
Introduction to Risk Assessment and Business Impact Analysis
A series on Business Continuity Management System (BCM25999)

Global Partner for Business Success

Presented by :
Introduction to Risk Assessment and Business Impact Analysis CD1

Introducing

Please interview your neighbour for 5 minutes.

Find out:
Who he/she is
What department he/she is from
What he/she hopes to get out of the Course
What he/she understands about business continuity
Anything else of interest: sports, hobbies, family, claim to fame, etc.
Be ready to briefly introduce them to the rest of the Course.


Timetable : Day 1
Time          Session
09:00-09:15   Section 0 : Introduction & Timetable
09:15-10:15   Section 1 : Introduction to Business Continuity Management System
10:15-10:30   Tea & Coffee Break
10:30-12:30   Section 2 : Business Impact Analysis
12:30-13:30   Lunch Break
13:30-15:30   Section 3 : Continuity Recovery Requirement Analysis
15:30-15:45   Tea & Coffee Break
15:45-17:00   Section 4 : Risk Assessment


Timetable : Day 2
Time          Session
09:00-10:15   Section 4 : Risk Assessment
10:15-10:30   Tea & Coffee Break
10:30-12:30   Section 4 : Risk Assessment exercise
12:30-13:30   Lunch Break
13:30-15:30   Section 5 : BIA and Risk Assessment Management; Company BIA and RARC exercise
15:30-15:45   Tea & Coffee Break
15:45-16:45   Section 5 : Company BIA and RARC exercise
16:45-17:00   Course Summary & Close for the day


Course objectives

Understand the purpose of business impact analysis and risk assessment
Understand the methodology of Business Impact Analysis and Risk Assessment
Manage and measure risk


1 Introduction to Business Continuity Management System


What is BCM ?

A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (BS 25999-1, Clause 2.4)


What is BCM ?

Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure the business continuity plan(s) stays current and up-to-date.


Standards for Business Continuity Management

BS 25999-1:2006 Part 1: Code of Practice
BS 25999-2:2007 Part 2: Specification
NFPA 1600:2007
MS 1970:2007
SS 540:2008
ANZ 5050
HB 221:2004 Australia
HB 292:2006
HB 293:2006


BCM Lifecycle


PDCA cycle applied to BCMS processes


BCM Documentation Requirement

BCM Policy, including scope and principles
Business Impact Analysis
Risk and Threat Assessment
BCM Strategies, including papers supporting the choice of the strategies adopted
Response plans
Incident Management Plans
Business Continuity Plans
Departmental Business Resumption Plans
Exercise schedule and reports
Awareness and training programme
Service level agreements with customers and suppliers
Contracts for third-party recovery services such as workspace and salvage


Exercise 1.1

Working in a group, discuss the difference:
Emergency Response vs. Disaster Recovery vs. Business Continuity


2 Business Impact Analysis



BS 25999-1 Business Impact Analysis and Risk Assessment


Comparison between Business Impact Analysis and Risk Assessment

Source: The Business Continuity Institute, 2007


Business Impact Analysis (BIA) (Cl. 4.1.1)


Criticality

Level of criticality of processes, products and services, by the time within which they must be resumed:

Time     Impact Classification
8 hr     Vital
24 hr    Critical
3 day    Essential
5 day    Important
10 day   Non Critical
30 day   Deferrable


Impact vs Time

The service level versus time when the incident occurs.

[Chart: service level over time, with the incident marked]


MTPoD vs RTO

Timeline of a disruption, from the slide diagram:
Incident -> Normal reporting process -> Investigation process (damage assessment) -> Decision-making process -> Recovery Process (RTO) -> Catch up -> Normal

Invocation Lead Time: the reporting, investigation and decision-making steps that run before the recovery process starts.
Maximum Tolerable Period of Disruption (MTPoD): the bar spanning the disruption; the invocation lead time plus the recovery process (RTO) must fit within it.
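The following is an added worked example, not part of the course slides: it applies the criticality tiers from the Criticality slide to a set of activities and checks, per the timeline above, that invocation lead time plus RTO fits inside each activity's MTPoD. Activity names and hours are constructed sample data.

```python
# Added example (not from the course slides): apply the course's criticality
# tiers and check each activity's recovery timeline against its MTPoD.
# Activity names and hours below are constructed sample data.
from dataclasses import dataclass

# Criticality tiers from the slide, as (resume-within hours, label).
CRITICALITY_TIERS = [(8, "Vital"), (24, "Critical"), (72, "Essential"),
                     (120, "Important"), (240, "Non Critical"), (720, "Deferrable")]

@dataclass
class Activity:
    name: str
    mtpod_hours: float       # Maximum Tolerable Period of Disruption
    lead_time_hours: float   # invocation lead time: reporting, investigation, decision
    rto_hours: float         # Recovery Time Objective of the recovery process itself

def criticality(mtpod_hours: float) -> str:
    """Smallest tier whose resume-within window still contains the MTPoD."""
    for limit, label in CRITICALITY_TIERS:
        if mtpod_hours <= limit:
            return label
    return "Deferrable"  # beyond 30 days: least urgent tier

def check_timeline(a: Activity) -> dict:
    """Lead time is spent before the recovery process starts, so the whole
    lead_time + RTO must fit inside the MTPoD, not the RTO alone."""
    time_to_recover = a.lead_time_hours + a.rto_hours
    return {"activity": a.name,
            "criticality": criticality(a.mtpod_hours),
            "slack_hours": a.mtpod_hours - time_to_recover,
            "within_mtpod": time_to_recover <= a.mtpod_hours}

# Constructed sample activities (hypothetical names and figures).
SAMPLE_ACTIVITIES = [
    Activity("Payment processing", mtpod_hours=8, lead_time_hours=2, rto_hours=4),
    Activity("Customer support", mtpod_hours=72, lead_time_hours=24, rto_hours=60),
    Activity("Monthly reporting", mtpod_hours=720, lead_time_hours=24, rto_hours=120),
]

def bia_report(activities=SAMPLE_ACTIVITIES) -> list:
    """Rows ordered by slack, least first: negative slack means the RTO
    (plus lead time) overshoots the MTPoD and must be shortened."""
    return sorted((check_timeline(a) for a in activities), key=lambda r: r["slack_hours"])

if __name__ == "__main__":
    for r in bia_report():
        flag = "" if r["within_mtpod"] else "  <-- exceeds MTPoD"
        print(f"{r['activity']:<20} {r['criticality']:<13} slack={r['slack_hours']:>6.1f}h{flag}")
```

A row with negative slack is the case the slide warns about: the RTO alone may look fine, but once the lead time is added the activity overruns its MTPoD.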


Case Study 2.1

Understanding impact over time


Exercise 2.2

Impact over time
Recovery Time Objectives
MTPD


Data collection questionnaires

Basic information
Timeframe for resuming operation
Location
Peak and valley periods
Impact
Organization resistance
Factors to consider
Volume of jobs
Contractual and legal obligations
Key tools
People and skill sets
Equipment, IT, telco
Data
Dependencies, internal and external


Case study 2.3

Sample interview checklist
Sample BIA report


3 Continuity Recovery Requirement Analysis


Continuity Recovery Requirement Analysis

Collect information on the number of resources required to resume and continue the business activities at a level required to satisfy the organization's obligations.

This is the phase within the MTPD during which the service level is not yet at its normal stage but is still acceptable to the organization.


Continuity Recovery Requirement Analysis

To estimate the resources, facilities and services that each activity will require at resumption.

Timeline (same diagram as the MTPoD vs RTO slide): Incident -> Normal reporting process -> Investigation process (damage assessment) -> Decision-making process -> Recovery Process (RTO) -> Catch up -> Normal, with the Invocation Lead Time covering the steps before recovery starts and the Maximum Tolerable Period of Disruption (MTPoD) spanning the disruption.


Purpose of Continuity Requirement

Provide the resource information from which an appropriate recovery strategy can be determined and recommended
Identify resource requirements resulting from activity dependencies that exist both internally and externally


Necessary Resources


Factors affecting the Recovery Requirement

Quantity of resources required over time to maintain the business function at an acceptable level and within the maximum tolerable period of disruption
Extra activities that might occur outside the normal period


Exercise 3.1

Continuity Recovery Requirement Analysis


4 Risk Assessment


Risk assessment (Cl. 4.1.2, 4.1.3)

Risk management process (from the slide diagram), with Communication and Consultation and Monitor and Review running alongside every step:
Establishing the context
Risk assessment:
  Risk identification
  Risk analysis
  Risk evaluation
Risk treatment


Risk assessment

Risk identification
all significant threats potentially affecting the critical
activities are identified
understand the vulnerabilities of critical activities and
supporting resources
the risks are owned


Are critical assets something that is something to you?


Poor Threat Assessment ?


[Diagram: an Asset at the centre, surrounded by threats (T) and vulnerabilities (V), with controls (Ctrl) placed between them and the asset and RR labels on the remaining paths]


Vulnerability Profiling (T and V pairings)

Vulnerability: Lack of communication between HR and IT group in respect of terminated employees, leading to terminated employees still having access to systems
  Threat: Malicious destruction of data & facilities
  Assets: Physical, Software, Information

Vulnerability: Lack of identification and authentication mechanisms
  Threat: Masquerade
  Assets: Data

Vulnerability: Lack of physical security over data communications closets or hubs
  Threat: Eavesdropping
  Assets: Data

Vulnerability: Lack of policy restricting the provision of information by staff over the phone
  Threat: Social Engineering
  Assets: Software, Data

Vulnerability: No business continuity plan
  Threat: Earthquake, fire, flood, storm, vermin, power fluctuations, etc.
  Assets: Information, Software, People

Exercise 4.1

Identify assets and processes
Identify threats and vulnerabilities


Likelihood


Case study 4.2

Evaluation of threat, vulnerability and likelihood


Risk assessment

Risk analysis
carried out with varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available
qualitative or quantitative, or a combination of these
an iterative process, repeated as more data become available
reviewed and revised; risks may be split or aggregated


Poor Risk Management ?


Risk assessment

Risk evaluation
risks are categorized and prioritized
compare levels of risk with the risk appetite
Risk Control
manage and reduce the risk by controlling the threat and the vulnerability
substitute a harmless object or process for the hazardous one
eliminate the risk
engineering controls: security system, backup, generator set
procedural controls


Risk treatment
Avoid risk: the risk cannot be influenced and/or managed, or treating it is too costly
Seek risk: the potential consequence is desirable; pursue an opportunity
Modify risk: optimize potential opportunities, minimize threats, change likelihood and consequences
Transfer risk: risk sharing (insurance, partnership); outsource
Retain risk: acceptable residual risk, or the risk exceeds the threshold but treatment is too costly
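An added worked example, not part of the course slides, tying the risk evaluation and treatment slides together: each threat/vulnerability pairing from the Vulnerability Profiling slide is scored on a 5x5 likelihood-by-impact matrix, compared with a risk appetite, and mapped onto a treatment option. The scores, costs and the "transferable" flag are constructed, and the 5x5 scales are a common convention rather than something the slides specify.

```python
# Added example (not from the course slides): score each T/V pairing,
# compare with the risk appetite and choose a treatment option.
# Likelihood/impact scales, costs and transferability are constructed.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

@dataclass
class Risk:
    threat: str
    vulnerability: str
    assets: tuple
    likelihood: str
    impact: str
    control_cost: int            # constructed: relative cost of treating the risk
    transferable: bool = False   # can an insurer, partner or outsourcer carry it?

    def level(self) -> int:
        """Qualitative risk level: likelihood x impact on the 5x5 matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def evaluate(risk: Risk, appetite: int, cost_ceiling: int) -> str:
    """Compare the level with the risk appetite and pick a treatment option.
    'Seek risk' applies to opportunities, not threats, so it is not modelled."""
    if risk.level() <= appetite:
        return "retain: acceptable residual risk"
    if risk.transferable:
        return "transfer: risk sharing (insurance, partnership) or outsource"
    if risk.control_cost > cost_ceiling:
        return "avoid: too costly to modify"
    return "modify: change likelihood and consequences via controls"

# Constructed register using pairings from the Vulnerability Profiling slide.
REGISTER = [
    Risk("Masquerade", "Lack of identification and authentication mechanisms",
         ("Data",), "likely", "major", control_cost=3),
    Risk("Eavesdropping", "Lack of physical security over data comms closets",
         ("Data",), "possible", "moderate", control_cost=2),
    Risk("Earthquake, fire, flood", "No business continuity plan",
         ("Information", "Software", "People"), "unlikely", "catastrophic",
         control_cost=9, transferable=True),
    Risk("Social Engineering", "No policy restricting information given over the phone",
         ("Software", "Data"), "possible", "minor", control_cost=1),
]

def prioritised(register=REGISTER, appetite=6, cost_ceiling=8) -> list:
    """Categorise and prioritise: highest level first, each with its treatment."""
    rows = [(r.level(), r.threat, evaluate(r, appetite, cost_ceiling)) for r in register]
    return sorted(rows, reverse=True)
```

Raising the appetite or the cost ceiling changes which rows fall into retain or avoid, which is the comparison the Risk evaluation slide calls for.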


Exercise 4.3

Risk Analysis and Risk Control


Exercise 4.4

Risk Analysis and Risk Control 2


5 Manage the BIA and Risk Assessment


Manage BIA and Risk Assessment


Exercise 5.1

Business Risk Analysis and Business Impact Analysis


Q&A
