Question

In the context of risk assessment (RA), assess the value of a business impact analysis (BIA). Compare and contrast the RA process to the BIA process.

Solutions

Expert Solution

Business Impact Analysis (BIA) and Risk Assessment (RA)

Business Impact Analysis and Risk Assessment: Defined
To understand the relationship between the BIA and risk assessment, we must first have a common understanding and definition of the two processes.

Business Impact Analysis
Avalution defines the BIA as an identification and analysis of business processes/activities (including required resources), with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization.

Risk Assessment
Avalution defines the risk assessment as an identification and analysis of business risks that may affect an organization’s ability to deliver its most important products and services, with the objective of understanding the effectiveness of existing controls, as well as additional controls to decrease the likelihood or severity of a disruption.

What’s the difference between BIA and Risk Assessment?

A core difference between the two business continuity tools is that BIA does not directly focus on the likelihood of events, rather, it assumes worst-case scenarios.

The differences that stem from this are summarised in the table below.

| BIA | Risk Assessment |
| --- | --- |
| An outward-looking analysis of the impacts that may arise when stakeholders are deprived of products and services, as well as an inward analysis of necessary recovery timeframes, tolerances and levels. | An outward-looking assessment, focused on all potential risks and their likelihood, as well as inward-looking, focused on failure modes, the potential impact of events and the existing controls and strategies to mitigate the impact of risks. |
| A reflection of your organisation's whole-environment situation and what it stands to lose in major disruptions. | Generally gives rise to an ongoing treatment programme, systematically managing the risks you face. |
| Draws upon information from high-level sources, such as company accounts, market data, plus legal, human, environmental and other impact types, expressed as sources of loss. Analyses dependency to allow impact assessment at granular and deeper levels. | Draws upon the same high-level information and techniques as BIA to determine the impact of events, but also looks much deeper, potentially at all areas of threat, causality, failure, error, omission and so on. |

Whereas BIA can be conducted without risk assessment, risk assessment can’t reasonably occur without some form of BIA: risk assessment should use BIA to quantify and prioritise the risks it finds.

As already concluded, BIA is usually used only in business continuity / ISO 22301 implementation; it could be done for information security, but it wouldn’t make much sense. Risk assessment is mandatory for both.

Secondly, the outputs from RA are a bit different from those of BIA – RA gives you a list of risks together with their values, whereas BIA gives you timing within which you need to recover (RTO) and how much information you can afford to lose (RPO).

So, although these two are related because they have to focus on the organization’s assets and processes, they are used in different contexts.

Which comes first – risk assessment or business impact analysis?

Actually, ISO 22301 allows both approaches, and you might hear many theories on which is better. However, I prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents); further, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis.
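The answer states that RA produces a list of risks with values, that BIA produces recovery objectives (RTO/RPO), and that RA should use BIA output to quantify and prioritise the risks it finds. The following script is an added illustration of that linkage, not part of the original answer: the impact tiers, process names, RTO/RPO figures and likelihoods are all constructed sample values.

```python
"""Using BIA recovery objectives to weight Risk Assessment scores (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class BiaEntry:
    """BIA output for one business process: recovery objectives in hours."""
    process: str
    rto_hours: float   # Recovery Time Objective: tolerable downtime
    rpo_hours: float   # Recovery Point Objective: tolerable data loss


@dataclass
class Risk:
    """RA input: a risk scenario, its likelihood (0..1) and the processes it disrupts."""
    name: str
    likelihood: float
    affected: list[str]


def impact_from_rto(rto_hours: float) -> int:
    """Map a BIA RTO to an impact rating 1..5 (constructed tiers; shorter RTO = higher impact)."""
    tiers = [(4, 5), (24, 4), (72, 3), (168, 2)]
    for limit, rating in tiers:
        if rto_hours <= limit:
            return rating
    return 1


def score_risks(bia: list[BiaEntry], risks: list[Risk]) -> list[tuple[str, float, int]]:
    """Rank risks by likelihood x the worst BIA impact among the processes each one hits."""
    rto = {b.process: b.rto_hours for b in bia}
    scored = []
    for r in risks:
        impact = max(impact_from_rto(rto[p]) for p in r.affected if p in rto)
        scored.append((r.name, round(r.likelihood * impact, 2), impact))
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed sample data: a BIA register and a list of risk scenarios from the RA.
BIA = [BiaEntry("order processing", 4, 1),
       BiaEntry("payroll", 72, 24),
       BiaEntry("marketing site", 168, 168)]
RISKS = [Risk("ransomware on ERP", 0.3, ["order processing", "payroll"]),
         Risk("CMS defacement", 0.6, ["marketing site"]),
         Risk("payroll SaaS outage", 0.5, ["payroll"])]

if __name__ == "__main__":
    for name, score, impact in score_risks(BIA, RISKS):
        print(f"{name:22} impact={impact} score={score}")
```

Without the BIA weighting, the most likely scenario (CMS defacement) would top the list; with it, the lower-likelihood scenario hitting the 4-hour-RTO process outranks it, which is the prioritisation the answer describes.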

