Business impact and risk management model

Figure 1 (image): business impact analysis example, showing impact scores against the cost of the impact:

0: none
1: under £1,000
2: £1,000 to £10,000
3: £10,000 to £500,000
4: £500,000 to £1 million
5: £1 million to £10 million
6: over £10 million

Figure 1: Business Impact Analysis

Business impact analysis (BIA)

Once you have identified the assets of an organisation, the next activity is to undertake a business impact analysis (BIA). The purpose of the BIA is to correlate specific IT components with the critical processes that they support and based on that information, to characterise the consequences of a disruption to the components. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the IT Disaster Recovery Plan, Business Recovery Plans and the Incident Management Plan [NIST 800-34].

This analysis is used to estimate the impact on the organisation of a loss of confidentiality, integrity or availability, should a risk you have identified materialise. Risks are associated with assets, and are a function of threat, vulnerability and impact.

In Figure 1, you can see a table showing measurement of business impact, ascending from '0' to '6' as the cost of the impact increases from '£0' to 'greater than £10 million'.

Figure 2 (image): risk management approach with reference to ISO 27005. The process begins with Context (information about the organisation; criteria; scope and boundaries; organisation and responsibilities), then moves to Risk Assessment (risk identification, risk analysis, risk evaluation). If the assessment is satisfactory it proceeds to Risk Treatment (modification, retention, avoidance, sharing); if not, it returns to Context. If the risk treatment is satisfactory, the process moves on to Acceptance; if not, it returns to Context. Communication and consultation (with internal and external stakeholders) and monitoring and review occur throughout the cycle, informing and being informed by the process at each stage.

Figure 2: Risk management approach

ISO 27005 Risk management standard

This published standard describes an approach to risk management made up of four stages, as shown in the Figure 2 diagram.

It starts with Context, where information about the organisation is gathered. This is followed by the Risk Assessment phase, which includes risk identification, risk analysis and risk evaluation.

Once the risks have been analysed and understood, the Risk Treatment phase can begin; if the treatment is satisfactory, the process moves on to Acceptance.

You can also see that continuous monitoring and communication with stakeholders is built into the process.

As one of the key international standards, ISO 27005 is applicable to all organisations. More information can be found on the ISO website.

Risk appetite

Risk management doesn’t occur in a vacuum; it’s there to help the business achieve its objectives. So, the risk manager must understand the business and its priorities, together with the resources it uses and the constraints it works within.

Different organisations have different criteria for deciding how much risk they’re prepared to accept. This is known as their risk appetite.

It’s not uncommon for different business units or departments within the same organisation to have different risk appetites.

What's next?

In the next video, Mark will be introducing you to threat intelligence and the role it plays in threat management. Threat intelligence is a vital part of keeping your organisation secure.

In this course, you'll be looking at numerous aspects of the risk matrix, including the risks and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and dark web threat intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats.

However, before you go on to threat management, let's first review risk and see how it relates to cyber security.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.