Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:
Of course my seven-year-old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive residual risk down to within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical? And how would you know?

Let me give you a simple example. A cyberattack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical, causing them to spend the same level of time, attention and resources protecting the less critical areas; this is the ‘tempest in a teapot’ syndrome.

It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts in today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA. A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts.
It is a well-known methodology inside business continuity (BC) circles, as these teams have performed BIAs for decades to determine which business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. Often it is not, and this is a common problem in many organizations’ risk management programs.

To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that: establish a solid risk management program foundation focusing on four fundamental capabilities:
The RSA® Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.

The Duke of Ormond’s letters to the Earl of Arlington in 1678 put it best – “Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl.” The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a ‘tempest in a potty’ (that was for you Elly).

For comments, contact me at patrick.potter@rsa.com.

The post Business Impact Analysis Relieves “Tempest in a Teapot” Syndrome appeared first on Speaking of Security - The RSA Blog.
