Do you ever use the phrase ‘you are creating a tempest in a teapot’? It means don’t make a big deal out of something that isn’t one. Doing a little research, I found other similar phrases I thought were entertaining. They are:
- 'A storm in a teacup' – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
- 'A storm in a glass of water' - Netherlands
- 'Tempest in a potty' - Hungary
- ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ - England
Of course my seven-year-old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.
Most organizations perform some type of risk management activity. This usually includes identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive the residual risk down to within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical? And how would you know?
Let me give you a simple example. A cyber attack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical, causing them to spend the same level of time, attention and resources protecting the less critical areas; this is the ‘tempest in a teapot’ syndrome.
It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.
A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts. It is a well-known methodology inside business continuity (BC) circles, as these teams have performed BIAs for decades to determine which business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not, and this is a common problem in many organizations’ risk management programs.
To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:
- A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes. Check out my Issues Management blog: Facing a Tsunami of issues
- A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
- The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
- The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.
The RSA Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.
The Duke of Ormond's letters to the Earl of Arlington in 1678 put it best - "Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl."
The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a 'tempest in a potty' (that was for you Elly ;). For comments, contact me at Patrick.firstname.lastname@example.org