This blog highlights some frequently asked questions about the RA process. I find it useful to address some readers’ queries before this book begins.
RA is about identifying the most probable threats to an organisation and analysing the related vulnerabilities of the organisation to those threats.
In addition, it involves assessing the adequacy of controls relative to the organisation's potential threats.
BIA involves identifying the critical business functions within the organisation and determining the impact of not performing the business function beyond the maximum acceptable outage.
The types of criteria that can be used to evaluate the impact include:
All potential threats must be identified. Thereafter, an assessment must be made to determine the likelihood of such threats occurring and their impact on the organisation’s assets.
Prioritising risks and evaluating the organisation’s vulnerabilities and controls will improve understanding of how those threats affect the organisation.
In doing so, the Organisation BCM Coordinator establishes the link among threats, vulnerabilities, risks and controls.
In short, the Organisation BCM Coordinator will have identified the organisation's threat and risk profile.
Critical assets will be identified, and their impact assessed and prioritised. RA may be performed to identify threats and the magnitude of the risks against these critical assets.
By doing so, the Organisation BCM Coordinator establishes the link among asset criticality, the impact of their unavailability, the cost of unavailability, and the level of risk.
In short, the Organisation BCM Coordinator understands the organisation’s critical assets and follows up with an RA to identify threats and risks that contribute to the impact identified in the BIA study.
There are various reasons an organisation would want to manage risks during the BCM planning. They are:
The Executive Management is charged with showing that “due diligence” is performed during decision-making processes for any organisation. RA:
With an effective RA process in place, the necessary controls and safeguards will be implemented.
By learning the basic RA concepts, the organisation can then use them to determine:
The result of the RA exercise enables the Executive Management to examine all currently identified threats and concerns, prioritise vulnerability levels, and then select an appropriate level of control or accept the risk.
The goal of RA is not to eliminate all risks but to provide management with a tool to reduce risks to an acceptable level. The greatest benefit of an RA is to determine whether it is prudent to proceed.
Before an organisation starts its RA, it will need to ascertain the following:
RA is an examination of the interrelationships among assets, threats, vulnerabilities, and controls (countermeasures) to determine the current level of risk.
Residual risk is the level of risk that remains after considering all controls in place, vulnerability levels, and related threats.
Ultimately, the residual risk must be accepted as is or reduced to an acceptable level.
When a given threat is poised to exploit a vulnerability, controls must be in place to reduce vulnerability because the asset is what needs to be protected. The impact will then result from threat activity through residual risk.
Risk assessment can be viewed from a simple cause-and-effect perspective. In Figure 2-2, threats are the “Cause”, vulnerability the “probability”, and risk the “Effect” on the organisation’s assets. The terms used are explained below:
There are three types of threats used to demonstrate the three vulnerability levels: high, medium, and low.
This is a common question because one international BC institute lists it as the 2nd Subject Area of the professional practices, while another lists it as the 3rd.
The argument over whether RA or BIA should come first reflects a lack of understanding of the practical aspects of implementing BC plans, since the quest to determine their correct sequencing is purely academic.
One may want to consider performing RA first if no such review has ever been conducted before.
In most situations I have encountered, established organisations have conducted some form of risk analysis through IT security reviews, physical security reviews, or as part of the enterprise risk management exercise.
BIA should be conducted first when there is an urgent need to determine the financial and non-financial impacts on an organisation to justify the implementation of the BC project.
Extracted from "Chapter 2: Frequently Asked Questions for Risk Analysis & Review"
To know more about our blended learning program and when the next course is scheduled, feel free to contact our friendly course consultant colleagues via sales.ap@bcm-institute.org. They are the BL-B-3 Blended Learning BCM-300 ISO22301 BCMS Implementer and the BL-B-5 Blended Learning BCM-5000 ISO22301 BCMS Expert Implementer.
|
Please feel free to send us a note if you have any questions. |
||