Is there a way to integrate business continuity planning and operational risk management?

Is there a way to integrate business continuity planning and operational risk management?

We are facing the challenge of integrating business continuity planning and operational risk management. We are struggling to present our management with a meaningful comparative analysis between risk assessment and business impact analysis (scope, objective, input-output). Any ideas?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I've never been a big fan of trying to wedge certain activities into a somewhat arbitrary document category, like risk assessment and business impact analysis. In reality, you are trying to achieve the same thing with both activities -- it just depends at what stage of the incident you are looking at.

A risk assessment involves trying to understand where potential exposure points are. I recommend looking at the problem from the perspective of a business system, which I describe in my book, The Pragmatic CSO, as a set of networking resources, servers and applications that automate a business process. There are many tools to poke at a business system to see potential areas of exposure, including vulnerability scanners and penetration tests for all system components.

A business impact analysis involves understanding what's going to happen to the business if one of these systems goes down. It can apply to any kind of event or incident. This tends to be more of a qualitative analysis, working with cross-functional teams -- including finance and operations -- to understand what isn't going to happen if a system goes down.

For more information:

  • Contributing writer Ed Moyle offers advice on how to put together a business impact analysis.
  • In this tip, which is part of SearchSecurity.com's Compliance School, expert Richard E. Mackey explains how to approach these control and governance frameworks and why they're helpful in determining how to mitigate risks.

    • This was first published in June 2007