How the risk analysis process and conducting a BIA differ


How the risk analysis process and conducting a BIA differ

How is conducting a BIA different from a risk analysis process?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

The business impact analysis (BIA) and risk assessment are usually separate processes but they must be executed concurrently or in parallel. The reasoning is that evaluating impact to the business without assessing the risk does not provide the full picture. We can think of impact as a constant; if the outage of a critical system has a high impact (financial or otherwise) on a business, no matter what we do, the impact of the actual outage remains high. We cannot change the impact; we can only try to prevent the outage.

The risk analysis process is the evaluation of threats, vulnerabilities and probability of occurrence. For example, a threat could be a company operating in an area with unreliable power with at least one failure lasting more than three or four hours per year on average (probability of occurrence) and the vulnerability is the absence of a backup power generator or uninterruptible power supply.

The resulting impact is the outage of an IT system identified as critical during the BIA. Risk also has constants in this context; the threat of a lengthy power failure and its annual occurrence will remain. The only variable is the vulnerability, which can be addressed with the installation of a generator. The threat and probability have not changed and the outage of the critical system would have the same impact, but the risk is mitigated by eliminating the vulnerability.

This was previously published on

This was first published in August 2012