and risk assessment from a business continuity perspective?
ISO 22301, the International Standard for Business Continuity Management, aptly defines business continuity as the “capability of an organisation to continue the delivery of products and services within acceptable timeframes at pre-defined capacity during a disruption”. A critical component in fulfilling this capability and developing a sound business continuity management system (BCMS) is conducting a business impact analysis (BIA) and a risk assessment.
With a BIA, the organisation is seeking to identify the priorities for recovering disrupted activities (business processes) in terms of timescale, level of activity and required resources. The central concept of BIA is that recovery priorities should be based on the impact that would be sustained in the event of a business disruption.
With a risk assessment, the organisation is seeking to identify events that could cause a business disruption and then determine which of these are unacceptable and, therefore, areas where further treatment is required. These treatments include improving business continuity (BC) capabilities as well as other risk reduction measures. For example, an IT risk could be reduced by implementing further redundancies within your own infrastructure or migrating to a Cloud IT infrastructure. The process should consider your organisation’s risk appetite, the basis of risk evaluation and acceptance decisions.
The outputs from the BIA and risk assessment provide the foundation for the development of response strategies and the BC plans designed to deliver the optimal resumption of activities.
of ISO 22301?
In addition to the existence of a BIA and risk assessment process, ISO 22301 specifically requires that:
- The determination of risks requiring treatment is based upon their analysis and evaluation
- The BIA includes a determination of the:
  - ‘Maximum tolerable period of disruption’ (MTPD) for each activity
  - ‘Prioritised timeframe’ for resuming disrupted activities
  - Specified ‘minimum capacity’ of resumed activities
  - Required resources for each activity and their interdependencies.
and risk assessment software play?
BIA and risk assessment software can support the organisation by automating some of the processes involved in:
- Identifying the organisation’s key products and services, critical activities and required resources, and interrelated areas, processes and resources. Specialist software will help replace multiple spreadsheets and supporting documents and can aggregate information from multiple sources.
- Identifying, analysing and evaluating the risks which could either cause a disruption or could affect the recovery of the organisation.
As such, specialist software can help you better understand what is critical to your business and to treat identifiable risks to improve your business continuity response.