Page 223 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 223
Business Impact Assessment
Once your BCP team completes the four stages of preparing to create a
business continuity plan, it’s time to dive into the heart of the work—
the business impact assessment (BIA). The BIA identifies the
resources that are critical to an organization’s ongoing viability and
the threats posed to those resources. It also assesses the likelihood
that each threat will actually occur and the impact those occurrences
will have on the business. The results of the BIA provide you with
quantitative measures that can help you prioritize the commitment of
business continuity resources to the various local, regional, and global
risk exposures facing your organization.
It’s important to realize that there are two different types of analyses
that business planners use when facing a decision.
Quantitative decision-making Quantitative decision-making
involves the use of numbers and formulas to reach a decision. This
type of data often expresses options in terms of the dollar value to
the business.
Qualitative decision-making Qualitative decision-making
takes non-numerical factors, such as reputation, investor/customer
confidence, workforce stability, and other concerns, into account.
This type of data often results in categories of prioritization (such
as high, medium, and low).
Quantitative analysis and qualitative analysis both play an
important role in the BCP process. However, most people tend to
favor one type of analysis over the other. When selecting the
individual members of the BCP team, try to achieve a balance
between people who prefer each strategy. This will result in the
development of a well-rounded BCP and benefit the organization
in the long run.
