CBCP业务连续性管理专家培训材料Area2.ppt

1,Business Continuity ManagementCourse for Advanced Professionals Introduction,2,Subject Area 2：Risk Evaluation&Control,3,Lesson Overview,The purpose of a risk assessmentMethodology and approachIdentifying and evaluating controls,4,Professional Practices for Business Continuity Professionals,Project Initiation and ManagementRisk Evaluation and ControlBusiness Impact AnalysisDeveloping Business Continuity StrategiesEmergency Response and OperationsDeveloping and Implementing Business Continuity PlansAwareness and Training ProgramsMaintaining and Exercising Business Continuity PlansCrisis Communications Coordination with External Agencies,5,Objectives,Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster,the damage such events can cause,and the controls needed to prevent or minimize the effects of potential loss.Provide cost-benefit analysis to justify investment in controls to mitigate risks.,6,The Professionals Role(1/2),Identify Potential Risks to the OrganizationProbabilityConsequences/ImpactUnderstand the Function of Risk Reduction/Mitigation Within the OrganizationIdentify Outside Expertise RequiredIdentify Exposures,7,The Professionals Role(2/2),Identify Risk Reduction/Mitigation AlternativesConfirm with Management to Determine Acceptable Risk LevelsDocument and Present Findings,8,The Planning Process,Objective Identify existing risks and threats that the organization is exposed to and recommend sageguradsSome key tasks Analyze business risk exposuresPerform risk mitigationSome key deliverables High probability events and exposuresA list of controls and safeguards,Project Planning,Risk Assessment&Analysis,9,What is Risk Assessment?,Process of identifying the risks to an organizationAssesses the critical functions necessary for an organization to continue business operationsA function of risk reduction/mitigationDefines the controls in place to reduce organization exposureEvaluates the cost for such controlsOften involves an evaluation of the probabilities of a particular event occurring.,10,Why Conduct a Risk Assessment?,The purpose of a risk assessment is to Prioritize planning and resource allocationIdentify and mitigate exposuresIdentify the threats,risk,and vulnerabilities in the“disaster chain”,11,Risk Assessment Objectives,Understand loss potentials Threats Risks Probability Vulnerability Impacts,12,Risk Assessment Objectives,Determine vulnerability to potential lossPrimary threatsSelect vulnerabilities most likely to occur,13,Risk Assessment Objectives,Identify existing controls and recommend additional controlsEvaluate the effectiveness of controls and safeguardsIdentify possible exposures,14,Cause and Effect Relationship,Threat,Vulnerability,Risk,Cause,Probability,Effect,Assets,15,Role of Risk Assessment,Identifies what plans need to be developedFocuses on the outcomes of failures,as well as considering the causesRelates primarily to provision of support servicesUsed to identify mitigating actionsTo increase the resilience of service provisionTo facilitate rapid and effective response to any failure,16,Benefits of a Risk Assessment,The results serve as the basis for cost savings through avoidanceJudicious use of finite resources for risk mitigationCan eliminate major downtime events,17,Approach to Data Collection,External ContinentCountryRegionCommunityNeighborhood,InternalIndustryPlantBuildingFloorProcessWork Area,18,Approach to Data Collection,Interviews,questionnaires,&workshop sessionsDocumentation/Infrastructure reviewObservationCorporate documentsSupply chain informationData repositories,19,Information Sources,External International standards ISO,BSI,RIMS*FEMA www.fema.govNational weatherFederal/state climatologyState/County/city emergency managersState/local police&fireLocal groups BRPA,ACP,BCPCommunity public works,Internal Corporate Management Staff Engineering deptContractors Insurance brokers Engineering/design firms Architectural firms Contractors/vendors,20,Categories of Threats,Natural or acts of natureMan-made Political Technological Infrastructure,21,Identify Risk Events,Low probability High severity,Medium probability Medium severity,Medium probability High severity,Fire,Whole building fire,Fire limited to one floor,Fire in basement mailroom,22,Identify Risk Event Probability,Low,Less than once every 25 years“This could happen,but it would be a freak event”,Medium,Once every 5 to 25 years“I saw something similar in the papers recently”“I know someone this happened to”,High,More than once every 5 years“I remember the last time this happened”,23,Risk Analysis,Classify risk&threats Under organizations control Beyond organizations control With prior warnings With no prior warningsStatement of risk:quantitative&qualitativeEvaluate impact of risks and threats on critical business functions,24,Risk Analysis&Exposure Estimation,Threat Likelihood,Risk Scale:High=51 to 100 Medium=11 to 50 Low=1 to 10,25,Identify Risk Event Impact,26,Assess the Potential Impacts,Loss of customer service,Fire in basement computer room,Loss of function,Loss of work in progress,27,Definition of Control,Process,device or procedure that:Deters a threat from occurring Mitigates impact of a threat Reduces effect,but cannot always prevent occurrence,28,Types of Controls,Physical controls Fire suppression/sprinkler systems Access control systems Security guardsProcedural controls Hiring and termination policies Clean desk policy Document receipting,29,Identifying Controls,Identify controls and safeguards to prevent and/or mitigate the effect of the loss potential Security protection Physical protection Physical presenceLogical protection Information backup and protection Information securityLocation of assets Preventative maintenance Personnel procedures,www.fema.gov/kids/games1/htm,30,Recommend Additional Controls,Evaluate impact of risks and exposures on factors essential for conduction business operationsEliminating threat is not possibleSelect controls with highest paybackInclude cost of control and maintenancePrepare cost-benefit analysisPresent results to senior management,31,Layers of Protection,Natural Threats,Physical Security,Logical Security,Emergency,Continuity&,Company Assets,Recovery Plans,Procedures,Man Made Threats,32,Summary,The goal of risk assessment is to identify and determine riskIt is important to recognize and document threats to the organizationIdentifying,improving,and recommending additional controls will lower the risks to your organization,33,Sample RA Results,34,Sample RA Results,35,Sample RA Results,