In this part of the website we will cover performing a thorough Business Impact Analysis (BIA) and Risk Assessment (RA) which are the building blocks to making you more resilient and providing incredible value to your employees and organization beyond core business continuity.
To build a solid foundation, we must…
- Understand our assets at a detailed level
- Understand the threats that can impact our company, the probability of each threat becoming a reality, and the level of impact if it does. We need to address our vulnerabilities and ultimately our risks
- Understand how we can reduce bad risk
- Understand how we can think laterally to identify and take advantage of ‘good risk’ opportunities. The end result can be an increase in revenue and/or a decrease in expenses.
- Understand how we can use situational awareness tools to our advantage
The BIA and RA will help you identify and evaluate potential impacts (financial, life/safety, regulatory, legal/contractual and reputational) of natural and man-made events on your assets. Understanding impacts and probable risks enables you to develop controls to prevent, mitigate, transfer or accept the risks.
The BIA combined with the RA also affords you a tremendous opportunity to add value to your company beyond traditional business continuity! Working through these two foundation cornerstones will enable you to connect the dots and analyze your organization from end-to-end at a level of detail that has probably never been attempted. You and management will gain clarity in ways to reduce bad risk and possibly increase revenue and reduce expenses.
Some of the insight you will derive from the BIA includes:
- Understanding which are your most time-sensitive processes.
- Understanding how processes map to each other upstream and downstream – from supply chain to customer and every step in between
- Uncovering redundancies
- Identifying single points of failure
- Discovering process improvement opportunities
- Unleashing surprising internal and external revenue generating and cost reduction opportunities!
… all of this actionable information can be a goldmine to your organization.
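To make the insights above concrete, here is a small worked example in Python. It is added here and is not code from Ultimate Business Continuity; the company, processes, assets, RTO values and threat register are all constructed for illustration. It models process-to-process upstream/downstream links and process-to-asset dependencies, ranks processes by time sensitivity (RTO), walks the dependency graph to find the blast radius of an asset failure, flags non-redundant assets as single points of failure, and scores a threat register as likelihood × impact with ties broken by the tightest RTO among the processes hit. The 1-5 scoring scale and the field names are assumptions, not a standard the page prescribes.

```python
from collections import defaultdict, deque

# Constructed sample BIA data for a hypothetical company (not from the page).
# Each process lists its recovery time objective in hours, the assets it
# needs directly, and the upstream processes whose output it consumes.
PROCESSES = {
    "order_intake": {"rto_hours": 4,  "assets": ["erp", "payment_gateway", "network"], "upstream": []},
    "fulfillment":  {"rto_hours": 8,  "assets": ["erp", "warehouse_ms", "network"],    "upstream": ["order_intake"]},
    "invoicing":    {"rto_hours": 24, "assets": ["erp", "network"],                    "upstream": ["fulfillment"]},
    "payroll":      {"rto_hours": 72, "assets": ["hr_system", "network"],              "upstream": []},
}

# Assets and whether a redundant alternative exists (also constructed).
ASSETS = {
    "erp":             {"redundant": False},
    "payment_gateway": {"redundant": True},
    "network":         {"redundant": True},
    "warehouse_ms":    {"redundant": False},
    "hr_system":       {"redundant": False},
}

# Constructed threat register. Likelihood and impact use an assumed 1-5 scale.
THREATS = [
    {"threat": "ransomware on ERP host", "asset": "erp",          "likelihood": 4, "impact": 5},
    {"threat": "ISP outage",             "asset": "network",      "likelihood": 3, "impact": 2},
    {"threat": "payroll SaaS outage",    "asset": "hr_system",    "likelihood": 2, "impact": 3},
    {"threat": "warehouse power loss",   "asset": "warehouse_ms", "likelihood": 2, "impact": 4},
]


def rank_by_time_sensitivity(processes=PROCESSES):
    """Most time-sensitive processes first (lowest RTO)."""
    return sorted(processes, key=lambda p: processes[p]["rto_hours"])


def downstream_map(processes=PROCESSES):
    """Invert the upstream links so we can walk from a process to everything that consumes it."""
    down = defaultdict(list)
    for proc, info in processes.items():
        for up in info["upstream"]:
            down[up].append(proc)
    return down


def impacted_processes(asset, processes=PROCESSES):
    """All processes that stop if `asset` fails: direct users plus everything downstream of them."""
    down = downstream_map(processes)
    seeds = [p for p, info in processes.items() if asset in info["assets"]]
    seen, queue = set(seeds), deque(seeds)
    while queue:  # breadth-first walk along the downstream edges
        for nxt in down[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def single_points_of_failure(processes=PROCESSES, assets=ASSETS):
    """Non-redundant assets whose loss halts at least one process, with the processes affected."""
    spof = {}
    for name, info in assets.items():
        if info["redundant"]:
            continue
        hit = impacted_processes(name, processes)
        if hit:
            spof[name] = hit
    return spof


def risk_score(likelihood, impact):
    """Simple likelihood × impact score (assumed convention)."""
    return likelihood * impact


def prioritized_threats(threats=THREATS, processes=PROCESSES):
    """Threat register sorted by score, ties broken by the tightest RTO among impacted processes."""
    rows = []
    for t in threats:
        hit = impacted_processes(t["asset"], processes)
        tightest = min(processes[p]["rto_hours"] for p in hit) if hit else None
        rows.append({**t, "score": risk_score(t["likelihood"], t["impact"]),
                     "impacted": hit, "tightest_rto_hours": tightest})
    rows.sort(key=lambda r: (-r["score"],
                             r["tightest_rto_hours"] if r["tightest_rto_hours"] is not None else float("inf")))
    return rows


if __name__ == "__main__":
    print("By time sensitivity:", rank_by_time_sensitivity())
    print("Single points of failure:", single_points_of_failure())
    for row in prioritized_threats():
        print(f'{row["score"]:>3}  {row["threat"]:<24} hits {row["impacted"]} (tightest RTO {row["tightest_rto_hours"]}h)')
```

Note how the walk over downstream links changes the picture: the warehouse management system is used directly by only one process, yet its loss also stops invoicing, because invoicing consumes fulfillment's output. That transitive view is what turns a flat asset list into the end-to-end map the BIA is meant to produce, and it is why two threats with the same score can still be ordered by the RTO of what they hit.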
You can then leverage all of the information you collected in the BIA and the RA to begin understanding threats, vulnerabilities, impacts and risks to your organization. You can intelligently present your findings and suggestions to management, usually through an executive report and meetings. Appropriate actions to deal with each risk can then be decided upon and implemented.
After we discuss BIA tips and techniques I will share my tips and techniques on the RA and risk in general:
- Discover why the sometimes controversial risk assessment is important to your program
- Learn how to approach risk from a business continuity standpoint
- See what a risk assessment is all about.
- Learn how to do a risk assessment
- Discover the importance of understanding situational awareness
- Predicting events
- Mitigation ideas
- Top threats list
- Learn why risk is a moving target and how we can monitor it leveraging technology
Bonus Cyber Security Threat and Remediation post – Learn about Mobile and Desktop Cyber Security and Internet of Things (IoT) risks, insights and tips.
I have major concerns about desktop, mobile, Internet of Things and Cyber Security threats and risks. Cyber risk is the number one concern for many CEOs. There are people that will cause major harm to our networks and systems if we leave the door open. If your company is like most, then it is critical your networks and systems are up-and-running. Even one serious compromise of a network can seriously impact and even put a company out of business. The kicker is that a lot of breaches and errors originate from employees and contractors – intentionally and unintentionally.
Unfortunately, many critical processes rely on complex systems to operate. There is no going back to doing it manually, as you would in the old days. Remember, a single network compromise, whether it is a virus, worm, malware… can quickly become a major business continuity event – sometimes without a good solution. That will directly impact you.
I suggest after reading related posts on Ultimate Business Continuity you begin taking immediate action. Speak with IT, speak with management. At least get your concerns voiced and in writing. You do not want what happened to SONY, The Democratic National Convention, AWS, GitLab and many other companies and public organizations to become a nightmare for you. Take this seriously and prepare before you turn on your computer one morning and there is a ransomware demand – that you very well might be forced to pay. I hope it does not come to that, but we do not operate on hope.
To give you additional leverage when bringing up these important risks to management I included a post entitled ‘Cyber breaches = C’s on the hot seat!’ Sadly, the list of ousted C’s is growing at an alarming rate. Use the list when communicating the seriousness of cyber threats. I am sure it will get management’s attention.
P.S. If you are not interested in the cyber security technical information simply skip those posts at your own risk. I feel strongly that by reading the information and understanding cyber security threats, vulnerabilities and controls in this section it will help you. Even if you just become familiar with terms like botnet, phishing, malware, ransomware and understand the fundamental differences of each, it will make you more comfortable in meetings with IT, Cyber Security and management. You might even offer some insights that will surprise the right people.