CBCP Business Continuity Management Expert Training Materials_Area2.ppt

1. Business Continuity Management Course for Advanced Professionals
  • Introduction

2. Subject Area 2: Risk Evaluation & Control

3. Lesson Overview
  • The purpose of a risk assessment
  • Methodology and approach
  • Identifying and evaluating controls

4. Professional Practices for Business Continuity Professionals
  • Project Initiation and Management
  • Risk Evaluation and Control
  • Business Impact Analysis
  • Developing Business Continuity Strategies
  • Emergency Response and Operations
  • Developing and Implementing Business Continuity Plans
  • Awareness and Training Programs
  • Maintaining and Exercising Business Continuity Plans
  • Crisis Communications
  • Coordination with External Agencies

5. Objectives
  • Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.
  • Provide cost-benefit analysis to justify investment in controls to mitigate risks.

6. The Professional's Role (1/2)
  • Identify Potential Risks to the Organization
      • Probability
      • Consequences/Impact
  • Understand the Function of Risk Reduction/Mitigation Within the Organization
  • Identify Outside Expertise Required
  • Identify Exposures

7. The Professional's Role (2/2)
  • Identify Risk Reduction/Mitigation Alternatives
  • Confirm with Management to Determine Acceptable Risk Levels
  • Document and Present Findings

8. The Planning Process
  • Objective
      • Identify existing risks and threats that the organization is exposed to and recommend safeguards
  • Some key tasks
      • Analyze business risk exposures
      • Perform risk mitigation
  • Some key deliverables
      • High probability events and exposures
      • A list of controls and safeguards
  • Project Planning
  • Risk Assessment & Analysis

9. What is Risk Assessment?
  • Process of identifying the risks to an organization
  • Assesses the critical functions necessary for an organization to continue business operations
  • A function of risk reduction/mitigation
  • Defines the controls in place to reduce organization exposure
  • Evaluates the cost for such controls
  • Often involves an evaluation of the probabilities of a particular event occurring.

10. Why Conduct a Risk Assessment?
  • The purpose of a risk assessment is to
      • Prioritize planning and resource allocation
      • Identify and mitigate exposures
      • Identify the threats, risk, and vulnerabilities in the “disaster chain”

11. Risk Assessment Objectives
  • Understand loss potentials
      • Threats
      • Risks
      • Probability
      • Vulnerability
      • Impacts

12. Risk Assessment Objectives
  • Determine vulnerability to potential loss
      • Primary threats
      • Select vulnerabilities most likely to occur

13. Risk Assessment Objectives
  • Identify existing controls and recommend additional controls
      • Evaluate the effectiveness of controls and safeguards
      • Identify possible exposures

14. Cause and Effect Relationship
  • Threat
  • Vulnerability
  • Risk
  • Cause
  • Probability
  • Effect
  • Assets

15. Role of Risk Assessment
  • Identifies what plans need to be developed
  • Focuses on the outcomes of failures, as well as considering the causes
  • Relates primarily to provision of support services
  • Used to identify mitigating actions
      • To increase the resilience of service provision
      • To facilitate rapid and effective response to any failure

16. Benefits of a Risk Assessment
  • The results serve as the basis for cost savings through avoidance
  • Judicious use of finite resources for risk mitigation
  • Can eliminate major downtime events

17. Approach to Data Collection
  • External
      • Continent
      • Country
      • Region
      • Community
      • Neighborhood
  • Internal
      • Industry
      • Plant
      • Building
      • Floor
      • Process
      • Work Area

18. Approach to Data Collection
  • Interviews, questionnaires, & workshop sessions
  • Documentation/Infrastructure review
  • Observation
  • Corporate documents
  • Supply chain information
  • Data repositories

19. Information Sources
  • External
      • International standards: ISO, BSI, RIMS*
      • FEMA
      • National weather
      • Federal/state climatology
      • State/County/city emergency managers
      • State/local police & fire
      • Local groups: BRPA, ACP, BCP
      • Community public works
  • Internal
      • Corporate Management Staff
      • Engineering dept
      • Contractors
      • Insurance brokers
      • Engineering/design firms
      • Architectural firms
      • Contractors/vendors

20. Categories of Threats
  • Natural or acts of nature
  • Man-made
  • Political
  • Technological
  • Infrastructure

21. Identify Risk Events
  • Ratings shown
      • Low probability, High severity
      • Medium probability, Medium severity
      • Medium probability, High severity
  • Fire
      • Whole building fire
      • Fire limited to one floor
      • Fire in basement mailroom

22. Identify Risk Event Probability
  • Low: Less than once every 25 years
      • “This could happen, but it would be a freak event”
  • Medium: Once every 5 to 25 years
      • “I saw something similar in the papers recently”
      • “I know someone this happened to”
  • High: More than once every 5 years
      • “I remember the last time this happened”

23. Risk Analysis
  • Classify risk & threats
      • Under organization's control
      • Beyond organization's control
      • With prior warnings
      • With no prior warnings
  • Statement of risk: quantitative & qualitative
  • Evaluate impact of risks and threats on critical business functions

24. Risk Analysis & Exposure Estimation
  • Threat Likelihood
  • Risk Scale
      • High = 51 to 100
      • Medium = 11 to 50
      • Low = 1 to 10

25. Identify Risk Event Impact

26. Assess the Potential Impacts
  • Fire in basement computer room
  • Loss of customer service
  • Loss of function
  • Loss of work in progress

27. Definition of Control
  • Process, device or procedure that:
      • Deters a threat from occurring
      • Mitigates impact of a threat
      • Reduces effect, but cannot always prevent occurrence

28. Types of Controls
  • Physical controls
      • Fire suppression/sprinkler systems
      • Access control systems
      • Security guards
  • Procedural controls
      • Hiring and termination policies
      • Clean desk policy
      • Document receipting

29. Identifying Controls
  • Identify controls and safeguards to prevent and/or mitigate the effect of the loss potential
      • Security protection
      • Physical protection
      • Physical presence
      • Logical protection
      • Information backup and protection
      • Information security
      • Location of assets
      • Preventative maintenance
      • Personnel procedures

30. Recommend Additional Controls
  • Evaluate impact of risks and exposures on factors essential for
