FISMA Certification and Accreditation Handbook

Chapter 14: Performing the Business Risk Assessment

Have I not walked without an upward look
Of caution under stars that very well
Might not have missed me when they shot and fell?

It was a risk I had to take and took.

Robert Frost

Introduction

A Business Risk Assessment reviews the risks to the agency mission and determines whether or not they are acceptable. If the risks are not acceptable, the assessment should also describe how they will be mitigated. Business risks are examined at a high level and are not concerned with the particularities of information technology. Business risks matter because they give some perspective on why the information technology infrastructure exists in the first place.

First, it's worth noting that not all agencies require a Business Risk Assessment for their C&A packages. Before you begin trying to figure out how to develop one, make sure a Business Risk Assessment is required. Some agencies may require only a System Risk Assessment, which focuses on the technology of the systems and applications rather than on the mission. To be sure, however, the Business Risk Assessment is related to the System Risk Assessment. If you develop the Business Risk Assessment correctly, the System Risk Assessment will look like an extension of it, and you will be able to see the relationship between the two. Likewise, you will also see consistencies between the Business Impact Assessment and the Business Risk Assessment.

Discussion of the Business Impact Assessment
