In the risk evaluation phase, there are a number of key areas that must be covered. One of the most important is to understand probable threats. In an ideal world, which most of us have noticed does not exist, we would identify and protect ourselves against all threats to ensure that our business continues to survive. Obviously, we are constrained by other factors such as budgets, time and priorities and need to apply cost benefit analysis to ensure we are protecting the most critical business functions.

A second important step is to identify all probable threats and prioritize them. Threats, typically, can be classified in several ways such as internal/external, man-made/natural, primary/secondary, accidental/intentional, controllable/not controllable, warning/no warning, frequency, duration, speed of onset etc. While classifying threats is helpful in terms of understanding their characteristics and potential controls, grouping and understanding by business impact is also important. Obviously, the same impact can result from a number of different threats.

Identifying mission critical business processes and systems is another fundamental building block of the business continuity plan. After your critical business processes and systems and probable threats are established, the next step is to identify vulnerabilities and loss potential. This requires an extensive scan of the organization to identify vulnerabilities and then analysis to understand those vulnerabilities which would have the greatest impact on your critical business processes and the organization. This starts to clarify and quantify potential losses, which helps to establish priorities.

Following the identification of the most probable threats and vulnerabilities, an analysis of existing controls is needed. This spans physical security as well as people, processes, data, communications and asset protection. Some controls such as physical security and data backup are obvious. Other controls required are often less obvious, but they can be identified through the risk evaluation process.

Once the key building blocks of critical business functions, most probable threats, vulnerabilities and controls are identified, the next stage is to develop an understanding of the probability of threats factored by the severity or impact of the threats. This leads to the business impact analysis phase which establishes priorities for protection.

The goal is to minimize threats, impacts and downtime and to mitigate any losses. Fundamentally, the goal is to protect your people, protect your data, protect your vital communications, protect your assets and to protect your brand and reputation. Overall, of course, the goal is to ensure your business continues to operate and to do it in a cost-effective way meeting standards of reasonable and prudent judgment.