Expert Advice Community

Guest

BIA and Risk Assessement

  Quote
Guest
Bills Created:   May 25, 2021 Last commented:   May 29, 2021

BIA and Risk Assessement

Hi 

I am done with BIA with 3 departments and now I am working on the BC strategy and BC Risk Assessement. I need some help in clarifying the doubt with example that how will RA going to help me in my BC strategy and BC plan in a more rounded manner. 
I am not able to understand the link between the RA and BC plan and strategy. 
I need a simple example to understand the link between the three. 
Please can anyone answer my question.

Thanks

 

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 27, 2021

The information from risk assessment can be used to prioritize which activities to focus first on your BC plan, by indicating which business processes are under greater risk.

For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical, and you should focus your BC plan on it.

Additionally, once you have identified the most critical services based on risk assessment, you can use the information as input for your company's business continuity strategy, so you can devise the strategy considering the most relevant risks and include proper actions to maximize the chances of success.

In the Business continuity strategy, you should define when and how the mitigation/avoidance will be made - the higher the risk, the sooner you should try to mitigate it.

This article will provide you a further explanation about risk assessment and business continuity plan and BC strategy:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/risk-assessment-vs-business-impact-analysis//
- How to write business continuity plans? https://advisera.com/27001academy/01academy/emy/ademy/my/blog/10/04/08/how-to-write-business-continuity-plans/
- Can business continuity strategy save your money? https://advisera.com/27001academy/01academy/emy/ademy/my/blog/10/03/15/can-business-continuity-strategy-save-your-money/

Quote
0 0
Guest
Bills May 27, 2021

HI Rhand

Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process. Also as per you answer, should I perform RA only for the process which I have in BIA? If thats the case should I consider RA w.r.t People , process and technologies boundarries? or should I consider operatrional and business risks as well?

Thanks

 

Quote
0 0
Expert
Rhand Leal May 29, 2021

1 - Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process.

Answer: First is important to note that risks are not identified as part of a BIA process. Risk assessment and BIA are different processes. From risk assessment you can identify risks that can help you prioritize on which business process to perform BIA first. For BIA it is irrelevant which risks might materialize - the only relevant thing is the duration of the outage (irrespective of the incident).

Examples of risks that can be identified and used to prioritize business processes to apply on BIA are fire, earthquake, bomb threat, and interruption of power supply.

To see how such risks can help understand which business processes a BIA should cover first, I suggest you take a look at the demo of this template: https://advisera.com/27001academy/01academy/emy/ademy/my/documentation/examples-of-disruptive-incident-scenarios/

For further information, see:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/risk-assessment-vs-business-impact-analysis//
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2 - Also as per you answer, should I perform RA only for the process which I have in BIA? If that’s the case, should I consider RA w.r.t People , process and technologies boundaries? or should I consider operational and business risks as well?

Thanks

Answer: In case your purpose is to ensure business continuity, considering the ISO 22301 standard, which provides requirements for business continuity management, then you should apply RA only for the process which you have in BIA (which are all the processes included in the Business Continuity Management System scope).

Regarding risk categories, ISO 22301 does not prescribe which ones to apply, so you can define the ones that better fit your needs.

To see how documents compliant with ISO 22301 BIA and RA looks like, please take a look at the free demos of these toolkits:
- ISO 22301 Business Impact Analysis Toolkit https://advisera.com/27001academy/01academy/emy/ademy/my/iso22301-business-impact-analysis-documentation-toolkit/
- ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/01academy/emy/ademy/my/iso-27001-22301-risk-assessment-toolkit/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 25, 2021

May 29, 2021

Suggested Topics

Kamil Created:   Jul 22, 2021 ISO 27001 & 22301
Replies: 2
0 0

Risk owner problem

Guest user Created:   Jul 20, 2021 ISO 27001 & 22301
Replies: 1
0 0

Question about BIA form