Business Impact Assessment

Business Impact Assessment

A business impact assessment (BIA) identifies an organization’s most critical resources and the threats against those resources.  The BIA is one of four phases of the business continuity planning (BCP) process. The assessment evaluates each threat in terms of the probability of an event occurring and the impact of an event should it occur.  The outputs of the BIA provide quantitative measures that help to prioritize the allocation of business continuity resources.

Business impact assessments are an important component of an effective security program.  If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to understand the role of the business impact assessment in the business continuity planning process.  You need to make sure you understand the quantitative formulas associated with the BIA process and the concepts of asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy.

Quantitative versus Qualitative Analysis

There are two types of analyses used in making business impact assessments.

Quantitative decision-making is based on data that can be measured or counted and is driven by the use of numbers and calculations. The results of a quantitative analysis are often in the form of dollar values.

Qualitative decision-making is based on data that is descriptive in nature, answering questions such as “What would be the potential impact of an employee theft of data.”  It is frequently based at least in part on the opinions of members of the security team and other subject matter experts on topics like reputation, investor/customer confidence, or workforce stability.  The results of a qualitative analysis are often in the form of categories of prioritization such as high, medium, and low.

Determining Asset Value and Exposure Factor

Determining the value of the organization’s assets is fundamental to establishing the business priorities of the BCP and is typically the first step in the quantitative assessment of the business impact assessment.  In determining value, the BCP team creates a list of the organization’s assets and then assigns an asset value (AV) to each one.

In addition to the asset value list, the BCP also compiles a list of risks to the organization.  This list should be as comprehensive as possible and includes both natural and man-made events. A few examples include earthquakes, violent storms, fire, power failures and theft.

The exposure factor (EF) is a measure of the potential damage that a specific risk poses to a specific asset.  EF is expressed as a percentage of an asset’s value. For example, the theft of a laptop might have an EF of 100% because the laptop would be a complete loss, while a hurricane making a direct hit on the building might have an EF of 60% if the BCP team concludes that a hurricane would only destroy 60% of the building.

Computing the Single Loss Expectancy

The single loss expectancy (SLE) is the financial loss that is expected each time a risk is realized. The SLE is calculated using the following formula:


Continuing with the previous examples.  If a laptop’s AV is $1,500 and its EF from theft is 100% then:

SLE = $1,500 x 100% = $1,500

Likewise if the facility’s AV is $1,000,000 and its EF from hurricane is 60% than:

SLE = $1,000,000 x 60% = $600,000.

Computing the Annualized Loss Expectancy

A likelihood assessment evaluates the probability of risks becoming realized.  Some events are more likely than others to occur. Earthquakes, for example, are rare in New England but rather common in Southern California.

For each of the events that have been identified as potential risks to the organization, the BCP makes a determination as to how likely it is that the risk will be realized.  The likelihood is generally stated in terms of an annualized rate of occurrence (ARO) reflecting how many times an organization expects to experience the event each year.  Best practices for determining the ARO for an event include referencing historical data, the experience of the BCP members and others in the organization, and advice from outside experts.

The annualized loss expectancy (ALE) is the financial loss that an organization expects to suffer as the result of realized risks harming assets over the course of one year.  The ALE is calculated using the ARO, which tells us the likelihood of an event impacting an asset, and the SLE, which tells us what the loss will be if the event occurs. The ALE formula itself is simple:


As an example consider that a magnitude 4 earthquake impacting a facility in New York has been given an SLE of $450,000 and an ARO of 2%:

ALE = $450,000 x 2% = $9,000

Having made the ALE calculation the BCP now has an a quantifiable dollar value to assign to the associated risk of an earthquake impacting the facility.  The ALE can be used to understand risk and help set priorities for the protection of assets.

Understanding the business impact assessment is an important component of your preparation for a variety of security certification programs.  If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.

No Comments

Post A Comment