《CBCP业务连续性管理专家培训材料Area2.ppt》由会员分享,可在线阅读,更多相关《CBCP业务连续性管理专家培训材料Area2.ppt(35页珍藏版)》请在三一办公上搜索。
1、1,Business Continuity ManagementCourse for Advanced Professionals Introduction,2,Subject Area 2:Risk Evaluation&Control,3,Lesson Overview,The purpose of a risk assessmentMethodology and approachIdentifying and evaluating controls,4,Professional Practices for Business Continuity Professionals,Project
2、 Initiation and ManagementRisk Evaluation and ControlBusiness Impact AnalysisDeveloping Business Continuity StrategiesEmergency Response and OperationsDeveloping and Implementing Business Continuity PlansAwareness and Training ProgramsMaintaining and Exercising Business Continuity PlansCrisis Commun
3、ications Coordination with External Agencies,5,Objectives,Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster,the damage such events can cause,and the controls needed to prevent or minimize the effects of po
4、tential loss.Provide cost-benefit analysis to justify investment in controls to mitigate risks.,6,The Professionals Role(1/2),Identify Potential Risks to the OrganizationProbabilityConsequences/ImpactUnderstand the Function of Risk Reduction/Mitigation Within the OrganizationIdentify Outside Experti
5、se RequiredIdentify Exposures,7,The Professionals Role(2/2),Identify Risk Reduction/Mitigation AlternativesConfirm with Management to Determine Acceptable Risk LevelsDocument and Present Findings,8,The Planning Process,Objective Identify existing risks and threats that the organization is exposed to
6、 and recommend sageguradsSome key tasks Analyze business risk exposuresPerform risk mitigationSome key deliverables High probability events and exposuresA list of controls and safeguards,Project Planning,Risk Assessment&Analysis,9,What is Risk Assessment?,Process of identifying the risks to an organ
7、izationAssesses the critical functions necessary for an organization to continue business operationsA function of risk reduction/mitigationDefines the controls in place to reduce organization exposureEvaluates the cost for such controlsOften involves an evaluation of the probabilities of a particula
8、r event occurring.,10,Why Conduct a Risk Assessment?,The purpose of a risk assessment is to Prioritize planning and resource allocationIdentify and mitigate exposuresIdentify the threats,risk,and vulnerabilities in the“disaster chain”,11,Risk Assessment Objectives,Understand loss potentials Threats
9、Risks Probability Vulnerability Impacts,12,Risk Assessment Objectives,Determine vulnerability to potential lossPrimary threatsSelect vulnerabilities most likely to occur,13,Risk Assessment Objectives,Identify existing controls and recommend additional controlsEvaluate the effectiveness of controls a
10、nd safeguardsIdentify possible exposures,14,Cause and Effect Relationship,Threat,Vulnerability,Risk,Cause,Probability,Effect,Assets,15,Role of Risk Assessment,Identifies what plans need to be developedFocuses on the outcomes of failures,as well as considering the causesRelates primarily to provision
11、 of support servicesUsed to identify mitigating actionsTo increase the resilience of service provisionTo facilitate rapid and effective response to any failure,16,Benefits of a Risk Assessment,The results serve as the basis for cost savings through avoidanceJudicious use of finite resources for risk
12、 mitigationCan eliminate major downtime events,17,Approach to Data Collection,External ContinentCountryRegionCommunityNeighborhood,InternalIndustryPlantBuildingFloorProcessWork Area,18,Approach to Data Collection,Interviews,questionnaires,&workshop sessionsDocumentation/Infrastructure reviewObservat
13、ionCorporate documentsSupply chain informationData repositories,19,Information Sources,External International standards ISO,BSI,RIMS*FEMA www.fema.govNational weatherFederal/state climatologyState/County/city emergency managersState/local police&fireLocal groups BRPA,ACP,BCPCommunity public works,In
14、ternal Corporate Management Staff Engineering deptContractors Insurance brokers Engineering/design firms Architectural firms Contractors/vendors,20,Categories of Threats,Natural or acts of natureMan-made Political Technological Infrastructure,21,Identify Risk Events,Low probability High severity,Med
15、ium probability Medium severity,Medium probability High severity,Fire,Whole building fire,Fire limited to one floor,Fire in basement mailroom,22,Identify Risk Event Probability,Low,Less than once every 25 years“This could happen,but it would be a freak event”,Medium,Once every 5 to 25 years“I saw so
16、mething similar in the papers recently”“I know someone this happened to”,High,More than once every 5 years“I remember the last time this happened”,23,Risk Analysis,Classify risk&threats Under organizations control Beyond organizations control With prior warnings With no prior warningsStatement of ri
17、sk:quantitative&qualitativeEvaluate impact of risks and threats on critical business functions,24,Risk Analysis&Exposure Estimation,Threat Likelihood,Risk Scale:High=51 to 100 Medium=11 to 50 Low=1 to 10,25,Identify Risk Event Impact,26,Assess the Potential Impacts,Loss of customer service,Fire in b
18、asement computer room,Loss of function,Loss of work in progress,27,Definition of Control,Process,device or procedure that:Deters a threat from occurring Mitigates impact of a threat Reduces effect,but cannot always prevent occurrence,28,Types of Controls,Physical controls Fire suppression/sprinkler
19、systems Access control systems Security guardsProcedural controls Hiring and termination policies Clean desk policy Document receipting,29,Identifying Controls,Identify controls and safeguards to prevent and/or mitigate the effect of the loss potential Security protection Physical protection Physica
20、l presenceLogical protection Information backup and protection Information securityLocation of assets Preventative maintenance Personnel procedures,www.fema.gov/kids/games1/htm,30,Recommend Additional Controls,Evaluate impact of risks and exposures on factors essential for conduction business operat
21、ionsEliminating threat is not possibleSelect controls with highest paybackInclude cost of control and maintenancePrepare cost-benefit analysisPresent results to senior management,31,Layers of Protection,Natural Threats,Physical Security,Logical Security,Emergency,Continuity&,Company Assets,Recovery
22、Plans,Procedures,Man Made Threats,32,Summary,The goal of risk assessment is to identify and determine riskIt is important to recognize and document threats to the organizationIdentifying,improving,and recommending additional controls will lower the risks to your organization,33,Sample RA Results,34,Sample RA Results,35,Sample RA Results,
