BIA vs. Risk Assessment: Webinar Q&A
Organizational resilience is built by combining two key processes: a business impact analysis (BIA) and a risk assessment. The most effective approach is to perform both together, because each plays a distinct role, and doing them side by side shows how they reinforce one another.
Our recent webinar, "Business Impact Analyses vs. Risk Assessments: Why You Should Do Both," which you can download here, drew a record-breaking crowd of over 200 attendees. The attendee poll showed a shared awareness of the importance of cybersecurity, with 94% expressing concern about cyberattacks and breaches. However, a small group (5-6%) remains unsure about the need for a risk assessment: some are confident in their current practices, while others find the process daunting. On a positive note, a majority (76%) have participated in a Business Impact Analysis (BIA). Even so, 6% are still hesitant because of misconceptions about its complexity, mirroring the concerns raised about risk assessments.
These results point to a need for clearer education and advocacy to demystify both processes so that every organization can manage risk effectively.
We asked Kiana Freeman, CBCP, to answer these questions.
Q: Isn’t a risk assessment only as good as the person’s knowledge of possible risks? For example, performing a cybersecurity risk assessment requires knowing all the possible threats, which may not be known or thought of. It’s the “you only know what you know” problem. (Internet Support Director, Financial Services)
Correct; that is why it’s recommended to have multiple people in your agency complete a risk assessment together as a team effort. Resources such as the USGS, the CDC, academic research, and many more should be used to complete a risk assessment. By having multiple participants and utilizing multiple resources, the risk assessment will incorporate a more robust hazard and threat list. You can also use a consultant or a risk assessment platform that incorporates multiple threats.
Q: Do you have an example of how you've used the results from both an RA & BIA? Heat map? (BC Plan Administrator, Financial Services)
Results from a risk assessment set an organization up for success by understanding what types of training, exercises, and preparedness strategies the agency/organization needs to take. Before COVID, pandemic planning was not always incorporated into a risk assessment. Having that gap created many issues for organizations once COVID rolled around. Once a risk assessment is completed, the organization can look at mitigation strategies, policies, and response operations for tackling that threat. Risk assessments at a basic level increase the situational awareness for employees about what types of threats/hazards they should be aware of. A heat map is a great way to gain buy-in from an organization's stakeholders, boards, and decision-makers. The colored visual puts threats/hazards into perspective for those who do not work in the disaster world every day.
The results from a Business Impact Analysis set an organization/agency up to begin developing operational plans for responding to an incident. It is one of the first steps in building a continuity plan and is critical to helping outline an agency's gaps. This then sets up the agency with the knowledge of what gaps need to be filled so that there is no delay when an incident occurs.
Q: Every line of business will have a subjective view of risk and criticality. How can a business develop a common language within this "risk" space so that when a business line states a critical process, it aligns with other critical processes with a similar quantitative magnitude of impact? (Director of Crisis Management, Professional Services)
While the level of risk and criticality will vary from organization to organization, the language is similar across all industries. It is important to set clear definitions and understandings with your organization on what language you will follow before conducting a risk assessment or business impact analysis. Many consultants will create a glossary or term list for an organization to ensure that all individuals, regardless of location, use the same language. It is also important to clarify terminology with stakeholders and partners to ensure all parties are on the same page. Risk assessments and a BIA should not be completed by one department or person. They should be completed as a team effort to ensure everyone is on the same page with the language, risk level, and criticality of that risk.
Q: Many organizations practice the "head in the sand" tactic to approach risk management. Ignorance of risk can be fatal to businesses. What is the best approach to overcome resistance from those who restrict our ability to conduct one, and how do we show ROI? (Vice President, Unknown Industry)
Developing a risk assessment is not always everyone’s priority. It is important to share with stakeholders the statistics that are out in the field on how many dollars organizations lose if proper risk assessments, plans, and training are not in place. Starting important conversations early and frequently is one of the best strategies to get everyone thinking about risk assessments. Case studies are a great tool to utilize when talking about risk assessments and the importance of implementing this project.
Q: What types of training or certifications do you recommend in training/growing knowledge in the business continuity "world" for new or seasoned employees? (IT Manager, Financial Services)
There are so many resources to utilize in the world of business continuity. Certified Business Continuity Professional (CBCP) is one of the certifications provided by the Disaster Recovery Institute International (DRII) that individuals can work to complete to become certified. Many organizations, like Preparis, have CBCP professionals to help create training and provide expertise on how to increase an organization's resilience.
Q: Is there a list of possible risks that organizations should consider? (BC & Records Management Analyst, Financial Services)
While risk assessments are not one size fits all, many consultants recommend considering four main categories of threats with multiple types of hazards in each category. These categories are:
- Natural Hazards (hurricane, earthquake, winter storm, etc.)
- Human-impacted (bomb threat, active threat, workplace violence, etc.)
- Technological/Cyber (cyber-attack, ransomware, system failure, power, etc.)
- Business Operational (supply chain disruption, employee strike, vendor risk, etc.)
Q: How are you defining a COOP vs BCP? (Medical Service Provider)
Continuity of Operations Planning [or COOP] and Business Continuity Plans [BCP] have small differences in elements depending on the industry type. Government agencies commonly use COOP, as the Department of Homeland Security has set it up through FEMA, whereas private organizations may use BCP. It is important to check with your agency and insurance to see their requirements when setting up your plans. Some financial organizations may require a BCP and disaster recovery plans due to their insurance regulations.
Q: I might have missed it, do you have templates to get us started? (Senior Manager of Business Resiliency, Engineering Software)
Preparis has a handful of resources that can be used to get you started. Our Tabletop Exercise templates can be downloaded here. Don’t wait! Empower your team to navigate the complexities of cyber threats with resilience and precision.