I am so confused about Business Impact Analysis vs Risk Assessment
Could you please explain to me the difference between them?
Thanks.
Asked
Active
Viewed 1,854 times
-3
-
3Without more details about what's confusing you, I'd like to point you to other sources, like: [this](http://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/) or [this](https://www.linkedin.com/pulse/risk-assessment-business-impact-analysis-what-comes-first-goh) – Jedi Aug 07 '16 at 12:49
-
1We generally require that people do some research on their questions before posting. Can you tell us what you *do* understand about these terms. – schroeder Nov 24 '16 at 22:01
2 Answers
3
Those two things fill up some standards on it's own. A quick overview of them may help to understand the differences:
Business Impact Analysis: The goal of a BIA is to identify the key products / services of the organization. This means: if the company's main purpose is to deliver Software as a Service to it's customers, the processes relevant to deliver it are more important than others. Not as relevant are processes like accounting. To determine which services products are the most relevant for the company, you can take a lot of criteria into consideration:
- How much revenue is created by the service / product and how big would be the loss in case of malfunction?
- How long can the service fail / malfunction until it becomes a problem for the company?
- How big would the impact of a malfunction of the service / product be to the reputation of the company or existing contracts (SLAs)?
- How big would be the impact on the environment / well-being of others?
- ...
Standards that could help you are for example: ISO 22313 and ISO 22301
Risk Assessment: Risk assessment is kinda the sum of:
- Risk identification: what things cold negatively impact the assets of the company (e.g.: fire could harm the hardware in the data center, a pandemic would result in a loss of human resources, the malfunction of a virtual cluster could result in an inability to deliver service x)
- Risk analysis: after identifying the risks you evaluate the likelihood and possible consequences of each one. This can happen via a qualitative, semi-qualitative or quantitative way.
- Risk evaluation: you check the risks you analysed before against the risk appetite of the company and generate a prioritized list to define which risks you work on (reduce) first.
- After this step risk treatment would be next.
Standard that could help would maybe be ISO 27005
Main differences - The goal of the BIA is to identify the most critical services / products - Risk assessment isn't limited to just critical services / products but to the whole company. It's about organization, processes, personell, physical environment, software, hardware, knowledge, ....
sam
- 103
- 11
0
The Output of the Two BIA and RA is different
RA Output : Impacts, likelihood, counter measure controls. BIA Output : BC strategies, recovery prioritization, RTO & RPO
The Inputs are different as well, thus both differ from each other.
-
I don't feel your answer adds any new information that the other answer didn't... – MiaoHatola May 04 '17 at 12:01