
Conducting a Business Continuity Risk Assessment

The risk assessment focuses on the risks associated with a resource, and then links those risks to every activity that uses the resource. A risk is therefore raised once, against a single resource, and automatically maps onto all of the activities that depend on it, so the same information does not have to be repeated for each activity.

Multiple risk assessments can be created and managed within Abriska. To allow groups of resources to be included within a risk assessment, the concept of an “Entity” is used. An “Entity” is a risk assessment conducted against one or more groups of assets: for example, all resources from a single site, all resources used by a specific activity, or all resources that are the responsibility of a single contact. To view the organisation's risk assessments, click “Entities” on the organisation homepage. To change an entity's name or description, or to assign the entity to a contact, click the entity name and then click “Setup Entity”.

Entity Risk Assessment Flow

Abriska guides users through an organisation-defined workflow that meets the requirements of BS 25999. The default workflow is shown in the diagram below.

More links become available on the sidebar as the risk assessment progresses through the workflow stages.

Identify Resources

Resources must be allocated to an entity before a risk assessment can be performed against it. A resource can be allocated to more than one entity, so that central (shared) resources are included in every risk assessment that depends on them. To select resources for an entity, click the entity name and then “View Resources”. All available resources are displayed, with a filter that narrows the list by division. Tick the checkbox next to each resource that should be included in this risk assessment.
If resources are added after the risk assessment has been started, Abriska requires every threat linked to the newly added resources to be reviewed (or reviewed again), because the assessment's conclusions may no longer hold for the larger set of resources.

Threat identification

To enforce consistency across every risk assessment conducted in Abriska, the same organisation threat list is considered each time. If one of the organisation threats is not applicable to a particular risk assessment (either because it is outside the scope of the assets/resources under review, or because it is not a realistic threat to them), it can be excluded from the entity. A justification must be recorded for every exclusion, so that the reason a threat was set aside can be audited later.

If an organisation threat is not linked to any resource allocated to this entity, Abriska enters a default justification for excluding it. If a threat is nevertheless included in the entity while being linked to none of its resources (see Threat to resource mapping), the threat is highlighted red, as is the corresponding flowchart stage, so that the mismatch is visible and can be corrected.

If additional organisation threats are added at any point, they appear in this threat list and the risk assessment is marked as not complete. Newly identified organisational threats may be relevant to this entity, so each one must be considered (included and assessed, or excluded with a justification) before the assessment can be completed again.
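The rules described on this page (a risk raised against a resource mapping onto every activity that uses it; threats linked to no allocated resource being excluded by default; exclusions requiring a justification; unlinked included threats being flagged red; and newly allocated resources or newly added organisation threats re-opening the assessment) can be expressed as a small state machine. The following is an added example written for this page, not Abriska's own code or data model; the resource, activity and threat names, and the wording of the default justification, are constructed for illustration.

```python
# Added example (not Abriska's code): a toy model of the entity risk-assessment
# rules described on this page. Names and sample data are constructed.
from dataclasses import dataclass, field

# Assumed wording; Abriska's actual default justification text is not on the page.
DEFAULT_JUSTIFICATION = "Not linked to any resource allocated to this entity"


@dataclass(frozen=True)
class Resource:
    name: str
    activities: frozenset  # activities that use this resource


@dataclass(frozen=True)
class Threat:
    name: str
    resources: frozenset  # organisation-level threat-to-resource mapping


@dataclass
class Entity:
    name: str
    resources: dict = field(default_factory=dict)  # name -> Resource allocated here
    threats: dict = field(default_factory=dict)    # name -> Threat (organisation list)
    reviewed: set = field(default_factory=set)     # threats assessed for this entity
    excluded: dict = field(default_factory=dict)   # threat name -> justification
    pending: set = field(default_factory=set)      # threats still needing (re)review
    started: bool = False


def activities_at_risk(entity, resource_name):
    """A risk raised against one resource maps onto every activity that uses it."""
    return set(entity.resources[resource_name].activities)


def threats_for_resource(entity, resource_name):
    return {t.name for t in entity.threats.values() if resource_name in t.resources}


def apply_default_exclusions(entity):
    """Threats linked to none of the allocated resources get the default justification."""
    allocated = set(entity.resources)
    for t in entity.threats.values():
        unlinked = not (t.resources & allocated)
        if unlinked and t.name not in entity.excluded and t.name not in entity.reviewed:
            entity.excluded[t.name] = DEFAULT_JUSTIFICATION
            entity.pending.discard(t.name)


def start_assessment(entity):
    entity.started = True
    apply_default_exclusions(entity)
    entity.pending = set(entity.threats) - set(entity.excluded)


def allocate_resource(entity, resource):
    """Adding a resource after the start forces re-review of every threat linked to it."""
    entity.resources[resource.name] = resource
    for t in threats_for_resource(entity, resource.name):
        if entity.excluded.get(t) == DEFAULT_JUSTIFICATION:
            del entity.excluded[t]  # the default exclusion no longer holds
        if entity.started:
            entity.pending.add(t)
            entity.reviewed.discard(t)


def exclude_threat(entity, threat_name, justification):
    """An exclusion is only accepted together with a non-empty justification."""
    if not justification.strip():
        raise ValueError("excluding a threat requires a justification")
    entity.excluded[threat_name] = justification
    entity.pending.discard(threat_name)
    entity.reviewed.discard(threat_name)


def review_threat(entity, threat_name):
    entity.reviewed.add(threat_name)
    entity.pending.discard(threat_name)


def red_flagged(entity):
    """Included threats that map to no allocated resource (highlighted red in Abriska)."""
    allocated = set(entity.resources)
    return {t.name for t in entity.threats.values()
            if t.name not in entity.excluded and not (t.resources & allocated)}


def add_org_threat(entity, threat):
    """A newly identified organisation threat re-opens the entity's assessment."""
    entity.threats[threat.name] = threat
    entity.pending.add(threat.name)


def is_complete(entity):
    return entity.started and not entity.pending


def build_demo():
    """Constructed sample: two resources, three organisation threats, one entity."""
    payroll = Resource("payroll-server", frozenset({"pay staff", "HR reporting"}))
    printer = Resource("office-printer", frozenset({"HR reporting"}))
    org_threats = [
        Threat("ransomware", frozenset({"payroll-server"})),
        Threat("toner shortage", frozenset({"office-printer"})),
        Threat("flood", frozenset({"payroll-server", "office-printer"})),
    ]
    entity = Entity("Head office", threats={t.name: t for t in org_threats})
    allocate_resource(entity, payroll)
    start_assessment(entity)
    return entity, printer


if __name__ == "__main__":
    entity, printer = build_demo()
    print("default exclusions:", entity.excluded)
    print("pending review:", sorted(entity.pending))
    print("activities exposed via payroll-server:", activities_at_risk(entity, "payroll-server"))
```

Walking through `build_demo()`: the entity starts with only the payroll server, so "toner shortage" is excluded with the default justification and "ransomware" and "flood" are pending. Allocating the printer later drops that default exclusion and puts both "toner shortage" and "flood" back into the review queue, and an exclusion with a blank justification is rejected, which is the audit property the page describes.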