Business Impact Analysis (BIA) is the process of determining the impact to the business if a risk is realised, including consideration of worst-case scenarios.

Business impacts are used to set the highest level of impact / damage that should be used when assessing risk at Micro level. They should be set without considering countermeasures (as countermeasures are considered/assessed in the risk assessment). Whilst a business impact considers the worst-case scenario, a balance needs to be struck between plausibility, likelihood and hindsight so that realistic and, importantly, manageable Business Impacts are agreed.

The default Business Impact (which can be altered) uses 5-point scoring to allow for a blending of standard HMG with CNI impact levels and NIST 800-30.

...

Risk Appetite is the level and type of risk that you are prepared to accept (and not accept) in achieving your mission / objectives.

Good governance requires organisations to identify and manage the risks to their business; this involves risk stakeholders determining the levels of risk that they are prepared to tolerate in pursuit of their business/mission objectives. This determination, or risk appetite, will influence an organisation’s strategy, plans and policies, which in turn determine risk tolerance levels for individual business activities and enable the delegation of risk management responsibilities with clear thresholds. HM Treasury publish five levels of risk appetite that other organisations may wish to use in support of the production of their own information risk.

Business Impact Analysis and Risk Appetite combine to create a BIRA. Why have a BIRA? To understand the impact to the business and the risks the business will accept, and to have an agreed risk appetite for the mission and its supporting services, people and technology.

Read each of the risk areas to see which apply to the focus of your scope – by default they are set to not applicable.



Review the recommended Security Properties and see if they fit your use case. These will be used in default BIRAs that can be loaded when starting a BIRA Assessment.

In the event of a custom BIRA, you will have to define the Security Properties yourself, with score values to assess against. You can refer to the Business Impact and Risk Appetite sections for inspiration.


When a custom BIRA has been created and/or loaded, we recommend working through the Business Impact and then the Risk Appetite for one Risk Area at a time within the BIRA Tool. This allows for an easier logic flow: complete the impact for each of the security properties (bad outcomes), adding any notes that might be useful, before then applying the risk appetite.

Once all risk areas have been considered, the tool notes a worst case (Suggested impact) on completion for you to consider; you then select the actual impact level agreed for each applicable security property. Once the overall impact has been selected, repeat the same logic for the overall risk appetite, again for each applicable security property.

Select an overall appetite for the whole analysis and add text to back up the decision. Whilst the BIRA is now complete, agree the frequency of update, e.g. Annual, Half yearly, Quarterly. This will be dependent upon the service and/or mission, its criticality or frequency of change. As a minimum, a review is recommended at least annually.