How is conducting a BIA different from a risk analysis process?
The business impact analysis (BIA) and risk assessment are usually separate processes but they must be executed concurrently or in parallel. The reasoning is that evaluating impact to the business without assessing the risk does not provide the full picture. We can think of impact as a constant; if the outage of a critical system has a high impact (financial or otherwise) on a business, no matter what we do, the impact of the actual outage remains high. We cannot change the impact; we can only try to prevent the outage.
The risk analysis process is the evaluation of threats, vulnerabilities and probability of occurrence. For example, a threat could be a company operating in an area with unreliable power with at least one failure lasting more than three or four hours per year on average (probability of occurrence) and the vulnerability is the absence of a backup power generator or uninterruptible power supply.
The resulting impact is the outage of an IT system identified as critical during the BIA. Risk also has constants in this context; the threat of a lengthy power failure and its annual occurrence will remain. The only variable is the vulnerability, which can be addressed with the installation of a generator. The threat and probability have not changed and the outage of the critical system would have the same impact, but the risk is mitigated by eliminating the vulnerability.
Related Q&A from Pierre Dorion
With some limitations, Federal Continuity Directives 1 and 2 can be used to help conduct a business impact assessment. Continue Reading
Find out what business impact assessment errors you can most easily identify in this Expert Response from Pierre Dorion. Continue Reading
Pierre Dorion highlights some of the business impact analysis tools available to help companies in this Expert Response. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.