Business risk assessment and impact analysis
Business risk assessment and impact analysis are common in business evaluations. A number of organizations, particularly those planning for near-term events with business continuity implications, are creatively implementing processes designed to reach risk assessment and business impact analysis (BIA) conclusions without analytic processes that span many months.
In terms of working through the key elements of a risk assessment, an organization may not have the time to complete an in-depth, exhaustive analysis of all environmental, man-made, business process, supply-chain and information technology continuity risks.
Additionally, the business continuity project charter may not focus on risk mitigation, but rather on true business continuity strategy design and development. With this in mind, a business continuity steering committee and/or project team may define a realistic worst-case scenario to structure the planning process. This scenario should impact the entire organization.
A worst-case scenario assists in the scoping and planning effort, and provides a framework to assist planners in developing response and recovery strategies. Most organizations find that using a worst-case scenario helps them plan for less significant scenarios all that’s needed are defined escalation procedures toward a worst-case scenario.
An example of an abbreviated BIA follows a format similar to the risk assessment. A facilitator works with a cross-functional team to define impacts at an organizational level, as opposed to a business function or technology level, which in turn assists with the establishment of business process and technology priority levels, recovery objectives and an order of recovery.
Again, this process is designed to reach preliminary conclusions in hours, as opposed to many weeks, using the input of business process owners throughout the organization.
Business risk assessment approaches are varied