number of critical suppliers for key services (cloud hosting, telecommunications, payment systems) and by limited dual-sourcing options in some categories.

| Threat Category | Indonesian-Specific Scenarios | Likelihood | Key BCP Implication |
|---|---|---|---|
| Natural disaster — seismic | Earthquake (Java fault lines, Sumatra subduction zone); tsunami coastal risk | High in high-risk zones | Premises unavailability strategy; evacuation procedures; alternate site outside fault zone |
| Natural disaster — weather | Annual flooding in Jakarta, Semarang, Bandung; tropical storms | Very high in flood-prone areas | Flood early warning integration; document protection; infrastructure elevation |
| Cyber incident | Ransomware (highest growth threat); data breach; DDoS on public-facing systems | High and increasing | ICT continuity plans; offline backup; manual workaround procedures |
| Power infrastructure | Extended outages outside Java; grid instability; UPS/generator failure | Medium-High outside Java | Generator maintenance; UPS testing; critical system power prioritisation |
| Pandemic / mass illness | 30%+ staff unavailability; office closure; supply chain disruption | Low (post-COVID); Medium for new variants | Remote working capability; succession planning; supplier diversification |
| Critical supplier failure | Cloud provider outage; sole-source software vendor; internet connectivity provider | Medium | Dual-sourcing; contractual BCM requirements; manual fallback |
| Regulatory disruption | New regulation requiring immediate operational change; OJK/BI examination | Low-Medium | Regulatory monitoring process; compliance agility in BCPs |
| Telecommunications | Mobile network failure during major disaster; internet outage | Medium during disasters | Satellite backup; out-of-band communication; radio/physical messenger protocols |


Integrating BCM Risk Assessment with Enterprise Risk Management

BCM risk assessment is typically one component of enterprise risk management; many Indonesian financial services organisations now maintain a single enterprise risk register that includes IS risk, operational risk, BCM risk, compliance risk, and strategic risk. Integration requires clear role definition: the BCM team is responsible for identifying threats to business continuity and assessing their impact on critical activities; the enterprise risk team is responsible for consolidating risk assessment across all categories and determining organisation-wide risk appetite and risk treatment priorities.

The integration point is typically the risk prioritisation stage. After BCM risk assessment produces a prioritised list of threats, that list is submitted to the enterprise risk governance process (often a risk committee or chief risk officer) for review and prioritisation against other enterprise risks. This ensures that BCM risk treatment (strategy and exercise investment) is aligned with organisation-wide risk appetite and that BCM risks are not being over-treated or under-treated relative to other risks.

IMPORTANT

Likelihood assessment in BCM risk is relative, not absolute. An earthquake affecting the Jakarta headquarters is a “low probability” event in any given year — but it is a “high consequence” event that warrants significant BCM investment because the impact would be catastrophic and long-lasting. BCM risk assessment should weight consequence heavily, particularly for high-consequence scenarios where the organisation has no recovery capability. A low-probability catastrophic threat with no mitigation warrants more BCM investment than a high-probability moderate-impact threat that is already partially mitigated.
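As an added example (not code from the article), the Python below applies the scoring method from the methodology section together with the weighting rule in the note above: Low/Medium/High bands for likelihood and consequence, the BIA floor under which an activity with a 4-hour MAO gives at least Medium consequence, a heavier weight on consequence, and a discount for scenarios that are already partially mitigated. The consequence exponent of 2.0, the 0.5 mitigation discount and the sample risk register are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ordinal scores for the article's Low / Medium / High bands.
SCORE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    name: str
    likelihood: str                    # probability of occurring in the next 12 months
    consequence: str                   # impact on the critical activity if it materialises
    mao_hours: Optional[float] = None  # MAO of the affected activity from the BIA, if known
    partially_mitigated: bool = False  # a tested BC strategy already covers part of the risk


def effective_consequence(s: Scenario) -> str:
    """Apply the BIA floor: an activity with a 4-hour MAO gives at least Medium consequence."""
    if s.mao_hours is not None and s.mao_hours <= 4 and SCORE[s.consequence] < SCORE["Medium"]:
        return "Medium"
    return s.consequence


def risk_magnitude(s: Scenario, consequence_weight: float = 2.0,
                   mitigation_discount: float = 0.5) -> float:
    """Likelihood x consequence, with consequence raised to an assumed weight (2.0) so that
    catastrophic scenarios dominate, and an assumed discount (0.5) for partial mitigation."""
    magnitude = SCORE[s.likelihood] * SCORE[effective_consequence(s)] ** consequence_weight
    return magnitude * (mitigation_discount if s.partially_mitigated else 1.0)


def prioritise(scenarios: List[Scenario], top_n: int = 5) -> List[Scenario]:
    """Rank by magnitude (ties broken by name); the top 3-5 drive strategy and exercises."""
    return sorted(scenarios, key=lambda s: (-risk_magnitude(s), s.name))[:top_n]


# Constructed sample register for illustration; not data from the article.
SAMPLE_REGISTER = [
    Scenario("Jakarta HQ flooding", "High", "High", mao_hours=4),
    Scenario("Earthquake affecting Jakarta HQ", "Low", "High"),
    Scenario("Minor IT service outage", "High", "Low", mao_hours=48),
    Scenario("Payment gateway connectivity loss", "High", "Low", mao_hours=4),
    Scenario("Cloud hosting provider outage", "High", "Medium", partially_mitigated=True),
]

if __name__ == "__main__":
    for s in prioritise(SAMPLE_REGISTER):
        print(f"{risk_magnitude(s):5.1f}  {s.name}  (consequence: {effective_consequence(s)})")
```

With these weights the unmitigated low-likelihood earthquake (9.0) ranks above the partially mitigated high-likelihood cloud outage (6.0), which is the ordering the note above argues for.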


Translating Risk Assessment into Exercise Scenarios

The practical output of BCM risk assessment is the exercise scenario. After risk prioritisation has identified the top 3–5 risks, those scenarios should become the scenarios for the organisation’s exercise programme in that year. If flooding is identified as the top BCM risk to the Jakarta headquarters, an exercise scenario should test the premises recovery plan and the alternate site activation. If ransomware is identified as a top-3 risk, an exercise scenario should test the ICT continuity procedures, manual workaround activation, and crisis communication.

Translating risk scenarios into exercise scenarios requires adding detail and operational realism. A generic risk scenario ("Jakarta office unavailable due to flooding") becomes an exercise scenario when specific injects are added: "it is 08:00, staff have just arrived and flooding is occurring in real time; primary office access is blocked; IT systems are offline; what do you do in the first 30 minutes?" The specificity makes the exercise realistic and stressful, which is where the true test of BCM capability occurs.

BITLION INSIGHT

The 2024 PDNS ransomware incident in Indonesia provided a real-world validation of BCM risk assessment priorities. Organisations that had assessed cyber incidents as a top-3 BCM threat and built ICT continuity plans with offline backups and manual fallback procedures recovered within hours or days. Organisations that had not assessed cyber risk in their BCMS context, treating it as an IT security matter rather than a BCM matter, discovered that their BCPs assumed system availability and had no tested manual procedures. The distinction between “we have an IT DR plan” and “we have a BCM plan that addresses ICT unavailability” was tested and found consequential.