Lec8-Risk Mitigation Strategy Dev
Lubbad
rlubbad@gmail.com
rlubbad@ucas.edu.ps
Contents
Risk Mitigation in BC/DR
Types of risk mitigation strategies
Risk mitigation process
IT risk mitigation
Backup and recovery considerations
Risk mitigation in Risk Management
Business Continuity is all about risk mitigation, and a risk mitigation plan is essential.
If you are not looking at how to reduce, eliminate, or accept risks, you are missing the mark.
Risk Mitigation in BC/DR plan
• It’s important to develop risk mitigation strategies that match your
company’s profile (its critical needs).
• There is no one-size-fits-all answer in the risk mitigation phase.
• You’ll have to create a strategy that meets your company’s financial,
operational, and risk management goals.
• Keep the 80/20 rule in mind when developing your strategies:
• Twenty percent of your applications are going to require 80% of
your time, effort, and resources to address appropriately.
• Eighty percent of your applications, then, should only consume
20% of your time, effort, and resources.
Types of Risk Mitigation Strategies
The important points to weigh for each option are its cost and its time, both short term and long term.
Types of risk mitigation strategies: Risk acceptance
It is a strategy in which the organization accepts the potential
consequences of a given risk and does nothing to avoid, limit, or transfer
the risk.
Is it logical to spend $100,000 to mitigate a risk that costs $1,000?
Acceptance usually has a very low (or zero) cost associated with managing the risk,
but this option is very high cost in the aftermath of a disruption.
Risk acceptance should be evaluated along with the other options to
determine the implications, appropriate actions, and costs of the various
mitigation strategies.
Risk acceptance is the least expensive option in the near term and often
the most expensive option in the long term, should an event occur.
Types of risk mitigation strategies: Risk avoidance
It is a strategy in which the risk is completely avoided.
This might include shutting down critical systems and moving
them in advance of a hurricane.
Avoidance takes the risk to zero, but it often has a high cost
associated with it.
Risk avoidance is usually the most expensive of all risk mitigation
strategies, but it has the result of reducing the cost of downtime
and recovery significantly.
The cost is very high early on, but after a business disruption it is
lower than the cost of the other strategies.
Types of risk mitigation strategies: Risk limitation
It is a strategy that falls in between acceptance and avoidance: it
employs a bit of risk acceptance along with a bit of risk avoidance, or an
average of both.
Most companies choose a risk limitation strategy, especially for IT systems,
where complete acceptance or avoidance is too costly on either side of a
disruption.
For example, performing daily backups of critical business data:
it doesn’t stop a disk drive from crashing, and it doesn’t ignore the potential for disk failure.
It accepts that drives fail and, when they do, having backups helps you recover in a timely manner.
Risk limitation costs an average between acceptance and avoidance, both in terms of early costs
and costs after the business disruption.
Examples: installing firewalls to keep networks safe, creating backups to keep
data safe, practicing fire drills to keep employees safe, and more.
Types of risk mitigation strategies: Risk transference
It is a strategy that involves handing the risk off to a willing third
party.
In risk transfer, you usually have to pay some other company
some amount of money to assume that risk.
You may pay an IT company to manage your security or
databases for you, or an insurance company that will pay for
losses in the event of a business disruption.
Risk transference will usually cost more as some sort of up-front or
ongoing fee, but the overall cost will usually be somewhere in the
same area as risk limitation.
One important point to note is that risk limitation usually has an
end-point cost: it is finite and known, and usually ends at some point in time.
Risk transference, however, can be ongoing.
Near-term costs of risk limitation and risk transference may appear to
be similar.
It’s important to understand the duration of the cost with regard to
these strategies and the operational implications of each.
Relationship between time and cost for risk mitigation options:
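The slides compare the four strategies qualitatively: acceptance is cheapest now and most expensive once an event occurs, avoidance is the reverse, limitation sits in the middle, and transference carries an ongoing fee. The following added example (not part of the lecture) turns that comparison into a small cost-over-time model. All cost figures, the disruption impact and the residual-impact fractions are constructed to mirror the lecture's ordering, not measured data; replace them with your own BIA numbers.

```python
"""Cumulative cost of the four risk mitigation strategies over a time horizon.

Added example, not from the lecture. Every figure below is constructed to
illustrate the lecture's qualitative claims (assumption, not real data).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Strategy:
    name: str
    upfront: float            # one-off cost paid at the start (year 0)
    annual: float             # recurring cost paid every year of the horizon
    residual_fraction: float  # share of the disruption impact still borne if an event occurs


# Constructed: what one disruption would cost with nothing in place.
IMPACT = 500_000.0

# Constructed parameters chosen to mirror the lecture's ordering:
#   acceptance   -> ~zero cost now, full impact later
#   avoidance    -> high cost now, near-zero impact later
#   limitation   -> medium on both sides (daily backups still lose up to a day's work)
#   transference -> modest set-up, ongoing fee, third party absorbs most of the impact
STRATEGIES = [
    Strategy("acceptance",   upfront=0.0,       annual=0.0,      residual_fraction=1.00),
    Strategy("avoidance",    upfront=300_000.0, annual=20_000.0, residual_fraction=0.02),
    Strategy("limitation",   upfront=60_000.0,  annual=15_000.0, residual_fraction=0.25),
    Strategy("transference", upfront=10_000.0,  annual=45_000.0, residual_fraction=0.10),
]


def total_cost(s: Strategy, years: int, event_year: Optional[int],
               impact: float = IMPACT) -> float:
    """Cumulative cost of strategy `s` after `years` years.

    `event_year` is the 1-based year in which a disruption occurs, or None if no
    disruption occurs within the horizon. Recurring cost is paid for each year.
    """
    cost = s.upfront + s.annual * years
    if event_year is not None and 1 <= event_year <= years:
        cost += impact * s.residual_fraction
    return cost


def cheapest(years: int, event_year: Optional[int]) -> str:
    """Name of the strategy with the lowest cumulative cost for this scenario."""
    return min(STRATEGIES, key=lambda s: total_cost(s, years, event_year)).name


def comparison_table(horizons=(1, 5, 10)) -> list:
    """One row per horizon, with and without a disruption in the final year."""
    rows = []
    for years in horizons:
        for event_year in (None, years):
            row = {"years": years, "event": event_year is not None}
            for s in STRATEGIES:
                row[s.name] = total_cost(s, years, event_year)
            row["cheapest"] = cheapest(years, event_year)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in comparison_table():
        print(row)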
Risk mitigation process
In order to develop a risk mitigation strategy:
• You first have to know your options.
• You have to look at the various risks, threats, threat sources,
vulnerabilities, and impacts.
• Next, you need to look at the recovery profile, including the
recovery requirements, the options, and the timeframe of each option (compared
with the maximum tolerable downtime, or MTD).
• Analyze the cost versus the capability of the options.
Risk mitigation process: Recovery Options
Recovery requirements are developed during the risk assessment phase and
include data from the business impact analysis.
You can begin by delineating the key functional areas of your company and
determining the key business processes in each.
Recovery requirements include the time and cost of recovery as well as any
specific processes or procedures required by each functional area of the
company.
If a process is not mission critical (or essential), it is likely not a good
candidate for the expenditure of time and effort to develop mitigation
strategies.
Recovery requirements can be categorized even within the functional areas.
For example, a recovery requirement category for facilities is alternate office
space. Another category might be a crisis management center or a
communications command center.
Recovery options are developed for each critical business process or function.
Recovery options must fit within the constraints of the recovery requirement.
Otherwise, they should not be considered as part of the BC/DR process.
The cost and time to implement each type of option varies.
Your primary concern is to develop a list of viable options based on the
business impact analysis data you have.
For example, if you have a requirement for an alternate computing facility,
you have numerous options available, ranging from borrowing computer space
from a local firm, to setting up a co-location center outside your own
geographic area, to using public or private cloud options, and many other
solutions in between.
These options should be listed so they can be included in the subsequent
evaluation steps.
Three Categories of Recovery Options
As needed, pre-arranged, pre-established.
Recovery options usually fall into one of three categories.
Each of these can also be considered part of a mitigation strategy:
• You can acquire the option as needed,
• pre-arrange for an option,
• or you can pre-establish an option.
Time is one of the major factors in each of these options;
cost is another factor;
overall utility to the organization is a third factor to explore.
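The two preceding slides say that recovery options must fit within the recovery requirement (recovery time within the MTD from the BIA, cost within budget) or be dropped, and that each option falls into one of three categories (as needed, pre-arranged, pre-established) judged on time, cost and utility. The following added example (not part of the lecture) implements that screening step for the alternate computing facility example on the slide. The option names, costs, recovery times and requirements are constructed illustrations, not figures from the lecture.

```python
"""Screen recovery options against a recovery requirement (MTD and budget).

Added example, not from the lecture. All options, times, costs and
requirements below are constructed sample data (assumption, not real figures).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Category(Enum):
    AS_NEEDED = "as needed"              # acquired only when the disruption happens
    PRE_ARRANGED = "pre-arranged"        # contract in place, activated on demand
    PRE_ESTABLISHED = "pre-established"  # already built and running


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    category: Category
    time_to_recover_hours: float  # time until the function is back in service
    upfront_cost: float
    annual_cost: float

    def cost_over(self, years: int) -> float:
        """Total cost of keeping this option available for `years` years."""
        return self.upfront_cost + self.annual_cost * years


@dataclass(frozen=True)
class RecoveryRequirement:
    process: str
    mtd_hours: float         # maximum tolerable downtime from the BIA
    budget_over_years: float  # what the process justifies spending over `years`
    years: int


def viable_options(req: RecoveryRequirement,
                   options: List[RecoveryOption]) -> List[RecoveryOption]:
    """Keep only options that recover within the MTD and cost within budget."""
    return [o for o in options
            if o.time_to_recover_hours <= req.mtd_hours
            and o.cost_over(req.years) <= req.budget_over_years]


def rank_options(req: RecoveryRequirement,
                 options: List[RecoveryOption]) -> List[RecoveryOption]:
    """Viable options, cheapest first; ties broken by faster recovery."""
    return sorted(viable_options(req, options),
                  key=lambda o: (o.cost_over(req.years), o.time_to_recover_hours))


# Constructed options for an "alternate computing facility" requirement.
OPTIONS = [
    RecoveryOption("borrow space at a local firm", Category.AS_NEEDED, 120.0, 0.0, 2_000.0),
    RecoveryOption("co-location site outside region", Category.PRE_ARRANGED, 48.0, 40_000.0, 30_000.0),
    RecoveryOption("hot standby in public cloud", Category.PRE_ESTABLISHED, 2.0, 25_000.0, 60_000.0),
    RecoveryOption("warm standby in private cloud", Category.PRE_ESTABLISHED, 12.0, 80_000.0, 20_000.0),
]

# Constructed requirements: a mission-critical process with a tight MTD and a
# less critical one with a looser MTD but a smaller budget.
ORDER_PROCESSING = RecoveryRequirement("order processing", mtd_hours=24.0,
                                       budget_over_years=400_000.0, years=5)
PUBLIC_WEBSITE = RecoveryRequirement("public website", mtd_hours=72.0,
                                     budget_over_years=200_000.0, years=5)


if __name__ == "__main__":
    for req in (ORDER_PROCESSING, PUBLIC_WEBSITE):
        print(f"{req.process}: MTD {req.mtd_hours}h, budget {req.budget_over_years:,.0f}")
        for o in rank_options(req, OPTIONS):
            print(f"  {o.name} [{o.category.value}] "
                  f"{o.time_to_recover_hours}h, {o.cost_over(req.years):,.0f} over {req.years}y")
```

With this data the as-needed option never qualifies: borrowing space is nearly free but takes five days, which exceeds both MTDs. The tight-MTD process is left with only the two pre-established options, and the cheapest over five years wins; the looser process can also consider the pre-arranged co-location site. Swapping in your own BIA figures is the whole exercise; the screening rule (time within MTD, cost within budget, then rank) stays the same.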