Page 572 - ITGC_Audit Guides

Assessment Objective: Risk Assessment and Business Impact Analysis (BIA)

Maturity Evaluation (Process Maturity)

Optimizing

  Characteristics of Capability:
  The results of the risk assessment and BIA drive continued enhancement to recovery strategies. The execution and review of risk assessments and BIAs are coordinated with organizational and technology change management/due diligence processes.

  Method of Achievement:
  Senior management performs as a steering committee to identify and approve risk and impact conclusions. The steering committee recommends changes to the risk assessment and BIA process, based on the needs and requirements of the business itself.

Managed

  Characteristics of Capability:
  Senior management supports the formal approach to the risk assessment and BIA. The establishment of objectives and effectiveness are measurable. Both recovery time objectives (RTO) and recovery point (data loss tolerance) objectives (RPO) are established, as is the capacity/capability at the RTO. The risk assessment process takes into account controls assessment. These processes are repeatable and are executed on a regularly scheduled basis.

  Method of Achievement:
  The results of the risk assessments and BIAs drive the definition and development of recovery strategies and solutions. Core business processes and IT applications/systems have been addressed and are reviewed during the regularly scheduled risk assessment and BIA updates. Senior management uses these results to measure and manage enterprise-wide risk.

Defined

  Characteristics of Capability:
  A more formal approach has been implemented regarding assessing risk and business impact. Management has identified an approach to define levels of criticality, supporting a methodology to collect/estimate business impact data. Recovery time objectives have been defined, and strategies have been selected to meet these requirements. Management reviews and approves risk assessment and BIA results.

  Method of Achievement:
  As part of a formal BC strategy selection and implementation process, a defined risk assessment, or BIA approach, is established. The strategy selection process also includes recovery objectives tied directly to levels of criticality and impacts to the organization. Executive management formally drives and approves these analyses.

Repeatable

  Characteristics of Capability:
  Management has informally developed risk assessment conclusions and recovery priorities, typically as a result of discussions and facilitated sessions, as opposed to formal analysis. Priorities are normally focused on the component level. Management may be unable to fully justify recovery strategy funding, given that business impact information (financial or nonfinancial) remains incomplete.

  Method of Achievement:
  Business and/or IT management have discussed and summarized continuity/availability risks or perceived impacts associated with business interruptions. Preliminary/high-level recovery objectives are agreed upon; however, a process to measure the effectiveness and reasonableness of these objectives is absent.

Initial

  Characteristics of Capability:
  Neither a formal nor informal risk assessment or BIA has been performed. Business and IT management may have developed recovery priorities, but these conclusions are potentially limited to perceived levels of importance (focus on their isolated knowledge of the business). The organization has not estimated the impacts (financial or nonfinancial) associated with business interruptions.

  Method of Achievement:
  Business and/or IT management developed "ad hoc" recovery priorities based on perceived levels of importance. Failure scenarios and controls assessments remain incomplete. Measurement criteria have not been established.