BIA and Risk Assessement
Hi
I am done with BIA with 3 departments and now I am working on the BC strategy and BC Risk Assessement. I need some help in clarifying the doubt with example that how will RA going to help me in my BC strategy and BC plan in a more rounded manner.
I am not able to understand the link between the RA and BC plan and strategy.
I need a simple example to understand the link between the three.
Please can anyone answer my question.
Thanks
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
The information from risk assessment can be used to prioritize which activities to focus first on your BC plan, by indicating which business processes are under greater risk.
For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical, and you should focus your BC plan on it.
Additionally, once you have identified the most critical services based on risk assessment, you can use the information as input for your company's business continuity strategy, so you can devise the strategy considering the most relevant risks and include proper actions to maximize the chances of success.
In the Business continuity strategy, you should define when and how the mitigation/avoidance will be made - the higher the risk, the sooner you should try to mitigate it.
This article will provide you a further explanation about risk assessment and business continuity plan and BC strategy:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
- Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
HI Rhand
Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process. Also as per you answer, should I perform RA only for the process which I have in BIA? If thats the case should I consider RA w.r.t People , process and technologies boundarries? or should I consider operatrional and business risks as well?
Thanks
1 - Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process.
Answer: First is important to note that risks are not identified as part of a BIA process. Risk assessment and BIA are different processes. From risk assessment you can identify risks that can help you prioritize on which business process to perform BIA first. For BIA it is irrelevant which risks might materialize - the only relevant thing is the duration of the outage (irrespective of the incident).
Examples of risks that can be identified and used to prioritize business processes to apply on BIA are fire, earthquake, bomb threat, and interruption of power supply.
To see how such risks can help understand which business processes a BIA should cover first, I suggest you take a look at the demo of this template: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/
For further information, see:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
2 - Also as per you answer, should I perform RA only for the process which I have in BIA? If that’s the case, should I consider RA w.r.t People , process and technologies boundaries? or should I consider operational and business risks as well?
Thanks
Answer: In case your purpose is to ensure business continuity, considering the ISO 22301 standard, which provides requirements for business continuity management, then you should apply RA only for the process which you have in BIA (which are all the processes included in the Business Continuity Management System scope).
Regarding risk categories, ISO 22301 does not prescribe which ones to apply, so you can define the ones that better fit your needs.
To see how documents compliant with ISO 22301 BIA and RA looks like, please take a look at the free demos of these toolkits:
- ISO 22301 Business Impact Analysis Toolkit https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/
- ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
Comment as guest or Sign in
May 29, 2021