Development of Risk Based Business Continuity Plan Using House of Risk Method on Container Terminal

Business Continuity and IT Disaster Recovery Blog

Author: D R Akbari, R O S Gurning

  1. Introduction

Indonesia is considered one of the most disaster-prone countries. It is geographically located at the intersection of three major tectonic plates: the Pacific, Indo-Australian, and Eurasian. The country therefore faces frequent and powerful seismic activity, such as earthquakes and volcanic eruptions, and other types of natural disasters, such as tsunamis, typhoons, and droughts. The Indonesian National Agency for Disaster Management recorded 12,494 natural disasters in the period 2002–2012, with 190,087 casualties. [1] Natural disasters have significant impacts on many aspects of life for people in the affected areas, and recovery from such events can take a considerable amount of time. The 2020 New Year's Eve flood in Jakarta reminded us again of the risks of business termination and of further impacts on the national, regional and global economy through supply chains, as some buildings such as malls were forced to shut down due to the flood. [2] Regardless of how complex its business processes are, every organization should prepare a plan to deal with the disruptions that affect its business. A business continuity plan is therefore suitable for ensuring that the operational activities of an organization continue despite possible disruptions.

One of the most significant contributions by the private sector to disaster impact reduction is the formulation of a Business Continuity Plan/Planning (BCP) or Business Continuity Management System (BCMS) by each enterprise, which can reduce damage and help quick restoration after a business interruption. ISO 22301 is the internationally recognized standard for business continuity planning and is currently used by many business enterprises around the world. ISO 22301:2012 defines BCP as a comprehensive management process that identifies potential disruptions that could halt business objectives and that can be applied adaptively to each organization’s risk appetite and preferences in managing risk. [3] A business continuity plan can be implemented before, during and after a disruption occurs. Although BCP is one of the most critical components of a disaster recovery strategy, unfortunately only a few organizations are aware of its significance and of how to implement it.

This may be because each organization conducts its business continuity plan differently, owing to its unique business processes and differences in treatment [4]. A port is an industry that cannot afford downtime, which makes it important to develop a BCP for a port business; a port's position near the sea makes it even more prone to several natural disasters. The case study concerns a port that claims to be a green port and utilizes shore connection technology. A container port is the subject of the Business Continuity Plan developed here. Previous research on how BCP and the maritime industry relate to one another was done by [4]; that study concludes that systematically implementing business continuity plans in ports is vital for maintaining the continuity of logistics infrastructure services and a variety of business activities in ports. This research aims to identify the possible disruptions for a container terminal, which come in many forms, and to rank them based on two properties: consequence (severity) and frequency.

  2. Method

2.1 Business Continuity Management

Business continuity management (BCM) is defined as a management process that identifies the risks, threats and disruptions that threaten an organization’s continued operations. BCM also serves as an adaptive framework for ensuring organisational resilience and effective implementation. BCM originally came from risk management, but it deals only with risks that could potentially stop the whole business process, which are called disruptions [6]. Because consistently implementing BCM across different businesses is an issue, ISO issued a dedicated publication for business management system, ISO 22301. The publication establishes a “Plan-Do-Check-Act” (PDCA) model for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS.

2.2 Business Continuity Plan

A business continuity plan (BCP) is a plan developed to protect an organization’s assets and to continue key business processes after a disaster with every capability necessary; it should be implemented when an unexpected business interruption caused by natural or man-made events occurs [6]. Upon the declaration of a disaster, the BCP activates preapproved policies and authorities. The BCP also restores the business processes for products or services at the least possible cost to the organization and in the least possible time [6]. The BCP framework is built on a common format, to ensure that all plans are appropriate and to determine the priorities for testing and maintenance.

Each plan must clearly define the conditions under which it will be carried out and the person responsible for carrying it out. The BCP must be renewed when new requirements are identified, for example the establishment of an emergency procedure such as an evacuation plan, or when anything changes. Different approaches may be needed for each service, business function or part of the organization; it is recommended to add a plan for each additional part. [7]

2.3 House of Risk

The House of Risk (HOR) is a risk identification and mitigation model developed from the House of Quality and the Failure Modes and Effects Analysis (FMEA) method. In this study, HOR is used to develop a framework for managing supply chain risk [7]. The HOR approach focuses on preventive actions that reduce the probability of occurrence of risk agents. Risk events are triggered by risk agents, so reducing the occurrence of a risk agent is likely to reduce the occurrence of several risk events.

2.3.1 House of Risk 1.

Phase 1 of this method is the risk identification phase, which is used to determine the risk agents to be prioritized for action. The first stage of this phase is identifying the activities based on the SCOR model. The second stage is identifying the risk events that occur in supply chain activities inside the company. The third stage is assessing the level of impact (severity) of each risk event using an assessment rating.

The fourth stage identifies the agents that are the sources of the risk. The fifth stage identifies the correlations between risk events and the risk agents that cause them, expressed as correlation values. The sixth stage determines the value of the Aggregate Risk Potential (ARP). ARP can be calculated with the following formula:

Oj is defined as the probability of occurrence of risk agent j, Si as the severity of the disruption if risk event i occurs, and Rij as the value of causality between risk agent j and risk event i (interpreted as how likely risk agent j is to cause risk event i). The values are then analyzed using the equation in order to prioritize the risk agents that need to be handled first. The last stage is ranking the risk agents by ARP value. The HOR phase is shown in the following image.

Severity is the rating of the seriousness of a failure's result. The severity of a risk event is rated on a scale of 1-10, where 1 means no impact and 10 means an extremely dangerous impact. After the severity is weighted, the occurrence is weighted. Occurrence is defined as the likelihood of the cause of the failure. The occurrence of a source of risk is rated on a scale of 1-10, where 1 means it almost never happens and 10 means it happens often. Next, the correlation between each risk event and each source of risk (risk agent) is weighted using the correlation scale.

Once the aggregate risk potential of each risk agent has been determined, the preventive actions are determined from the Pareto diagram. The Pareto diagram follows the 80:20 rule, which makes it possible to prioritize the risk agents with a high aggregate risk potential. In this case, the risk agents selected are those within the 80% or above with the highest ARP, since they contribute the most compared with the other risk agents. The risk agents in this 80% or higher group are prioritized, and preventive actions are determined based on this selection.
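
The phase 1 calculation described above, as an added example that is not part of the original article: it computes ARP for each risk agent with the formulation commonly given for House of Risk, ARPj = Oj × Σi (Si × Rij), and then applies the Pareto cut. The event and agent names, all scores and the 0/1/3/9 correlation scale are constructed assumptions, not the study's data.

```python
# Added example: House of Risk phase 1 (ARP per risk agent, then the Pareto cut).
# Every name and score below is constructed for illustration, not the study's data.

def aggregate_risk_potential(severity, occurrence, correlation):
    """Return {agent: ARP_j} with ARP_j = O_j * sum_i(S_i * R_ij).

    severity    {event: S_i}, scale 1-10
    occurrence  {agent: O_j}, scale 1-10
    correlation {(event, agent): R_ij}; a missing pair means no correlation (0)
    """
    for label, scores in (("severity", severity), ("occurrence", occurrence)):
        for key, value in scores.items():
            if not 1 <= value <= 10:
                raise ValueError(f"{label} of {key!r} is outside the 1-10 scale")
    for event, agent in correlation:
        if event not in severity or agent not in occurrence:
            raise KeyError(f"correlation refers to unknown pair {(event, agent)!r}")
    return {
        agent: o_j * sum(s_i * correlation.get((event, agent), 0)
                         for event, s_i in severity.items())
        for agent, o_j in occurrence.items()
    }


def pareto_select(arp, threshold=0.80):
    """Rank agents by ARP (highest first) and keep the smallest leading group
    whose cumulative share of the total ARP reaches `threshold`."""
    ranked = sorted(arp.items(), key=lambda item: item[1], reverse=True)
    total = sum(arp.values())
    selected, cumulative = [], 0
    for agent, value in ranked:
        if total == 0 or cumulative >= threshold * total:
            break
        selected.append(agent)
        cumulative += value
    return ranked, selected


# Constructed questionnaire results (correlation on an assumed 0/1/3/9 scale).
SEVERITY = {"berth_closed": 9, "yard_congestion": 6, "gate_system_down": 7}
OCCURRENCE = {"storm_warning": 4, "power_outage": 3, "it_outage": 5, "labor_strike": 1}
CORRELATION = {
    ("berth_closed", "storm_warning"): 9, ("yard_congestion", "storm_warning"): 3,
    ("berth_closed", "power_outage"): 3, ("gate_system_down", "power_outage"): 9,
    ("gate_system_down", "it_outage"): 9, ("yard_congestion", "it_outage"): 3,
    ("berth_closed", "labor_strike"): 9, ("yard_congestion", "labor_strike"): 9,
}

if __name__ == "__main__":
    arp = aggregate_risk_potential(SEVERITY, OCCURRENCE, CORRELATION)
    ranked, selected = pareto_select(arp, threshold=0.85)
    for agent, value in ranked:
        print(f"{agent:15} ARP={value:5} {'mitigate first' if agent in selected else ''}")
```
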

2.3.2 House of Risk 2.

In HOR 2, a number of risk agents are selected based on the highest ARP values. HOR 2 focuses more exclusively on preventive action. The first stage is identifying effective preventive actions related to the occurrence of the risk agents. The second stage determines the magnitude of the correlation between each action and each risk agent. The third stage calculates the total effectiveness of each action. Stage five determines the level of difficulty of each preventive measure. The sixth stage calculates the ratio of total effectiveness to difficulty level. The last step of this phase is ranking each action.
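
The phase 2 ranking described above, as an added example that is not part of the original article: it uses the formulation commonly given for House of Risk, total effectiveness TEk = Σj (ARPj × Ejk) and ratio ETDk = TEk / Dk. The ARP inputs, action names, correlation values and the 3/4/5 difficulty scale are constructed assumptions.

```python
# Added example: House of Risk phase 2 (ranking preventive actions).
# ARP values, actions, correlations and difficulty scores are all constructed.

def rank_preventive_actions(arp, effectiveness, difficulty):
    """Return [(action, TE_k, ETD_k)] sorted by ETD_k, highest first.

    arp            {agent: ARP_j} for the agents kept after the Pareto cut
    effectiveness  {(agent, action): E_jk}; a missing pair means no effect (0)
    difficulty     {action: D_k}, must be positive
    TE_k  = sum_j(ARP_j * E_jk)   total effectiveness of action k
    ETD_k = TE_k / D_k            effectiveness-to-difficulty ratio
    """
    for agent, action in effectiveness:
        if agent not in arp or action not in difficulty:
            raise KeyError(f"effectiveness refers to unknown pair {(agent, action)!r}")
    rows = []
    for action, d_k in difficulty.items():
        if d_k <= 0:
            raise ValueError(f"difficulty of {action!r} must be positive")
        te_k = sum(arp[agent] * e_jk
                   for (agent, act), e_jk in effectiveness.items() if act == action)
        rows.append((action, te_k, te_k / d_k))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed inputs: three prioritized agents, four candidate actions.
ARP = {"it_outage": 405, "storm_warning": 396, "power_outage": 270}
EFFECTIVENESS = {
    ("it_outage", "offsite_backup_site"): 9, ("power_outage", "offsite_backup_site"): 3,
    ("power_outage", "backup_generator"): 9, ("it_outage", "backup_generator"): 3,
    ("storm_warning", "storm_mooring_drill"): 9,
    ("it_outage", "manual_gate_procedure"): 3, ("power_outage", "manual_gate_procedure"): 1,
}
DIFFICULTY = {  # assumed scale: 3 = low, 4 = medium, 5 = high
    "offsite_backup_site": 5, "backup_generator": 4,
    "storm_mooring_drill": 3, "manual_gate_procedure": 3,
}

if __name__ == "__main__":
    for action, te, etd in rank_preventive_actions(ARP, EFFECTIVENESS, DIFFICULTY):
        print(f"{action:22} TE={te:5} ETD={etd:8.2f}")
```

With these constructed scores the backup generator outranks the off-site backup site even though its total effectiveness is lower, because the ratio rewards the easier action.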

  3. Result and Discussion

The risk potentials were compiled in four ways: author inputs based on previous journals, papers, and theses; direct observation; interviews with experts; and a distributed questionnaire. 33 potential risks were identified, and each is classified as either a risk agent or a risk event. The purpose of this stage is to understand the various types of risk event that may occur as a result of a single risk agent.

3.1 Risk Events

A single risk event can be caused by more than one risk agent; it is therefore very important to analyse and identify how a given risk event may be correlated with given risk agents. The list of identified risk agents and risk events is presented in the table below.

The risk event identification table shows the various types of risk potential that may occur in a given percentage of time. The purpose of determining the risk events is to understand what kind of events may happen due to problems in the stevedoring process. The impact value of each risk event above comes from expert assessment through a questionnaire. Filling in the questionnaire is guided by a standard developed for this case study. The standard table is below.

3.2 Risk Agents

Identifying the risk agents is a way to understand the potential failures that can lead to a risk event. Each risk agent is then assessed according to its occurrence value: the higher the probability that it happens, the higher its occurrence value. The risk agents are the various points of determination that lead to a risk event. The identified risk agents are below.

As with the risk events, the frequency value of the risk event above comes from expert assessment through a questionnaire. Filling in the questionnaire is guided by a standard developed for this case study. The standard assessment table is below.

3.3 Identification of Correlation between Risk Agent and Risk Event

The risk agents and risk events determined from the identification table are then classified based on the calculated correlation between them. Each risk event can be caused by various risk agents; the assessment in the table below therefore determines the correlation value between a given risk event and the various risk agents related to it. The standard assessment for the correlation is below.

3.4 Assessment Result

The next step is the assessment. This was accomplished by distributing a questionnaire to relevant positions such as managers or above; in this research a total of 7 employees of the Container Terminal filled in the questionnaire. The following table shows the calculation of the ARP value based on the assessed severity value, occurrence value, and correlation value between risk agent and risk event. Based on the overall ARP calculation for each risk agent, the next step is sorting the ARP values from the largest to the smallest. The ranking table determines the mitigation priority for each risk agent. The higher the ARP value of a risk agent, the higher its priority for mitigation action. In this research, the risk agents that contribute 85% of the ARP are studied further in order to obtain the preventive action needed.

The aggregate risk potential graph can be seen in the table below; the calculated values are between 120 and 2,130. Only one risk agent has an ARP value above 1,500, namely natural disaster warning from BMKG; four risk agents have an ARP value between 1,000 and 1,500; six risk agents have an ARP value between 500 and 1,000; and the rest (11) have an ARP value below 500. It can also be concluded that six risk agents contribute about 85% of the total ARP value and the other 6 risk agents contribute only 15 percent of the total ARP.

The Pareto diagram shown above illustrates that there are huge variations in the degree of importance of reducing the probability of occurrence of each risk agent. Naturally, a company should prioritize those with high aggregate risk potential, because the highest ARP contributes most to the loss endured by the company.

After the ARP value of each risk agent is obtained, the next step is the risk evaluation, which becomes the main reference for proceeding to preventive action. The risk agent ranked 1st is the one coded (A1), BMKG disaster warning. The risk agent with the lowest ARP value is (A7), theft by employee. Based on this ranking of ARP values, the ARP assessment is mapped using the aforementioned Pareto rule, which makes it easier to discover which risk agents are of the highest concern. The top 6 risk agents that contribute 85% of total ARP are: (1) BMKG disaster warning; (2) External theft; (3) Management policy failure; (4) Sabotage; (5) Employee mass demonstration; (6) Pandemic.

  4. Conclusion

This research tries to answer the question of which events risk disrupting the business process in a container terminal. Based on the research and analysis of possible disruptions using the House of Risk model at Teluk Lamong Container Terminal, of the 12 risk agents determined, 6 are prioritized for prevention/mitigation in order to reduce major impact on the business. The highest ARP contributions are as follows: (1) BMKG disaster warning; (2) External theft; (3) Management policy failure; (4) IT sabotage; (5) Employee mass demonstration; (6) Pandemic. The author noted that the use of BCP is vital for reducing disruption at ports, for which the proposed risk event severity assessment and risk agent frequency assessment are powerful tools for properly undertaking BCP preparation. In this regard, it is concluded that further development of mitigation or preventive actions is needed to improve the performance of the BCP.

We are thankful to the author for allowing us to post this insightful article on our website.