Cyber Security and Risk Management

Understanding Your Business Risk

In the past, I have had to review business plans for entities wishing to receive economic development help, venture capital, or angel funding. One of my favorite informal questions to business owners was, “What is your business?” I used this question to help determine the “bread and butter” area of their business (i.e. what provides the income that sustains it). Many owners would respond with what they make or what they sell, which is pretty normal. The ones that understood the solutions, services, or benefits they provided to their customers, and how their business delivered them, were usually more likely to be on the road to success. Knowing the value provided by the business and understanding its uniqueness are very important factors; when you understand these things you begin to understand your market. Later in my review of the business plans, and after more due diligence, I usually found that principals and owners who knew their business and markets were the more likely candidates to move forward in the funding process. In a similar fashion, understanding your business, its assets, and the value it provides is a key element in understanding the risks and threats that may impact the resources and processes that support the business.

One of the items commonly missing from the portfolio of many small to medium sized businesses is a pair of plans: a Disaster Recovery (DR) plan and an Incident Response (IR) plan. Most small enterprises may not feel they are large enough to warrant the formal creation of such documents. Creating even simple or rudimentary DR and IR plans can dramatically help you when a disaster or incident occurs, because you have already planned with a cooler head what you are going to do when such an emergency arises. In addition, just the process of formulating these plans helps you better understand your business and its risks.

The intention of this series of articles is to help you start to formulate the basis for both a DR and an IR plan. We will start with a Business Impact Assessment (BIA); what we do there will become very useful in the later articles I will be writing, because the BIA forms the foundation for many of the later actions needed to formulate DR and IR plans. DR and IR plans are living documents and should be reviewed and revised at least annually due to the continually evolving nature of businesses and technology.

What is Risk and Risk Management?

In simple terms, risk is the possibility of something bad happening. The international standard definition of risk for common understanding in different applications is “effect of uncertainty on objectives”.

Risk management refers to the practice of identifying potential risks in advance, analyzing them, and taking precautionary steps to reduce or curb the risk.

Six Sigma defines “Business Risk management as subset of risk management used to evaluate the business risks involved if any changes occur in the business operations, systems and process. It identifies, prioritizes and addresses the risk to minimize penalties from unexpected incidents, by keeping them on track.”

The following sections will take you through some of the preparatory steps needed for formulating a Disaster Recovery Plan and an Incident Response Plan. Both plans address business risk management, and in order to formulate them you have to document the main assets, critical processes, resources, and dependencies that allow your business to function.

Business Impact Assessment

The first step in preparing a DR plan is to perform a business impact assessment. You need to think about the items in your business that are critical to its operation. Start by preparing an inventory of assets. This includes hardware inventory, software inventory, information resources and archives (both digital and physical), financial resources, insurance policies, licenses, permits, certifications, and existing redundancies (backups, backup sites, etc.). You also need to identify who is responsible for these items (i.e. who owns and operates them).

Continue by identifying all key personnel roles and responsibilities, such as communication resources, public relations resources, emergency service contacts, clients, stakeholders, vendors, financial contacts, legal contacts, and all external business resources and their roles. As you look at your lists, ask: what are those things which, if lost, would cause the most impact to your business? Interview the people with critical roles to make sure you capture what they think are the important elements needed for them to perform their roles. This includes the critical processes they handle. From these, begin to formulate a list of critical dependencies and a list of critical processes.

Remember that you will need to identify the critical processes needed to continue operation after a disaster and until you again have full use of your facilities and systems. These are the processes, along with their corresponding applications and systems, that must be restored immediately to continue operations.
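The questions above (which assets, if lost, stop the most critical processes, and which assets have no identified owner) can be answered mechanically once the inventory and dependency lists exist. The following is an added example, not code from the article: it models a small, constructed BIA (process and asset names, owners, and dependencies are all invented for illustration), follows dependencies transitively so that a shared server or power feed is counted for every process that indirectly needs it, ranks single points of failure, and flags assets with no owner. It goes beyond the text in treating dependencies as a graph rather than a flat list.

```python
# Added example (not the article's own material). All names and data below
# are constructed for illustration of a Business Impact Assessment.

# Processes the business must restore immediately after a disaster.
CRITICAL_PROCESSES = {"order-intake", "invoicing", "payroll"}

# Direct dependencies: a process or asset -> the assets it needs to function.
DEPENDENCIES = {
    "order-intake": {"web-shop", "crm-db"},
    "invoicing": {"erp", "crm-db"},
    "payroll": {"erp", "hr-files"},
    "web-shop": {"app-server", "internet-link"},
    "crm-db": {"db-server"},
    "erp": {"db-server", "erp-license"},
    "hr-files": {"file-server"},
    "app-server": {"office-power"},
    "db-server": {"office-power"},
    "file-server": {"office-power"},
}

# Asset -> responsible person or role. Deliberately incomplete to show gaps.
OWNERS = {
    "web-shop": "web team",
    "crm-db": "sales ops",
    "erp": "finance",
    "hr-files": "HR",
    "app-server": "IT",
    "db-server": "IT",
    "file-server": "IT",
    "office-power": "facilities",
}


def transitive_dependencies(item, deps=DEPENDENCIES):
    """All assets `item` depends on, directly or through other assets."""
    seen = set()
    stack = list(deps.get(item, ()))
    while stack:
        asset = stack.pop()
        if asset in seen:
            continue
        seen.add(asset)
        stack.extend(deps.get(asset, ()))
    return seen


def impact_of_losing(asset, critical=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Critical processes that stop if this single asset is lost."""
    return {p for p in critical if asset in transitive_dependencies(p, deps)}


def all_assets(critical=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Every asset that at least one critical process depends on."""
    assets = set()
    for process in critical:
        assets |= transitive_dependencies(process, deps)
    return assets


def rank_single_points_of_failure(critical=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Assets ordered by how many critical processes their loss would halt.

    Returns a list of (asset, sorted list of impacted processes), most
    impactful first; ties are broken alphabetically for a stable report.
    """
    impacts = {a: sorted(impact_of_losing(a, critical, deps)) for a in all_assets(critical, deps)}
    ranked = sorted(impacts, key=lambda a: (-len(impacts[a]), a))
    return [(a, impacts[a]) for a in ranked]


def unowned_assets(owners=OWNERS, critical=CRITICAL_PROCESSES, deps=DEPENDENCIES):
    """Assets needed by a critical process but with no identified owner."""
    return sorted(a for a in all_assets(critical, deps) if a not in owners)


if __name__ == "__main__":
    for asset, processes in rank_single_points_of_failure():
        print(f"{asset:14s} halts {len(processes)} critical process(es): {', '.join(processes)}")
    print("assets with no owner:", ", ".join(unowned_assets()) or "none")
```

In this constructed data the database server and the office power feed each halt all three critical processes even though no process lists them directly, which is exactly the kind of shared dependency that a flat asset list hides; the two unowned assets are the items to chase down before the assessment is considered complete.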

In my next article I will take you through performing a Threat Assessment to help you identify the risks to your business. We will attempt to identify all potential disasters that may affect your business and give each a threat probability of occurrence. We will then create a procedure covering each identified threat regardless of its probability score, completing those rated High first. Procedures should be distributed to the appropriate personnel, reviewed, and adjusted as necessary.