How Risk Quantification Can Help Your Business Continuity Program
For a lot of industries, Business Continuity (BCP) and Disaster Recovery (DR) is a requirement; however, a lot of the time the programs are minimalistic in nature. One of the biggest challenges is getting stakeholders on the same page. The general idea is:
“Nothing has ever happened here, so why should I be concerned about it?”
This should make any risk person shiver when they hear this. To get buy-in from Executive Management or even Department/Business Management you want to be able to explain your story and have data to back it up.
Quantification Supports Better Continuity Planning
Quantifying risk using Factor Analysis of Information Risk (FAIR) allows organizations to provide relevant information to key stakeholders. One of the biggest benefits of the standard FAIR risk model is the use of a “common language” to identify and communicate about risks.
Even from organization to organization, the terms "Business Continuity Planning", "Business Resiliency", "Disaster Recovery" and the like are used to talk about anything from the recovery of the business to just the recovery of the technology. Any BCP person knows there is a difference between BCP and DR planning. That is why having the right information and knowing what to communicate is truly important.
Identify And Measure Key Risk Components
In general, the process starts with identifying what “assets” you are concerned with and determining “how much risk is associated with each of them”. From there, completing a Business Impact Analysis (BIA) should be much easier. This is especially helpful when attempting to build a program from the ground up. But even more advanced programs can benefit from Risk Quantification.
BCP/DR alone is only a portion of a comprehensive Risk Management program. Risk Quantification, on the other hand, fits into many facets, if not all facets of a quality Risk Management program.
What Quantification Looks Like
Below is an example of how your BIA can benefit from Risk Quantification. In this example a manufacturer who had a key system go down for 4 hours that was essential to their manufacturing process. They were not able to manufacture their product during this time. Being able to quantify your information for your organization allows it to see what it means in business terms to have a key system or business function become unavailable. This is a crucial step to any BIA.
The RiskLens cyber risk quantification platform uses the FAIR standard to quantify risk on a consistent basis. This methodical approach to assessing and communicating about risk can help with your BCP program and also provide a solid foundation for your overall Risk Management program.