Question

In the context of risk assessment (RA), assess the value of a business impact analysis (BIA). Compare and contrast the RA process to the BIA process.

Answer 1

Business Impact Analysis (BIA) and Risk Assessment(RA):-

Business Impact Analysis and Risk Assessment: Defined
To understand the relationship between the BIA and risk assessment, we must first have a common understanding and definition of the two processes.

Business Impact Analysis
Avalution defines the BIA as an identification and analysis of business processes/activities (including required resources), with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization.

Risk Assessment
Avalution defines the risk assessment as an identification and analysis of business risks that may affect an organization’s ability to deliver its most important products and services, with the objective of understanding the effectiveness of existing controls, as well as additional controls to decrease the likelihood or severity of a disruption.

What’s the difference between BIA and Risk Assessment?

A core difference between the two business continuity tools is that BIA does not directly focus on the likelihood of events, rather, it assumes worst-case scenarios.

The differences that stem from this are summarised in the table below.

BIA	Risk Assessment
An outward-looking analysis of the impacts that may arise when stakeholders are deprived of products and services, as well as an inward analysis of necessary recovery timeframes, tolerances and levels.	An outward-looking assessment, focused on all potential risks and their likelihood, as well as inward-looking, focused on failure modes, the potential impact of events and the existing controls and strategies to mitigate the impact of risks.
A reflection of your organisation's whole-environment situation and what it stands to lose in major disruptions.	Generally gives rise to an ongoing treatment programme, systematically managing the risks you face.
Draws upon information from high-level sources, such as company accounts, market data, plus legal, human, environmental and other impact types, expressed as sources of loss. Analyses dependency to allow impact assessment at granular and deeper levels.	Draws upon the same high-level information and techniques as BIA to determine the impact of events, but also looks much deeper, potentially at all areas of threat, causality, failure, error, omission and so on.

*** Whereas BIA can be conducted without risk assessment, risk assessment can’t reasonably occur without some form of BIA: risk assessment should use BIA to quantify and prioritise the risks it finds.

***As already concluded, BIA is usually used only in business continuity / ISO 22301 implementation; it could be done for information security, but it wouldn’t make much sense. Risk assessment is mandatory for both.

Secondly, the outputs from RA are a bit different from those of BIA – RA gives you a list of risks together with their values, whereas BIA gives you timing within which you need to recover (RTO) and how much information you can afford to lose (RPO).

So, although these two are related because they have to focus on the organization’s assets and processes, they are used in different contexts.

***Which comes first – risk assessment or business impact analysis?

Actually, ISO 22301 allows both approaches, and you might hear many theories on which is better. However, I prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents); further, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis.