2.3 The Risk Manager
A risk manager is someone assigned to deal with overall compliance with state, federal, and corporate requirements. Coordination between risk management, information resource recovery, and business recovery planning activities is highly recommended. The organization's risk manager may be placed as part of the other support functions in the organization chart. The risk manager, together with information resource management, carries the bulk of the recovery responsibilities following an interruption to the overall operations of the organization.
2.4 Risk Assessment
A key part of the BCP process is the assessment of the potential risks to the business that could result from disasters or emergency situations. It is necessary to consider all the possible incidents and the impact each may have on the organization's ability to continue to deliver its normal business services. This risk assessment section of the BCP should examine the possibility of serious situations disrupting the business operations and the potential impact of such events.
2.4.1 Basic Elements of the Risk Assessment Process
Risk assessments, whether they pertain to information security or other types of risk, are means of providing decision makers with the information needed to understand factors that can negatively influence operations and outcomes, so that they can make informed judgments concerning the extent of actions needed to reduce risk. For example, bank officials have conducted risk assessments to manage the risk of default associated with their loan portfolios, and nuclear power plant engineers have conducted such assessments to manage risks to public health and safety. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements:
Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
Estimating the likelihood that such threats will materialize, based on historical information and the judgment of knowledgeable individuals.
Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important. This is sometimes referred to as "asset characterization" and will be described later in this chapter.
Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures, as well as technical or physical controls.
Documenting the results and developing an action plan.
2.4.2 Risk Assessment Models
There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified. A quantitative approach generally estimates the cost of risk and risk-reduction techniques based on three things:
1. The likelihood that a damaging event will occur
2. The costs of potential losses
3. The costs of mitigating actions that could be taken
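To make these three inputs concrete, here is an added worked example that is not from the book. It uses the common annualized-loss convention (single loss expectancy = asset value x exposure factor; annualized loss expectancy = SLE x annualized rate of occurrence), which the chapter does not spell out, and it ranks candidate controls by the risk they remove minus what they cost. The scenario, the controls and every figure are constructed sample data, and the qualitative bands at the end are an assumed convention for reading the numbers, not thresholds given in the text.

```python
"""Quantitative risk cost-benefit: an added illustration, not the book's own method.

Convention assumed here (standard practice, not stated on the page):
  SLE = asset_value * exposure_factor      (loss from one incident)
  ALE = SLE * aro                          (expected loss per year)
A control pays for itself only if ALE_before - ALE_after - annual_cost > 0.
All scenario, control and threshold figures are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # replacement/recovery cost of the asset, in currency units
    exposure_factor: float   # fraction of asset value lost in one incident (0.0..1.0)
    aro: float               # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # amortized yearly cost of running the control
    new_exposure_factor: float   # exposure factor after the control is in place
    new_aro: float               # rate of occurrence after the control is in place


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy for one threat against one asset."""
    sle = asset_value * exposure_factor
    return sle * aro


def evaluate_controls(scenario: Scenario, controls: list[Control]) -> list[tuple[str, float, float]]:
    """Return (control name, residual ALE, net annual benefit), best first.

    Net benefit is the reduction in ALE minus the control's annual cost. A
    negative value means the control costs more than the risk it removes, so
    on cost grounds alone it should not be recommended.
    """
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    rows = []
    for c in controls:
        after = ale(scenario.asset_value, c.new_exposure_factor, c.new_aro)
        net_benefit = (before - after) - c.annual_cost
        rows.append((c.name, round(after, 2), round(net_benefit, 2)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def qualitative_band(annual_loss: float) -> str:
    """Map an ALE figure onto a qualitative rating.

    Thresholds are assumed for this example; an organization sets its own
    so that the numbers carry a meaning decision makers recognize.
    """
    if annual_loss < 10_000:
        return "low"
    if annual_loss < 100_000:
        return "medium"
    return "high"


# Constructed sample data: a data-center outage threat and three candidate controls.
SAMPLE_SCENARIO = Scenario("Primary data center outage", asset_value=2_000_000,
                           exposure_factor=0.25, aro=0.1)
SAMPLE_CONTROLS = [
    Control("Warm standby site", annual_cost=30_000, new_exposure_factor=0.05, new_aro=0.1),
    Control("Generator and UPS upgrade", annual_cost=8_000, new_exposure_factor=0.25, new_aro=0.04),
    Control("Full hot site", annual_cost=60_000, new_exposure_factor=0.01, new_aro=0.1),
]

if __name__ == "__main__":
    current = ale(SAMPLE_SCENARIO.asset_value, SAMPLE_SCENARIO.exposure_factor, SAMPLE_SCENARIO.aro)
    print(f"{SAMPLE_SCENARIO.name}: ALE {current:,.0f} ({qualitative_band(current)})")
    for name, residual, net in evaluate_controls(SAMPLE_SCENARIO, SAMPLE_CONTROLS):
        verdict = "recommend" if net > 0 else "not cost-justified"
        print(f"  {name:28s} residual ALE {residual:>9,.0f}  net benefit {net:>9,.0f}  {verdict}")
```

The ranking shows the point of the exercise: the cheapest control that attacks the likelihood term comes out ahead of a much more expensive one that drives the loss almost to zero, and the most thorough option is rejected because its cost exceeds the risk it removes. The band function is where the quantitative result gets its qualitative reading, which the next paragraph identifies as the weak spot of the method.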
The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts' magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner. Additional factors often must be considered to determine the magnitude of impact. These may include, but are not limited to: