Tuesday, September 25, 2012

Integrate the BIA and Risk Assessment Study - MHA Consulting

By Melissa

Business Impact Analyses (BIAs) and Threat and Risk Assessments (TRAs) are two long-standing components of any business continuity standard and methodology. They remain two of the most critical inputs toward any BCM program, as major strategy and funding decisions will be made based on their results and how critical they are to the enterprise.

The two studies have long been separated and not integrated. Yet, more than just an understanding of threats and risks, a risk assessment also includes determining whether mitigation measures can cost-effectively be implemented to lower the probability of the risk's occurrence or lessen its impact. By looking at the BIA results and risk assessment results in a single view, management can gain a firmer understanding of where the most critical business functions reside and can apply a comparative risk rating to a particular site. By integrating the BIA and risk assessment results in this way, management will be able to make more informed business decisions on how to better allocate funds to reduce risks and determine which risks it is willing to assume.

At MHA, we have believed that the two need to be integrated, as the combined studies provide a comprehensive snapshot of business process criticality and site risk all in one. We typically produce a one-page BIA and TRA summary for a site with the following information:

  • List of the most critical business units and processes at the site
  • List of the top five threats (e.g., hurricane, flooding, terrorist attack, etc.) to the site housing the business processes
  • Status of the mitigating controls (e.g., backup power, network redundancy, physical security) at the site
  • Site risk rating, which is dependent on critical business units, threats and state of the mitigating controls

A site with critical business units (e.g., 24 hours or less), a list of threats with high probability and a low state of mitigating controls will have a high site risk rating, indicating management attention is needed to reduce risks and exposures. Now, on the flip side, even if you have a site with highly critical business units and high probability threats but have an above average level of mitigation, your site risk rating will be lower, indicating the site is better prepared to deal with a threat.

So, integrate the two studies for each of your most critical sites and calculate your risk rating scores. Present management with your results, focusing on the sites with the highest risk ratings. Even small improvements in mitigation can make a big difference.


Source: http://mha-it.com/2012/09/integrate-the-bia-and-risk-assessment-study/
