Using Business Impact Analysis to
Inform Risk Management

by James G. Barr

Docid: 00018036

Publication Date: 2209

Publication Type: TUTORIAL

Preview

The traditional approach to business impact analysis (BIA), with its
roots in mainframe disaster recovery, is to assess the status of an asset
– typically a physical asset like a server or storage system –
one-dimensionally: Is the given asset available or unavailable? But, as
revealed in a new report released by the US National Institute of
Standards and Technology (NIST) entitled “Using Business Impact Analysis
to Inform Risk Prioritization and Response,” the BIA should evaluate the
status of an asset in three value dimensions: availability,
confidentiality, and integrity.

Executive Summary

To help safeguard enterprise operations against disasters – either
natural, like hurricane-related flooding or wind damage, or unnatural,
like a ransomware attack – most enterprises develop a business continuity
plan (BCP). The BCP provides for the continuous operation – or rapid
recovery – of critical business functions in the wake of a disaster.


The core BCP planning instrument is the business impact analysis (BIA), a
form of risk analysis in which BCP practitioners answer three principal
questions:

  • What types of disasters are likely to occur, like hurricanes in
    Florida, wildfires in California, or ransomware anywhere?
  • What assets, either physical or digital, might be adversely affected?
  • What critical business functions might be interrupted due to asset
    loss or compromise?

The traditional approach to business impact analysis, with its roots in
mainframe disaster recovery, is to assess the status of an asset,
typically a physical asset like a server or storage system,
one-dimensionally: Is a given asset available or unavailable?

However, as revealed in a new report released by the US National
Institute of Standards and Technology (NIST) entitled “Using Business
Impact Analysis to Inform Risk Prioritization and Response,”1
the BIA should evaluate the status of an asset in three value dimensions:

  • Availability
  • Confidentiality
  • Integrity

With respect to cybersecurity incidents, for example, sensitive digital
assets like employee or customer personally identifiable information (PII)
may be available (at least, apparently), but also:

  • Exfiltrated (or stolen) by a hacker, thereby compromising asset
    confidentiality; or
  • Modified by a hacker, thereby negating asset integrity.

Although digital assets are most at risk from this trifecta of value
exploits (availability, confidentiality, and integrity), cyber-physical
systems – in which mechanical (or physical) assets are managed by digital
assets – are also vulnerable. Somewhat ominously from a BIA perspective,
cyber-physical systems form the foundation of the evolving Industrial
Internet of Things (IIoT), meaning more assets – and, thus, more
asset-dependent critical business functions – are at risk, thereby
complicating the development of effective business continuity plans.

Applying Business Impact Analysis to Enterprise Assets

Asset Types

In applying business impact analysis to enterprise assets, it is, of
course, critical to identify all enterprise assets and asset types. 
While digital assets are, broadly speaking, similar across industries,
physical assets are often unique.  For example, as Asset Infinity
reminds us, construction assets are different from healthcare assets, and
automotive manufacturing assets are different from hotel assets.

Table 1. Types of Assets Managed by Enterprise Asset Management
in Different Industries2

Construction:
  • Excavators
  • Loaders
  • Bulldozers
  • Trenchers
  • Inventory such as hammers, bolster, chisel, driller, etc.
  • Concrete mixer truck
  • Hoist lift
  • Pile drill machine
  • Polisher
  • Water tanker

Healthcare:
  • Inventory such as medicines, gloves, masks
  • Cardio equipment
  • Ultrasound machines
  • ECG machines
  • Surgical pieces of equipment
  • MRI machines
  • X-Ray machines
  • Binocular microscope
  • ICU bed
  • Refrigerator and so on

Auto Manufacturing:
  • High-pressure washer
  • Wheel aligner
  • Car washing lift
  • Elevators
  • Air compressor
  • Battery charger and jumper
  • Air conditioning machine
  • Wrench set
  • Inventory such as a hammer, screwdriver, etc.

Hotel:
  • Refrigerators
  • Ovens
  • Chillers
  • Cooking equipment such as spiral mixer, deep fat fryer,
    meat mincer, etc.
  • Water heater
  • Food preparing equipment such as storage rack, dish landing
    table, pot rack, etc.
  • Water treatment plant
  • Generators

Asset Inventory

Ideally, all enterprise assets are recorded and catalogued in the
enterprise Asset Management System. If not, the enterprise should conduct
an immediate whole-enterprise asset inventory, thus enabling business
impact analysis and other asset governance functions.

BIA Steps

As applied to an individual enterprise asset (or asset class), the
business impact analysis process proceeds in two steps:

  1. Determining asset (or asset class) value
  2. Determining asset (or asset class) risk

Asset Value

To determine the value of an asset (or asset class), NIST recommends
itemizing the benefits provided by the asset (or asset class) “in light of
its contribution to the enterprise.” Benefits may be measured in
terms of:

  • “Mission – Including direct or indirect support to
    corporate or agency products and services.
  • Finance – Benefits that will improve the
    enterprise’s earnings (net revenue or return on investment for a
    government entity) or that will support fiscal capital and free cash
    flow for a business.
  • Reputation – Attributes that enable stakeholders
    (e.g., citizens, shareholders, regulators, partners) to view the
    enterprise in a favorable light and contribute to its well-being.”3

For medium or high value assets (or asset classes), a further
determination of asset (or asset class) risk is indicated.

Asset Risk

To determine the risk to a particular asset (or asset class), NIST
recommends the following four-part process (as depicted in Figure 1):

Part A – “Identification of
the [enterprise’s] relevant assets [and asset classes] and their
valuation.”

Part B – “Determination of
potential threats that might jeopardize the confidentiality, integrity,
and availability of those assets [or asset classes].”

Part C – “Consideration of
vulnerabilities or other predisposing conditions of assets [or asset
classes] that make a threat event possible.”

Part D – “High-level
evaluation of the potential consequences if the threat source (part B)
exploits the weakness (part C) against the [enterprise] asset [or asset
class] (part A).”4

Figure 1. Elements of Asset Risk Determination

Source: NIST5

Asset Management

Having determined the value and related risk to enterprise assets and
asset classes, the enterprise Risk Management function can then proceed to
reduce enterprise risk via the usual means:

Risk Avoidance – Refrain, as
possible, from employing “risky” assets or asset classes. Seek less risky
alternatives.

Risk Mitigation – “Harden”
any risky assets or asset classes. This might mean, for example,
implementing additional anti-malware measures or, in the case of a
physical asset, implementing biometric access controls.

Risk Toleration – Accept
“reasonable” risk-related losses. For example, maintaining an enterprise
presence in Florida means exposing hard assets to hurricanes and other
wind and water events, and performing periodic physical recoveries as a
result.

Risk Transfer – Transfer risk
responsibility to another party or parties. The cloud computing industry
was largely founded on this operational option.
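The two BIA steps (asset value, then asset risk for medium and high value assets), the four-part risk determination, and the hand-off to a risk response can be modelled end to end. The Python below is an added worked example, not code from the NIST report or from this tutorial; the 1-to-5 benefit, likelihood and consequence scales, the high-water-mark rule for asset value, the likelihood-times-consequence score, the tolerance threshold, and the sample assets and threats are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Dimension(Enum):
    """The three value dimensions in which the BIA evaluates an asset."""
    AVAILABILITY = "availability"
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"


@dataclass(frozen=True)
class Asset:
    """Step 1 input: benefit scores (assumed 1..5 scale) in NIST's three categories."""
    name: str
    mission: int
    finance: int
    reputation: int


@dataclass(frozen=True)
class ThreatScenario:
    """Parts B-D for one asset and dimension: threat (B), assumed 1..5 likelihood
    given the asset's predisposing conditions (C), assumed 1..5 consequence (D)."""
    asset: str
    dimension: Dimension
    threat: str
    likelihood: int
    consequence: int


def asset_value(asset: Asset) -> str:
    """Step 1: assumed high-water-mark rule on the best benefit score:
    4-5 high, 3 medium, 1-2 low."""
    top = max(asset.mission, asset.finance, asset.reputation)
    return "high" if top >= 4 else "medium" if top == 3 else "low"


def risk_score(scenario: ThreatScenario) -> int:
    """Part D read with Part C: likelihood x consequence, range 1..25 (assumed)."""
    return scenario.likelihood * scenario.consequence


def prioritize(assets, scenarios, tolerance):
    """Step 2, for medium/high value assets only (low value assets stop after
    step 1).  `tolerance` is the leaders' risk directive: scores at or below it
    are tolerated; higher scores need treatment (mitigate, avoid or transfer,
    a choice the model leaves to people).  Returns rows ranked by risk."""
    values = {a.name: asset_value(a) for a in assets}
    rows = []
    for s in scenarios:
        if s.asset not in values:  # the inventory is the prerequisite for a BIA
            raise KeyError(f"{s.asset!r} is not in the asset inventory")
        if values[s.asset] == "low":
            continue
        score = risk_score(s)
        rows.append({"asset": s.asset, "value": values[s.asset],
                     "dimension": s.dimension.value, "threat": s.threat,
                     "risk": score,
                     "response": "tolerate" if score <= tolerance else "treat"})
    rows.sort(key=lambda r: (-r["risk"], r["asset"], r["dimension"]))
    return rows


def dimension_profile(rows, asset_name):
    """Highest risk per dimension for one asset: shows that an asset can be
    low-risk on availability yet high-risk on confidentiality or integrity."""
    profile = {d.value: 0 for d in Dimension}
    for r in rows:
        if r["asset"] == asset_name:
            profile[r["dimension"]] = max(profile[r["dimension"]], r["risk"])
    return profile


# Constructed sample inventory, threat register and risk directive (not real data).
ASSETS = [
    Asset("PII database", mission=4, finance=3, reputation=5),       # high
    Asset("order cluster", mission=5, finance=5, reputation=3),      # high
    Asset("marketing website", mission=3, finance=2, reputation=3),  # medium
    Asset("printer fleet", mission=2, finance=1, reputation=1),      # low
]
SCENARIOS = [
    ThreatScenario("PII database", Dimension.CONFIDENTIALITY, "exfiltration via stolen credentials", 4, 5),
    ThreatScenario("PII database", Dimension.INTEGRITY, "unauthorized modification of records", 2, 4),
    ThreatScenario("PII database", Dimension.AVAILABILITY, "storage array failure", 2, 3),
    ThreatScenario("order cluster", Dimension.AVAILABILITY, "ransomware outbreak", 3, 5),
    ThreatScenario("order cluster", Dimension.INTEGRITY, "tampered pricing data", 2, 4),
    ThreatScenario("marketing website", Dimension.AVAILABILITY, "hosting provider outage", 3, 2),
    ThreatScenario("printer fleet", Dimension.AVAILABILITY, "hardware failure", 4, 1),
]
RISK_TOLERANCE = 8  # assumed risk directive set by enterprise leaders

if __name__ == "__main__":
    ranked = prioritize(ASSETS, SCENARIOS, RISK_TOLERANCE)
    for row in ranked:
        print(f"{row['risk']:>2} {row['response']:<8} {row['asset']}/{row['dimension']}: {row['threat']}")
    print(dimension_profile(ranked, "PII database"))
```

Two things in the output carry the page's argument. The printer fleet never appears in the risk ranking because its low value stops the process after step 1, and the PII database profile is low on availability but highest on confidentiality, which an availability-only BIA would have missed entirely.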

Using Business Impact Analysis to Inform Risk Management

With a basic understanding of how business impact analysis can be applied
to enterprise assets, we can now entertain a discussion of how business
impact analysis can inform risk management, specifically risk
prioritization and response.

According to NIST, while business impact analysis has historically been
used to determine availability requirements for business continuity, the
process can be extended to “provide [a] broad understanding of the
potential impacts to the enterprise mission from any type of loss. The
management of enterprise risk requires a comprehensive understanding of
the [critical] functions (i.e., what must go right) and the potential risk
scenarios that jeopardize those functions (i.e., what might go
wrong).” Enterprise leaders need a methodology to determine which assets
enable the achievement of mission objectives, and to evaluate the factors
that render assets critical and sensitive.

Based on those factors:

  • Enterprise leaders provide risk directives (i.e., risk appetite and
    tolerance) as input to the BIA.
  • System owners then apply the BIA to developing asset categorization,
    impact values, and requirements for the protection of critical or
    sensitive assets. 

The output of the BIA enables consistent prioritization, response, and
communication regarding [enterprise risk, including] information security
risk.

Public- and private-sector enterprises must maintain a continual
understanding of:

  • Potential business impacts
  • The risk conditions that might lead to those impacts
  • The steps being taken

Use of the BIA methodology to categorize the criticality and sensitivity
of enterprise assets enables effective risk management, and the subsequent
integration of reporting and monitoring at the enterprise level to ensure
that risk and resource utilization are optimized in light of the value of
those assets.6

BCP 2.0

[return to top of this
report]

As previously mentioned, a business continuity plan (BCP) provides for
the continuous operation or rapid recovery of critical business functions
in the wake of a disaster. The BCP concept is predicated on the notion
that an enterprise – either a private sector company or public sector
agency – is what it does, i.e., it exists to perform a prescribed set of
business (or, in the case of an agency, governmental) functions. 
When the conduct of these functions, particularly the critical or vital
variety, is disrupted due to a disaster, such as a fire, flood, explosion,
or pervasive malware attack, the BCP prescribes how each critical function
can (or will be) continued until normal operations are restored.

Potential interventions include:

  • Deferring execution, temporarily downgrading a critical function to
    non-critical.
  • Negotiating – again, temporarily – a reduced critical function
    “service level.”
  • Dividing a critical function into executable and non-executable
    sub-functions, thus enabling the delivery of the executable elements.
  • Executing a critical function with non-enterprise resources, perhaps
    by partnering with another enterprise in the same industry.
  • Executing a manual, i.e., non-technology-oriented, critical function
    workaround.
  • Outsourcing a critical function to a third-party provider.
  • Reclassifying a critical function as non-critical.

Importantly, the traditional business continuity plan (call it BCP 1.0)
has always been deployed in response to an availability
crisis. Some key asset (like a data center) or asset class (like
Internet-delivered cloud services) has been rendered unavailable due to
some form of disaster, and the critical functions that rely on that
missing asset or asset class have, likewise, been disabled or disrupted.

Emerging from the NIST analysis is an opportunity to expand the business
continuity planning paradigm (call it BCP 2.0) to encompass disasters
related to availability, confidentiality (or privacy), and integrity. BCP
2.0 would combine:

  • Reactive procedures, aimed at responding to an availability,
    confidentiality, or integrity incident; and
  • Proactive procedures, aimed at preventing an availability,
    confidentiality, or integrity incident.

In the latter case, BCP 2.0 would be exercised on a regular and ongoing
basis – much like security management, financial management, and other
risk management disciplines.

Building a BCP 2.0 Practice

In addition to executing the main BCP mission – providing for the
continuous operation or rapid recovery of critical business functions in
the wake of a disaster – the BCP 2.0 manager would be responsible for
preventing – or mitigating the impact of – actual or potential
availability, confidentiality, or integrity events. 

To build her practice, the BCP 2.0 manager will assemble – over time – a
set of audit procedures designed to help ensure that enterprise assets are
– and will remain – available, confidential, and possess the requisite
integrity.

Among the likely issues addressed by these audit procedures:

  • Is all enterprise equipment (IT and other) maintained consistent with
    applicable vendor and industry standards and guidelines?
  • Are vendor-supplied software patches regularly applied?
  • Is all access to sensitive, confidential, or proprietary data granted
    on a need-to-know or need-to-use basis?
  • Are all digital data encrypted at-rest and in-transit?
  • Are all paper or hardcopy data stored in locked filing cabinets,
    vaults, or offices?
  • Is each employee receiving on-going security awareness training?
  • Is the enterprise engaging third-party penetration testers to help
    surface network security exposures? Are such holes being promptly
    plugged?
  • Are backup data samples retrieved and restored on a regular basis to
    validate the data backup and recovery regimen?
  • Are all enterprise contingency plans – Business Continuity, Disaster
    Recovery, Crisis Management – updated and tested on an annual basis, or
    on the occasion of a major organizational or operational change?
  • Are all enterprise activities related to Business Continuity, Disaster
    Recovery, Crisis Management, Emergency Management, Safety Management,
    Security Management, and the like tightly integrated and transparent?

About the Author


James G. Barr is a leading business continuity analyst and business writer
with more than 40 years’ IT experience. A member of “Who’s Who in Finance
and Industry,” Mr. Barr has designed, developed, and deployed business
continuity plans for a number of Fortune 500 firms. He is the author of
several books, including How to Succeed in Business BY Really Trying, a
member of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via e-mail at
jgbarr@faulkner.com.
