In the context of risk assessment (RA), assess the value of a business impact analysis (BIA). Compare and contrast the RA process to the BIA process.
Business Impact Analysis (BIA) and Risk Assessment (RA):
Business Impact Analysis and Risk Assessment: Defined
To understand the relationship between the BIA and risk assessment, we must first have a common understanding and definition of the two processes.
Business Impact Analysis
Avalution defines the BIA as an identification and analysis of business processes/activities (including required resources), with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization.
Risk Assessment
Avalution defines the risk assessment as an identification and analysis of business risks that may affect an organization’s ability to deliver its most important products and services, with the objective of understanding the effectiveness of existing controls, as well as additional controls to decrease the likelihood or severity of a disruption.
What’s the difference between BIA and Risk Assessment?
A core difference between the two business continuity tools is that BIA does not directly focus on the likelihood of events; rather, it assumes worst-case scenarios.
The differences that stem from this are summarised in the table below.
BIA | Risk Assessment
--- | ---
An outward-looking analysis of the impacts that may arise when stakeholders are deprived of products and services, as well as an inward analysis of necessary recovery timeframes, tolerances and levels. | Draws upon the same high-level information and techniques as BIA to determine the impact of events, but also looks much deeper, potentially at all areas of threat, causality, failure, error, omission and so on.
*** Whereas BIA can be conducted without risk assessment, risk assessment can’t reasonably occur without some form of BIA: risk assessment should use BIA to quantify and prioritise the risks it finds.
***As already concluded, BIA is usually used only in business continuity / ISO 22301 implementation; it could be done for information security, but it wouldn’t make much sense. Risk assessment is mandatory for both.
Secondly, the outputs from RA are a bit different from those of BIA – RA gives you a list of risks together with their values, whereas BIA gives you timing within which you need to recover (RTO) and how much information you can afford to lose (RPO).
So, although these two are related because they have to focus on the organization’s assets and processes, they are used in different contexts.
***Which comes first – risk assessment or business impact analysis?
Actually, ISO 22301 allows both approaches, and you might hear many theories on which is better. However, I prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents); further, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis.