In the risk evaluation phase, there are a number of key areas that must be covered. One of the most important is to understand probable threats. In an ideal world, which most of us have noticed does not exist, we would identify and protect ourselves against all threats to ensure that our business continues to survive. Obviously, we are constrained by other factors such as budgets, time and priorities and need to apply cost-benefit analysis to ensure we are protecting the most critical business functions.

A second important step is to identify all probable threats and prioritize them. Threats, typically, can be classified in several ways such as internal/external, man-made/natural, primary/secondary, accidental/intentional, controllable/not controllable, warning/no warning, frequency, duration, speed of onset, etc. While classifying threats is helpful in terms of understanding their characteristics and potential controls, grouping and understanding by business impact is also important. Obviously, the same impact can result from a number of different threats.

Identifying mission-critical business processes and systems is another fundamental building block of the business continuity plan. After your critical business processes and systems and probable threats are established, the next step is to identify vulnerabilities and loss potential. This requires an extensive scan of the organization to identify vulnerabilities and then analysis to understand those vulnerabilities which would have the greatest impact on your critical business processes and the organization. This starts to clarify and quantify potential losses, which helps to establish priorities.

Following the identification of the most probable threats and vulnerabilities, an analysis of existing controls is needed. This spans physical security as well as people, processes, data, communications and asset protection. Some controls such as physical security and data backup are obvious. Other controls required are often less obvious, but they can be identified through the risk evaluation process.

Once the key building blocks of critical business functions, most probable threats, vulnerabilities and controls are identified, the next stage is to develop an understanding of the probability of threats factored by the severity or impact of the threats. This leads to the business impact analysis phase which establishes priorities for protection.

The goal is to minimize threats, impacts and downtime and to mitigate any losses. Fundamentally, the goal is to protect your people, protect your data, protect your vital communications, protect your assets and to protect your brand and reputation. Overall, of course, the goal is to ensure your business continues to operate and to do it in a cost-effective way meeting standards of reasonable and prudent judgment.