We are facing the challenge of integrating business continuity planning and operational risk management. We are struggling to present our management with a meaningful comparative analysis between risk assessment and business impact analysis (scope, objective, input-output). Any ideas?
I've never been a big fan of trying to wedge certain activities into a somewhat arbitrary document category, like risk assessment and business impact analysis. In reality, you are trying to achieve the same thing with both activities -- it just depends at what stage of the incident you are looking at.
A risk assessment involves trying to understand where potential exposure points are. I recommend looking at the problem from the perspective of a business system, which I describe in my book, The Pragmatic CSO, as a set of networking resources, servers and applications that automate a business process. There are many tools to poke at a business system to see potential areas of exposure, including vulnerability scanners and penetration tests for all system components.
A business impact analysis involves understanding what's going to happen to the business if one of these systems goes down. It can apply to any kind of event or incident. This tends to be more of a qualitative analysis, working with cross-functional teams -- including finance and operations -- to understand what isn't going to happen if a system goes down.