Risk assessments and impact analysis are critical activities to help organizations understand their exposure to potential business disruptions. By carefully analyzing risks and their potential consequences, companies can develop effective strategies to prevent, detect and respond to adverse events. This proactive approach is a key component of a robust business continuity and operational resilience program.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full document here.

The Cloud Security Alliance (CSA) is a leading organization that promotes best practices for secure cloud computing. Their Cloud Controls Matrix (CCM) provides a comprehensive set of security controls mapped to various industry standards.

For more background, check out:

• CSA Cloud Controls Matrix Overview
• NIST SP 800-34 Rev. 1 Contingency Planning Guide
• ISO 22301 Business Continuity Management Standard

Who should care?

This control is relevant for:

• Business continuity managers looking to identify and mitigate risks to critical business functions
• IT managers responsible for ensuring systems and data are available to support the business
• Risk managers needing to quantify the organization's risk exposure and treatment strategies
• Compliance officers aiming to meet regulatory requirements around operational resilience

What is the risk?

Without a thorough risk assessment and impact analysis, organizations may be blindsided by disruptive events. This could lead to:

• Extended outages of critical systems and services
• Loss of sensitive data
• Financial losses due to interrupted business operations
• Reputational damage from failing to serve customers

While the specific risks will vary for each organization, common threats include natural disasters, cyber attacks, supply chain disruptions, and pandemics.

A well-executed risk assessment and impact analysis will identify an organization's key risks, along with their likelihood and potential impact. This information then drives the development of appropriate prevention, detection and response capabilities.

What's the care factor?

Business continuity managers and other leaders should treat risk assessments and impact analysis as a high priority.

These activities are foundational for an effective resilience program. Without a clear understanding of risks and impacts, subsequent continuity strategies and plans are likely to be inadequate.

Additionally, regulators are increasingly expecting organizations to have mature operational resilience capabilities. Failing to conduct proper risk assessments could lead to compliance issues and scrutiny from authorities.

That said, the level of rigor and frequency of these assessments should be commensurate with each organization's risk profile and appetite. Lower risk or less critical functions may warrant a lighter touch approach.

When is it relevant?

Risk assessments and impact analysis should be conducted in scenarios such as:

• Development of a new business continuity program
• Major changes to the organization's risk landscape (e.g. moving to the cloud)
• Regularly scheduled reviews (e.g. annually)
• After significant organizational changes (e.g. mergers, new product lines)

They are less relevant for smaller, incremental changes to existing processes and systems. The effort of a full assessment may outweigh the benefit in those cases.

Organizations should define clear criteria for when to perform risk assessments in their business continuity policy.

What are the trade offs?

Conducting risk assessments and impact analysis consumes time and resources. Workshops, interviews, data analysis, and documentation all take people away from other activities.

There may be a temptation to cut corners or perform assessments too infrequently, especially if the organization has not recently experienced any major disruptions. Leaders need to invest adequate resources to match the level of risk facing the business.

These activities can also be quite revealing. Business owners may be uncomfortable exposing vulnerabilities and gaps in their areas. Fostering an open, blameless culture is key to getting an accurate picture of the organization's risks.

How to make it happen?

To enact this control:

1. Assign ownership of the risk assessment process to an accountable leader (e.g. Chief Risk Officer, Head of Business Continuity)
2. Define program objectives and risk assessment scope
3. Identify key risks to people, processes, technology, facilities, and supply chains
   • Interview process/system owners
   • Review past incident data and industry threat reports
   • Brainstorm emerging risks and "black swan" events
4. Analyze and score each risk based on likelihood and impact
   • Quantify financial, reputational, and other impacts where possible
   • Confirm risk appetite and tolerance with leadership
5. Prioritize risks and determine appropriate risk treatments
   • Options include avoid, mitigate, transfer, or accept each risk
6. Perform business impact analysis
   • Define critical products, services, and processes
   • Determine recovery time and point objectives (RTO/RPO)
   • Estimate internal and external dependencies
   • Identify minimum resources required to recover
7. Document results and brief key stakeholders for feedback
8. Use outputs to inform overall business continuity strategy and plan
9. Integrate risk assessments into broader enterprise risk management processes
10. Repeat assessments at defined intervals or triggers

What are some gotchas?

Some key considerations when implementing this control:

• Ensure the right stakeholders are involved to get a complete view of risks/impacts
• Don't neglect frequently changing areas like third-party relationships
• Carefully protect sensitive information uncovered in the assessment process
• Watch for inconsistencies or gaps across business units performing separate assessments
• Strike a balance between qualitative and quantitative risk measurements
• Validate risk data and impact estimates with an independent party if possible
• Be realistic about resource requirements for assessments and subsequent risk treatments

Specific technical permissions and resources will depend on the systems and methodologies used to perform the assessments. Some common needs:

• Read access to configuration management databases (CMDBs), asset inventories, network diagrams, etc. (AWS Config, AWS Systems Manager Inventory)
• Permissions to interview system owners and review application architectures
• Access to risk management tools to document and track risks (AWS Audit Manager)
• Licenses for business impact analysis (BIA) software

What are the alternatives?

Some alternative approaches to risk assessments and impact analysis:

• Rely solely on external consultants to perform assessments
  • Pros: Independent expertise and perspective
  • Cons: Less knowledge transfer to internal teams, ongoing cost
• Perform only high-level qualitative assessments
  • Pros: Quicker and less resource intensive
  • Cons: Lack of detailed data to support decisions
• Skip detailed risk analysis and focus on addressing known issues
  • Pros: Faster improvements to obvious gaps
  • Cons: May miss systemic vulnerabilities or "unknown unknowns"
• Decentralize assessments with limited oversight
  • Pros: Greater speed and business unit autonomy
  • Cons: Inconsistent results, lack of aggregated risk view

Ultimately, the chosen approach needs to match the organization's culture and risk management maturity. The CSA recommended practice provides a balanced, structured methodology as a starting point.

Explore further

• ISACA Risk IT Framework
• FAIR Institute Risk Management Resources
• CIS Critical Security Control 7: Continuous Vulnerability Management
• ISO 31000 Risk Management Guidelines
• AWS Risk & Compliance