Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

4.0  Analyze

In order to make sound decisions regarding potential actions that will ensure business continuity, governance personnel must achieve a clear understanding of the department's exposure to risks and related business interruptions. Clearly defined risk attributes provide this required knowledge and can be acquired through analyzing the risks found in the previous step. A lack of understanding of the potential negative consequences of Year 2000 related risks may prevent departments from pro-actively dealing with potential crises and minimizing the impact on their programs and services.

4.1 Process

The Integrated Business Continuity Approach

Note: Risk analysis is based on the SEI "Analyze" process [CRM Guidebook, Chapter 5, Page 37].

Departments must convert the risk information, gathered in the "identify" step, into decision-making information. In addition to defining the risk attributes such as probability, impact, timeframe, source, response and priority, departments must relate the risk information to assets and functions.

  1. Probability: The likelihood that the risk will materialize;
  2. Impact: The loss or impact on the Year 2000 Project and business continuity if the risk materializes;
  3. Timeframe: The period in which the risk may materialize;
  4. Source: The source of the risk;
  5. Response: The department's response to the risk; and
  6. Priority: The priority or rank of the risks within the department

This analysis will allow departments to clearly understand the potential impact of risk on business continuity and to take the appropriate management actions to address the risks.

This information will be obtained through the use of workshops with technical and functional personnel and various other techniques identified herein. The analysis phase will also complement the risk analysis with a the definition of the business continuity requirements and the assessment of the department's capability in the area of business continuity.

4.2 Data Flow

Figure 5 – Analyze Data Flow

Figure 5 – Analyze Data Flow

The following data inputs are required:


Table 5: Analyze Data Inputs
Data Input Description
Risk Information Sheet(s) Risk Information Sheets as defined in the "Identify" step including the risk statement and context.
Function Prioritization and Asset Mapping Document Contains the prioritized business functions using pre-defined criticality criteria and maps mission-critical business functions to assets.
Business Continuity Artifacts A list of business continuity artifacts such as existing business resumption plans and disaster recovery plans that should be used in support of the analysis function.


The deliverables for this task include:

  1. Risk information sheet(s) with risk attributes (probability, impact, timeframe, source, response, priority and risk management strategy);
  2. Risk assessment report; and
  3. Business continuity statement of requirements and capability assessment. This assessment should be a textual statement of the requirement for business continuity activities, based on the results of the risk analysis. It should also include an assessment of the department's capability to respond to business interruptions.

4.3 Techniques and Tools

Table 6 provides a summary of the techniques and tools used for this activity. Details of the techniques and tools can be found in the appendices or the referenced documents.

Table 6: Analyze Techniques and Tools
Activity Techniques and Tools
  • "Analyze" Detailed Procedures
    (Appendix L)
  • Risk Information Sheet (Appendix I)
  • SEI Continuous Risk Management Taxonomy-based Questionnaire Interviews [Chapter A-33, page 495]
  • Tri-level Attribute Evaluation [CRM Guidebook, Chapter A-38, Page 521];
Risk Assessment
  • Sample Risk Assessment Report – Table of Contents (Appendix M)
Business Continuity Statement of Requirements and Capability Assessment
  • Business Continuity Requirements Definition Detailed Procedures
    (Appendix N)

4.4 Guidelines and Tips

The following are guidelines and tips that can facilitate the performance of this activity:

  1. Combine risk identification and analysis activities in order to optimize participant's time;
  2. Go qualitative first and support big risk items with more quantitative analyses;
  3. Focus on "Top-N" risks;
  4. Conduct the risk analysis in a workshop setting with Year 2000 Project key stakeholders in order to provide a department-wide view, particularly for the "response" attribute;
  5. Acknowledge risks that have materialized and are now problems. This will provide sufficient exposure to ensure that these problems are dealt with.
  6. Collect all types of documents that may contain business resumption elements such as standard operating procedures, operations manuals, maintenance procedures, etc.