Expert Advice Community


Risk assessment and treatment and business continuity plan

Guest
Guest user Created:   Oct 14, 2019 Last commented:   Oct 17, 2019

1 - What is the best approach to assess risks where the treatment option would be to set up a business continuity plan?

Suppose a company has a risk register with two risks at the same level, for example fire and flood. These risks both score the lowest likelihood and the highest impact. Typically for IT companies, the likelihood matrix used for assessing risks has low scales, i.e. the lowest is 10 years+ rather than 100 years+. This is because technology changes rapidly, so it is not beneficial to use scales with too high a time span. By using these low scales, a lot of the environmental risks assessed will fall under the same likelihood, even though fire will be more likely than a flood. So how can we justify it where we want the treatment option to be to document a business continuity plan, but we see that we only want to create one for fire and not for flood, even though they have the same risk level?

Please note that these are only examples. We just need support on how we should go about justifying assessed risk where we see the treatment option is to create a business continuity plan.

2 - And is there a good way to define what will go from the risk register to business continuity plans based on impact and likelihood scales? Or will this always be an extra round of assessing, from the risk register, what needs to go to continuity plans?


Expert
Rhand Leal Oct 14, 2019

1 - What is the best approach to assess risks where the treatment option would be to set up a business continuity plan?

Suppose a company has a risk register with two risks at the same level, for example fire and flood. These risks both score the lowest likelihood and the highest impact. Typically for IT companies, the likelihood matrix used for assessing risks has low scales, i.e. the lowest is 10 years+ rather than 100 years+. This is because technology changes rapidly, so it is not beneficial to use scales with too high a time span. By using these low scales, a lot of the environmental risks assessed will fall under the same likelihood, even though fire will be more likely than a flood. So how can we justify it where we want the treatment option to be to document a business continuity plan, but we see that we only want to create one for fire and not for flood, even though they have the same risk level?

Please note that these are only examples. We just need support on how we should go about justifying assessed risk where we see the treatment option is to create a business continuity plan.

It seems to me that you want to adjust the risk assessment to justify the application of a control (documenting a BCP), and this is not a proper approach.

Considering ISO 27001, the risk assessment purpose is to define if a risk is acceptable or not. How to handle unacceptable risks (in this case, by documenting a BCP) is part of the risk treatment.

Considering these, where both fire and flood would be assessed as unacceptable risks, it seems that your likelihood scale is not properly defined and you should review it. For example, instead of using 10 years+ for the lowest scale value, you should consider a 1 year+ value, or some other value, so that one risk becomes acceptable and the other doesn't (as you already said, the probability of fire is greater than the probability of flood).

 

2 - And is there a good way to define what will go from the risk register to business continuity plans based on impact and likelihood scales? Or will this always be an extra round of assessing, from the risk register, what needs to go to continuity plans?

From the risk register you should take the highest risks, and make sure you address those risks in your Incident Response Plan, i.e., create a plan for how to react to the most probable incident situations - such a plan must be part of the Business Continuity Plan.

Guest
Guest user Oct 17, 2019

1 - I don't believe our likelihood scale is off - 10 years is the least likely and the most likely is "within 1 month". As a tech company, our lowest likelihood is "unlikely to happen within 10 years".

We operate with a 5x5 matrix, giving us the example of two risks (flood and fire) scoring the same level of 1x5, but where we only see it fit to create a BCP for fire. How do we justify this method-wise?

We are not trying to fit the assessment to justify a BCP, but we are struggling to understand the line between what justifies BC and what isn't relevant when we have 2 risks at the same level.

Expert
Rhand Leal Oct 17, 2019

Considering the scenario where you consider your likelihood scale OK, you have these alternatives to justify not creating a BCP for flood:

  • Top management accepts the risk as it is (this is one acceptable alternative always available to the organization for any risk it identifies), based on the knowledge that the treatment cost is equal to or greater than the impact of the risk occurring
  • Implement some other controls (e.g., backup, protection of facilities, etc.) to minimize the impact, and then accept the residual risk (even if it is higher than your acceptance criteria)
  • Transfer the risk (e.g., by buying insurance), and then accept the residual risk (even if it is higher than your acceptance criteria)

Please note that the easiest way still is adjusting your likelihood scale so flood likelihood is smaller than fire likelihood. For example, you could use a scale like:
5 - likely to happen within 1 month
4 - likely to happen within 1 year
3 - likely to happen within 3 years
2 - likely to happen within 5 years
1 - likely to happen after 5 years

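The mechanics discussed across the two replies, as an added worked example that is not part of the thread and not the expert's or the guest's own material: a likelihood scale expressed as return-period windows (the five-level scale from the final reply, plus a constructed wider alternative), a 5x5 likelihood x impact score against a constructed acceptance threshold, the "take the highest risks from the register" selection for the incident response / BC plan, and the three treatment alternatives from the final reply (accept, reduce impact with other controls, transfer) modelled on the residual score. The register entries, return-period estimates, impact ratings and the threshold value are all constructed for illustration; the point it shows is that whether fire and flood land in the same cell depends entirely on where the scale's bin boundaries sit relative to your own estimates, so a candidate scale should be checked against those estimates before it is adopted.

```python
"""Added example (not from the thread): a 5x5 risk matrix, a likelihood
scale expressed as return-period windows, and the treatment options from
the final reply. All figures below are constructed for illustration."""
from dataclasses import dataclass, replace
import math

# Likelihood scale: for each level, the upper bound in years of the window
# "likely to happen within N years". Level 1 is the open-ended tail.
# These bounds are the scale given in the expert's last reply.
EXPERT_SCALE = {5: 1 / 12, 4: 1, 3: 3, 2: 5, 1: math.inf}
# Constructed alternative with a boundary between the two estimates below,
# to show how the bin edges alone decide whether two risks collide.
WIDE_SCALE = {5: 1 / 12, 4: 1, 3: 5, 2: 25, 1: math.inf}


def likelihood_level(return_period_years, scale):
    """Map an estimated return period (years between occurrences) to the
    highest level whose window still covers it."""
    for level in sorted(scale, reverse=True):  # check level 5 first
        if return_period_years <= scale[level]:
            return level
    return min(scale)


@dataclass(frozen=True)
class Risk:
    name: str
    return_period_years: float  # constructed estimate
    impact: int                 # 1 (negligible) .. 5 (catastrophic)

    def likelihood(self, scale):
        return likelihood_level(self.return_period_years, scale)

    def score(self, scale):
        # Cell of the 5x5 matrix, e.g. the "1x5" case from the thread.
        return self.likelihood(scale) * self.impact


ACCEPTANCE_THRESHOLD = 5  # constructed: scores >= 5 are unacceptable


def unacceptable(register, scale, threshold=ACCEPTANCE_THRESHOLD):
    """Risks needing treatment, highest score first: the ones the expert
    says must be addressed in the incident response / BC plan."""
    return sorted((r for r in register if r.score(scale) >= threshold),
                  key=lambda r: r.score(scale), reverse=True)


# Treatment alternatives from the final reply, applied to the residual score.
def reduce_impact(risk, new_impact):
    """Other controls (backups, facility protection) lower the impact."""
    return replace(risk, impact=new_impact)


def transfer(risk, covered_fraction):
    """Insurance covers part of the loss; the residual impact is what
    remains, rounded up so a partly covered catastrophe never rates 0."""
    residual = math.ceil(risk.impact * (1 - covered_fraction))
    return replace(risk, impact=max(1, residual))


def treatment_decision(risk, scale, threshold=ACCEPTANCE_THRESHOLD):
    """Justification text for the register: a risk at or above the
    threshold needs treatment or an explicit top-management acceptance."""
    score = risk.score(scale)
    if score < threshold:
        return "acceptable as assessed"
    return (f"unacceptable (score {score}): treat, or record explicit "
            f"acceptance by top management")


# Constructed register: fire and flood both rated impact 5 as in the thread.
REGISTER = [
    Risk("fire", 12, 5),
    Risk("flood", 40, 5),
    Risk("primary storage failure", 0.5, 2),
    Risk("credential phishing", 0.05, 3),
]

if __name__ == "__main__":
    for scale_name, scale in (("expert scale", EXPERT_SCALE),
                              ("wide scale", WIDE_SCALE)):
        print(scale_name)
        for r in REGISTER:
            print(f"  {r.name:25} L={r.likelihood(scale)} "
                  f"I={r.impact} score={r.score(scale)}")
        print("  to plan for:", [r.name for r in unacceptable(REGISTER, scale)])
    flood = REGISTER[1]
    print(treatment_decision(flood, EXPERT_SCALE))
    print(treatment_decision(reduce_impact(flood, 3), EXPERT_SCALE))
    print(treatment_decision(transfer(flood, 0.5), EXPERT_SCALE))
```

Under the expert's scale both fire (every 12 years, constructed) and flood (every 40 years, constructed) fall in the open-ended level 1 and score 5, which reproduces the guest's "same level" situation; the wider scale places a boundary at 25 years and moves fire to level 2 while flood stays at 1. The register output also shows the ordering the incident response plan would follow, and the last three lines show flood moving below the threshold once impact is reduced by other controls or partly transferred.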
