
3. Risk Assessment

3.1 Risk Scenarios

Identify potential risk scenarios; avoid focusing on highly specific or unlikely events (such as detailed natural disaster scenarios). Instead, the emphasis should be on understanding the operational impact that various disruptions could have on the firm's ability to function.

Examples follow (replace/edit as required).

Scenario

  1. Office fire or flood
  2. Office inaccessible but undamaged
  3. IT infrastructure failure
  4. Cloud service failure
  5. Cyber attack

3.2 Confidential Information Impact

For each scenario listed in section 3.1, identify what confidential information (i.e. personally identifiable information (PII) and client confidentiality) may be compromised. For each distinct type of information, specify what action is required and which of the firm’s policies and procedures govern those actions.

Examples follow (replace/edit as required).

Information | Action Required | Reference Documentation (Location)
1. Client confidentiality | Notify the impacted client(s); notify the law society | Breach Notification Procedures (DMS – document #12345)
2. Personally identifiable information | Notify anyone who may have been impacted; notify the law society | Breach Notification Procedures (DMS – document #12345)

3.3 Business Impact

For each scenario listed in section 3.1, assess the probability and impact, then prioritize accordingly.

Examples follow (replace/edit as required).

Scenario | Probability | Impact | Priority
1. Office fire or flood | L | M | 4
2. Office inaccessible but undamaged | M | M | 3
3. IT infrastructure failure | M | M | 3
4. Cloud service failure | L | H | 3
5. Cyber attack | H | H | 1

(L = low, M = medium, H = high; priority 1 is the highest.)

3.4 Service Impact

For each scenario listed in section 3.1, list what critical services you expect to be temporarily unavailable or permanently lost.

Examples follow (replace/edit as required).

Scenario | Service Impact
  1. Office fire or flood
  • Physical files permanently lost
  • Office equipment permanently lost
  • Conference rooms permanently lost
  • End user computers permanently lost
  • IT infrastructure permanently lost
  • Workspaces permanently lost
  2. Office inaccessible but undamaged
  • Physical files temporarily unavailable
  • Office equipment temporarily unavailable
  • Conference rooms temporarily unavailable
  • End user computers temporarily unavailable
  • Office data temporarily unavailable (be specific here – e.g. work product, email, reference material, etc.)
  • Workspaces temporarily unavailable
  3. IT infrastructure failure
  • Temporary loss of office-dependent services (be specific here, e.g. internet, local networking, wireless, printing, fax, email, etc.)
  • Office data temporarily unavailable or permanently lost (be specific here, as above)
  4. Cloud service failure
  • Temporary loss of cloud-dependent services (be specific here, as above)
  • Cloud data temporarily unavailable or permanently lost (be specific here, as above)
  5. Cyber attack
  • Data compromised or lost
  • Legal and/or regulatory breach
  • Loss of client confidence
  • Reputational damage

3.5 Recovery Objectives

For each service identified in section 3.4, assign a recovery time objective (RTO) and a recovery point objective (RPO), if applicable. These concepts apply to the recovery of digital services, which can be restored to the state they were in at some point before the incident, rather than to restoration from physical disaster scenarios. As such, this table will not include all service items.

Examples follow (replace/edit as required).

Service | RTO [1] | RPO [2]
Work product stored at the office | 24h | 12h
Internet failure at the office | 24h | 24h
Local networking failure at the office | 24h | 24h
Wireless at the office | 24h | 24h
Printing at the office (i.e. no printers working) | 24h | 24h
Telephone at the office | 24h | 24h
Fax at the office | 24h | 24h
Work product stored in the cloud | 24h | 12h
Email – future delivery | 4h | n/a
Email – historical content | 24h | 1h

End Notes

[1] RTO: we need this service available within <time>

[2] RPO: we need things back the way they were <time> before the incident
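An RPO is only met if backups actually run often enough, and an RTO is only met if a restore has been timed. The following script is an added example, not part of the template, that checks a service's observed backup timestamps and a timed restore test against the objectives assigned in section 3.5; the service labels, timestamps and restore durations are constructed for illustration.

```python
from datetime import datetime, timedelta

# Recovery objectives copied from the section 3.5 table (hours). The service
# labels are abbreviations chosen for this example.
RECOVERY_OBJECTIVES = {
    "cloud_work_product": {"rto_h": 24, "rpo_h": 12},
    "email_historical": {"rto_h": 24, "rpo_h": 1},
}

def worst_case_data_loss(backup_times, now):
    """Largest interval between successive restore points, including the
    interval from the newest backup to 'now'. An incident striking just before
    a backup completes loses everything since the previous restore point, so
    this maximum gap is the worst-case data loss that the RPO must bound."""
    times = sorted(backup_times)
    if not times:
        return None  # no restore point at all: the RPO cannot be met
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps)

def meets_rpo(service, backup_times, now):
    """True when the observed backup cadence keeps worst-case loss within RPO."""
    rpo = timedelta(hours=RECOVERY_OBJECTIVES[service]["rpo_h"])
    worst = worst_case_data_loss(backup_times, now)
    return worst is not None and worst <= rpo

def meets_rto(service, measured_restore_time):
    """True when a timed restore test completed within the service's RTO."""
    rto = timedelta(hours=RECOVERY_OBJECTIVES[service]["rto_h"])
    return measured_restore_time <= rto

def sample_report():
    """Constructed data: cloud work product was backed up at 00:00 and 06:00,
    but the 12:00 and 18:00 runs failed, so at 20:00 the newest restore point
    is 14 h old and breaches the 12 h RPO. Hourly email backups meet the 1 h
    RPO. The restore-test durations are likewise constructed."""
    now = datetime(2024, 3, 1, 20, 0)
    work_product = [datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 1, 6, 0)]
    email = [datetime(2024, 3, 1, h, 0) for h in range(0, 21)]
    return {
        "cloud_work_product": {
            "rpo_ok": meets_rpo("cloud_work_product", work_product, now),
            "rto_ok": meets_rto("cloud_work_product", timedelta(hours=30)),
        },
        "email_historical": {
            "rpo_ok": meets_rpo("email_historical", email, now),
            "rto_ok": meets_rto("email_historical", timedelta(hours=5)),
        },
    }

if __name__ == "__main__":
    for service, result in sample_report().items():
        print(service, result)
```

Running the script against real backup job logs and the duration of the last restore drill turns the 3.5 table from a statement of intent into a verifiable control.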