We are facing the challenge of integrating business continuity planning and operational risk management. We are struggling to present our management with a meaningful comparative analysis between risk assessment and business impact analysis (scope, objective, input-output). Any ideas?
Requires Free Membership to View
SearchMidmarketSecurity.com members gain immediate and unlimited access to breaking SMB industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchMidmarketSecurity.com today!
Michael S. Mimoso, Editorial Director
I've never been a big fan of trying to wedge certain activities into a somewhat
arbitrary document category, like risk
assessment and business impact analysis. In reality, you are trying to achieve the same thing
with both activities -- it just depends at what stage of the incident you are looking at.
A risk assessment involves trying to understand where potential exposure points are. I recommend looking at the problem from the perspective of a business system, which I describe in my book, The Pragmatic CSO, as a set of networking resources, servers and applications that automate a business process. There are many tools to poke at a business system to see potential areas of exposure, including vulnerability scanners and penetration tests for all system components.
A business impact analysis involves understanding what's going to happen to the business if one of these systems goes down. It can apply to any kind of event or incident. This tends to be more of a qualitative analysis, working with cross-functional teams -- including finance and operations -- to understand what isn't going to happen if a system goes down.
This was first published in February 2009