Risky Thinking – On Risk Management, Disaster Recovery, and Business Continuity

Business Impact Analysis (BIA) and Risk Assessment (RA)

A cost-effective business continuity plan must be based on a sound analysis of the business processes, and the risks that those processes face. If you fail to identify a risk or process, you can neither manage the risk nor plan for its consequences.

Together, the Business Impact Analysis and Risk Assessment form the foundation on which successful and cost-effective business continuity plans are laid. What is the most cost-effective recovery strategy? How much is it worth spending to prevent this risk? If a disaster happens, where should I deploy my limited resources? It is the answers to such questions that a Business Impact Analysis and Risk Assessment provide.

We can help you undertake a Business Impact Analysis and Risk Assessment. In a typical assignment we will help you with the following tasks.

Business Impact Analysis

A BIA determines which processes must be recovered quickly following a disruption. It identifies the costs and consequences of a disruption, the dependencies between processes, and the minimum service level that is required during the recovery period for each process. Using this information, the order in which processes should be restored and the resources required during restoration can be determined.

In a typical assignment, the stages are:

  • Agree Terms of Reference and Scope of Work.
  • Identify key staff to be interviewed or surveyed to determine key business processes.
  • Survey or interview staff to determine information about the business processes.
  • Determine the impacts from the disruption of the process which may damage the organization's reputation, its assets, or its financial position.
  • Determine the Recovery Time Objective (RTO) for each process — the time by which the process must be recovered to its minimum service level.
  • Determine the Recovery Point Objective (RPO) — the point to which information must be restored for business objectives to be met — for each process.
  • Determine the Minimum Service Level (MSL) to which a process must be recovered for service expectations to be met, and the resources required to achieve this level of performance.
  • Identify the dependencies between business processes.
  • Summarize the findings in a Business Impact Analysis report.
  • Present results to senior management to ensure consistency with business objectives.

Risk Assessment

A Risk Assessment identifies the threats that could disrupt the organization's performance, and determines the probabilities and probable consequences of each threat. A Risk Assessment helps determine whether you should ignore a threat, how much you should spend in taking action to reduce a threat, or whether you should plan for the recovery of operations if the threat occurs.

In a typical assignment, the stages are:

  • Agree Terms of Reference and Scope of Work.
  • Identify, working with your staff, the internal and external threats which could disrupt the critical processes identified in the Business Impact Analysis phase.
  • Estimate the probability of such threats.
  • Prioritize the threats according to an agreed formula.
  • Summarize findings in a Risk Assessment report.
  • Present results to senior management.

At all stages we work closely with you and your staff to ensure that the process, analysis, and results are fully understood and meet your objectives.

If you would like us to work with you to ensure that your business continuity plans are based on a firm, cost-effective foundation, please contact us to arrange an initial tele-conference or meeting.

© Albion Research Ltd. 2008