Audit and Assurance


Development of a BCP

  • 1.  Development of a BCP

    Posted 21 Feb, 2020 08:54
    Hi Guys,

    When developing a BCP, business impact analysis (BIA) and risk assessment (RA) play a key role. My question is, which one comes first, the BIA or the RA? And why?

    Kenneth Mararo
    IT Audit

  • 2.  RE: Development of a BCP

    Posted 21 Feb, 2020 21:36
    Risk assessment comes first.
    Once you have identified and assessed the likelihood of risk, you come to business impact analysis.
    If the likelihood is zero, you don't proceed to the BIA step.

  • 3.  RE: Development of a BCP

    Posted 22 Feb, 2020 00:46
    Hi Kenneth Mararo,

    Among the three (BCP, BIA & RA), 'Risk Assessment (RA)' comes first, because:

    Firstly, as per the ISO 27001:2013 ISMS standard, the sequence of risk assessment of an information system is as follows:

    1. Understanding internal environment.
    2. Understanding Interested parties.
    3. Risk Identification.
    4. Risk Assessment.
    5. Risk Treatment.
    6. Reviewing whether IS objectives have been fulfilled or not.

    Business Impact Analysis (BIA) = Likelihood (or Probability) x Impact.
    Here, impact comes from the risk assessment,
    so the BIA has to be done after the risk assessment is completed.

    Thank you.

    Sharif Hossain
    Internal IT Auditor

  • 4.  RE: Development of a BCP

    Posted 22 Feb, 2020 20:08
    Hello Kenneth,

    The approach is very logical. The best references for this are the Business Continuity Institute Good Practice Guidelines 2019 and ISO 22301:2019 Business Continuity Management Systems - Requirements.

    The top management of the organization will determine the SCOPE of the BC implementation, taking into consideration factors such as customer impact, revenue, legal and regulatory requirements, and the overall risk to the organization in the event that a particular line of business is interrupted or becomes unavailable.
    Once the organization's products and services for the BC scope are identified, a high-level BIA is conducted to identify prioritized products and services. At this stage you can determine your MTPD (Maximum Tolerable Period of Disruption), RTO (Recovery Time Objective) and RPO (Recovery Point Objective). The next step is to determine all its dependencies and again do a BIA on each of the dependencies. Only at this stage is a Risk Assessment conducted, and strategies and plans developed, to bring up the processes and activities fast enough to meet the RTO expectations.
    In short, this is the approach to developing a Business Continuity Management System.
    Irrespective of size or the nature of the business they do, all organizations need to have fully tested and validated Business Continuity arrangements.

    Hope this makes sense.

    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
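    As an added illustration (not code from any reply in this thread, and not from the BCI or ISO documents cited), the following Python models the sequence Nalin describes: a high-level BIA that records MTPD, RTO and RPO per activity and ranks them, a dependency BIA that checks each dependency can recover at least as fast as the activities that rely on it, and only then a risk assessment scoped to the prioritised activities. All activity names, hours, risks and scores are constructed sample data; the threshold and top-N cut-off are assumptions for the example.

```python
"""Worked BIA -> dependency BIA -> scoped RA sequence (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_h: int                 # Maximum Tolerable Period of Disruption, hours
    rto_h: int                  # Recovery Time Objective, hours (must be <= MTPD)
    rpo_h: int                  # Recovery Point Objective, hours of tolerable data loss
    depends_on: list = field(default_factory=list)


@dataclass
class Risk:
    description: str
    affects: str                # name of the activity this risk disrupts
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                 # 1 (minor) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample BIA register; not any real organisation's figures.
SAMPLE_ACTIVITIES = [
    Activity("Payments", mtpd_h=4, rto_h=2, rpo_h=1, depends_on=["CoreDB", "Network"]),
    Activity("Payroll", mtpd_h=72, rto_h=48, rpo_h=24, depends_on=["CoreDB"]),
    Activity("CoreDB", mtpd_h=8, rto_h=6, rpo_h=1, depends_on=["Network"]),
    Activity("Network", mtpd_h=4, rto_h=1, rpo_h=0),
    Activity("Intranet", mtpd_h=168, rto_h=200, rpo_h=24),   # deliberately inconsistent
]

# Constructed sample risk register for the scoped risk assessment.
SAMPLE_RISKS = [
    Risk("Ransomware on database cluster", "CoreDB", likelihood=3, impact=5),
    Risk("Fibre cut at primary site", "Network", likelihood=2, impact=5),
    Risk("Intranet CMS outage", "Intranet", likelihood=4, impact=2),
    Risk("Payroll SaaS vendor outage", "Payroll", likelihood=2, impact=3),
]


def prioritised(activities):
    """High-level BIA output: activities ordered by urgency (shortest MTPD first)."""
    return [a.name for a in sorted(activities, key=lambda a: (a.mtpd_h, a.name))]


def bia_findings(activities):
    """Dependency BIA checks. Returns (activity, problem) pairs that need correcting
    before strategy design: RTO beyond MTPD, or a dependency slower than its dependent."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        if a.rto_h > a.mtpd_h:
            findings.append((a.name, f"RTO {a.rto_h}h exceeds MTPD {a.mtpd_h}h"))
        for dep_name in a.depends_on:
            dep = by_name[dep_name]
            if dep.rto_h > a.rto_h:
                findings.append((a.name, f"dependency {dep_name} RTO {dep.rto_h}h "
                                         f"exceeds own RTO {a.rto_h}h"))
    return findings


def required_rto(activities):
    """Propagate RTO downward: a dependency's required RTO is the minimum of its own
    RTO and the RTO of everything that depends on it (iterated to a fixed point)."""
    req = {a.name: a.rto_h for a in activities}
    changed = True
    while changed:
        changed = False
        for a in activities:
            for dep_name in a.depends_on:
                if req[a.name] < req[dep_name]:
                    req[dep_name] = req[a.name]
                    changed = True
    return req


def risks_requiring_treatment(risks, activities, top_n, threshold):
    """Risk assessment scoped to the top_n prioritised activities; returns risks at or
    above the treatment threshold, highest score first."""
    scope = set(prioritised(activities)[:top_n])
    in_scope = [r for r in risks if r.affects in scope and r.score >= threshold]
    return sorted(in_scope, key=lambda r: -r.score)


if __name__ == "__main__":
    print("Priority order:", prioritised(SAMPLE_ACTIVITIES))
    for name, problem in bia_findings(SAMPLE_ACTIVITIES):
        print(f"BIA finding [{name}]: {problem}")
    print("Required RTOs after propagation:", required_rto(SAMPLE_ACTIVITIES))
    for r in risks_requiring_treatment(SAMPLE_RISKS, SAMPLE_ACTIVITIES, top_n=3, threshold=10):
        print(f"Treat: {r.description} ({r.affects}, score {r.score})")
```

    Running it shows why the ordering matters: the dependency BIA flags that CoreDB's 6-hour RTO cannot support Payments' 2-hour RTO, so CoreDB's required RTO is tightened to 2 hours before any recovery strategy is costed, and the risk assessment then spends its effort only on the activities that the BIA ranked as critical.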

  • 5.  RE: Development of a BCP

    Posted 25 Feb, 2020 01:38
    Hi Nalin,

    Thanks for your response. A follow-up question on this...

    At the stage where a risk assessment (RA) is being performed, should the risk assessment focus on risks affecting the key processes identified from the high-level BIA, or should the risk assessment focus on all risks affecting the business unit?

    Kenneth Mararo
    IT Audit

  • 6.  RE: Development of a BCP

    Posted 25 Feb, 2020 02:17
    Hello Kenneth,

    I am glad you asked that question.

    The first step is for the organisation to analyse business impacts and determine the business continuity priorities and requirements. In this process you need to define the impact types and criteria relevant to the organisational context. You also need to identify the processes and activities that support those prioritised activities, and so on.

    Then you identify the risks of disruption to the organisation's prioritised processes and activities and to the required resources. Risks are then analysed and evaluated to determine which risks require treatment.

    By looking at the risks to the prioritised activities, the risks to the business are automatically covered as well.

    If you can get hold of the ISO standard ISO 22301 Business Continuity Management Requirements, it is well stated there.

    Please feel free to ask for any other clarifications.

    Best regards

  • 7.  RE: Development of a BCP

    Posted 23 Feb, 2020 10:05
    Hi All,

    Interesting question and intriguing as well.

    Risk Assessment should be executed first, even before investment in software or hardware products has been committed, to note all related risks (Project Planning / Business Case phase).

    BC is initiated on existing systems that have been risk-assessed; subsequently, a workaround control triggers BC, which deploys the BIA to get a full scope from the eyes of the business and efficiently note and cover operational needs on all existing systems end-to-end in case of foreseen risks.

    S Goba
    IT Professional

    Sanda Goba
    IT Analyst