This is the fourth paper in a set of 10 on Department of Defense (DoD) Continuity of Operations (COOP) that target the oft-overlooked smaller program as a use case. Written as part of the Master’s program in Information Assurance (IA) at Norwich University in 2011 and subsequently submitted to the Federal IT Institute, they provide a complete roadmap to create and operate a compliant, cost-effective, and reliable COOP program throughout DoD.
A Risk Assessment allows the Continuity of Operations (COOP) Practitioner to analyze the prioritized Mission Essential Functions (MEFs) identified by the Business Impact Analysis (BIA) and to determine how best to ensure that those MEFs operate continuously despite hazards and threats. The Department of Defense (DOD) and the Army do not make this assessment easy; beyond simply requiring that commanders implement risk assessments as part of any command decision, tools and techniques are noticeable by their absence. This paper analyzes how a small Army Program can perform a Risk Assessment using a good-practice approach.
This paper starts by reviewing DOD and Army policy guidance in conjunction with commercial practices to create an assessment strategy. Next, the paper applies this strategy to a representative use case drawn from an operational system to demonstrate how a risk assessment can help to ensure the overall COOP posture of the program in a cost-efficient manner. The paper closes by summarizing its findings and presenting recommendations for the program manager (PM) to review.