You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition

Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Business Impact Analysis, and Inherent and Residual Risk

The aim of this chapter is to detail the differences between business impact analysis (BIA) and risk assessment, learn concepts that are related to BIA, understand the differences between inherent and residual risk, and finally, review how BIA can be used to ensure business continuity (BC) and effective disaster recovery planning.

In this chapter, we will cover the following topics:

  • Differentiating between BIA and risk assessment
  • Key concepts related to BIA
  • Understanding types of risk

With that, let us dive into the first section, in which we will understand the differences between BIA and risk assessment.

Differentiating between BIA and risk assessment

BIA and risk assessment are related terms but not the same. In my experience, many practitioners use the terms interchangeably, which is incorrect.

BIA is the process of identifying critical business processes for an organization by assessing the impact of a disaster on that process. The primary objective of BIA is to determine systems, processes, or tools that will impact the identified business process in a positive or negative manner and then prioritize the recovery of business-defined critical services that support strategic objectives and goals.

As a risk practitioner, it is important to determine which critical services should be protected in case of a disaster. The BIA conducted by an organization will support the risk practitioner in recommending a reasonable and appropriate risk response and guide senior management in selecting appropriate mitigation strategies.

A risk assessment is the process of identifying threats...

Understanding types of risk

Risk and opportunity are two sides of the same coin. As such, it is inevitable that an organization that is looking to expand into new territories and harness the presented opportunities will encounter risks. The goal of a risk practitioner is to manage this risk so that an organization can continue to leverage these opportunities while balancing risk.

There are three types of risk that a risk practitioner should be aware of – inherent risk, residual risk, and current risk. Let us review each of these in detail:

  • Inherent risk: The level of risk present without considering the actions or controls that will be implemented. This is the risk that is ever-present and is specifically not avoided.
  • Residual risk: The level of risk after implementing the controls is considered residual risk. Residual risk is calculated by subtracting the effectiveness of control from the inherent risk. Residual Risk = Inherent Risk – Implemented Controls...

Summary

At the beginning of this chapter, we learned about the differences between risk assessment and BIA. We learned that the primary goal of BIA is to determine how quickly critical business operations should be recovered in case of an incident to avoid further damage, whereas the primary goal of a risk assessment is to identify potential threats to an organization, surface the associated risks, and implement adequate measures.

We then learned about related concepts, such as BC, DR, RPO, RTO, and MTD, which describe how an organization should determine the recovery objectives of critical systems. In the next section, we switched gears to learn more about inherent risk, residual risk, and current risk, which help risk managers quantify the risk that remains after all the controls are implemented.

In the next chapter, we will learn about risk response and control ownership, which also marks the beginning of Domain 3 – Risk Response and Reporting per the official CRISC exam outline...

Review questions

  1. Which of the following statements is false regarding risk assessment and BIA?
    1. BIA helps us identify the RPO, RTO, and MTD for critical assets.
    2. Risk assessment helps us identify risk mitigation plans.
    3. A successful business continuity plan needs BIA.
    4. BIA and risk assessment are the same.
  2. Which of the following is backward-looking in relation to BIA?
    1. RPO
    2. RTO
    3. MTD
    4. SSO
  3. Which of the following helps identify the time for which a critical asset can remain unavailable without significantly impairing the business?
    1. RPO
    2. RTO
    3. MTD
    4. SSO
  4. The risk after implementing controls is called ___.
    1. Current risk
    2. Residual risk
    3. Inherent risk
    4. Total risk
  5. The risk after implementing controls in a real-time scenario against threats is called ___.
    1. Residual risk
    2. Inherent risk
    3. Current risk
    4. Total risk

Answers

  1. D. Risk assessment and BIA are not the same.
  2. A. The recovery point objective (RPO) helps an organization identify how much data they can lose with minimum impact on services and hence it’s backward-looking.
  3. B. The recovery time objective (RTO) helps an organization determine the time for which it can be unavailable without impacting the business.
  4. B. Residual Risk = Inherent Risk – Controls.
  5. C. Current risk is the residual risk in a real-time threat scenario.