analysis is inextricably linked with
disaster recovery. Assessment of the
risks which may lead to disaster is
essential in the determination of
what controls are appropriate to the
situation. Again, however, risk
analysis is often made more
difficult than necessary.
Threat & Vulnerability Assessment
and tool was designed to simplify
matters, and to make risk analysis
more widely accessible through
automation. It is now probably the
most widely used product and method
in the world
02/19/2014 Business continuity objectives -
Business continuity objectives are, along with the business impact analysis,
probably one of the most difficult elements of ISO 22301 implementation. Most of
the business continuity implementers have problems like these: Which types of
objectives exist? What are they used for? How are they set?
Purpose of business continuity objectives
Victor Janulaitis, the CEO of Janco Associates, said, "What gets measured
gets managed." The same goes for business continuity: if you don't know how
well you are doing, you will have a very difficult time steering your
business continuity in the desired direction. And it is exactly this desired
direction that is an essential part of measurement: setting the
Types of objectives
There are at least two levels for which you need to set objectives:
1) Strategic objectives: for your whole Business Continuity Management System, and
2) Tactical objectives: Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum
Business Continuity Objectives (MBCOs), and exercising and
Of course, depending on the size and complexity of your organization, you can
choose to add another layer of objectives, e.g., at the level of
individual organizational units (departments, business units,
02/12/2014 Using spreadsheets to manage risk is risky -
Spreadsheets are universally loved. Why? Because they give everyone their own
version of the truth, with complete autonomy to update and amend them as often
as they like, without interference from anyone else. However, while spreadsheets
might be a great tool at an individual level, they are completely un-scalable, and
therefore totally unsuitable for compiling and analysing information
enterprise-wide, or even for individual projects.
When applied to a risk management scenario, the potential horrors magnify.
Who knows what risks are lurking in a spreadsheet so far undiscovered, with all
around thinking that they have ticked the box and that risk is managed.
Using spreadsheets and emails to manage risk is a very risky approach.
Here are the main reasons it does not work:
- Lack of integrity: spreadsheets are easily manipulated.
Anyone could make changes to data to help present a better picture. This could
be to cover up a situation once it has happened, to help move blame or
mitigate responsibility, or to present a situation or opportunity in a better
- No audit trail: you can't easily check who changed what
when. You have no guarantee of the provenance of data supplied, and you
can't see how it may have changed over time.
- Deadlines missed: spreadsheets don't have any workflows
or processes built into them. So while someone may request a review, some
information or an audit, if there is no response, there is no mechanism to
highlight missed deadlines.
- No consistency: with no formal structure, each time a
new spreadsheet is set up the formatting will be different.
- Difficult to compile information: risk management
information could be held within hundreds of spreadsheets across the
organization. Compiling them is a very long and arduous task.