Chapter 30 - Risk Assessment

Abstract

This chapter discusses the concept and practical application of risk management. It looks at the broad business perspective, the practical business continuity and disaster recovery planning perspective, and the IT-centric perspective. It looks at risk management to provide the understanding of the overall process, and then delve into the risk assessment process. Business continuity and disaster recovery planning begins with a thorough risk assessment. Risk assessment is part of a larger risk management process found in most businesses. The four major components of the business continuity (BC)/disaster recovery (DR) risk assessment are threat assessment, vulnerability assessment, impact assessment, and risk mitigation strategy development. In order to perform a thorough threat assessment, one needs to look at threats and threat sources both internal and external to the company. It is often helpful to assess risk based on the potential risks to people, process, technology, and infrastructure. The methods used to gather data for any of the assessment phases typically include questionnaires, interviews, document reviews, and research. Questionnaires can be helpful in structuring desired input but also can have the downside of containing built-in biases, often unintentionally. Interviews can be conducted with subject matter experts and yield more useful information than questionnaires but may also generate a lot of tangential or unneeded data. Reviewing documents and performing research can supplement the questionnaire and interview process. Risk assessment activities will end up generating a list of threats and threat sources that one will be able to evaluate.