Wed. Feb 1st, 2023
    en flag
    nl flag
    et flag
    fi flag
    fr flag
    de flag
    he flag
    ja flag
    lv flag
    pl flag
    pt flag
    es flag
    uk flag

    Content Assessment: Managing Enterprise Risk? Using Business Impact Analysis to Inform Risk Prioritization and Response (NIST)

    Information - 92%
    Insight - 91%
    Relevance - 93%
    Objectivity - 94%
    Authority - 93%



    A short percentage-based assessment of the qualitative benefit of the new paper from NIST on the use of business impact analysis to inform risk prioritization and response.

    Editor’s Note: NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce that focuses on promoting innovation and industrial competitiveness. NIST develops and maintains technical standards and guidelines that help ensure the security, interoperability, and reliability of information systems and technologies. NIST is important to cybersecurity, information governance, and legal discovery professionals because its standards and guidelines provide a common framework for organizations to follow in order to protect their information systems and data from threats. This includes standards for cybersecurity, data privacy, and information governance, as well as guidelines for managing electronic records and conducting legal discovery. The recently published NIST Interagency report, Using Business Impact Analysis to Inform Risk Prioritization and Response, explores and presents considerations for using business impact analysis (BIA) to develop a broad understanding of the potential impact of any type of loss on the mission of an enterprise. The report may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to better understand how to consider how Cybersecurity Risk Management (CSRM) and Enterprise Risk Management (ERM) through the construct of an integrated BIA process.

    NIST Interagency Report*

    Using Business Impact Analysis to Inform Risk Prioritization and Response

    By Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Larry Feldman, Daniel Topper, Greg Witte, R. K. Gardner


    While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong). The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

    Read the original announcement.


    The primary audience for this publication includes public- and private-sector cybersecurity professionals at all levels who understand cybersecurity but may be unfamiliar with the details of enterprise risk management (ERM). The secondary audience includes both federal and non-Federal Government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of cybersecurity. All readers are expected to gain an improved understanding of how CSRM and ERM complement and relate to each other as well as the benefits of integrating their use

    Introduction (Extract)

    Risk is measured, at least in part, in terms of impact on the enterprise mission and the likelihood of events, so it is vital to understand the various information and communications technology (ICT) assets whose functions enable that mission, as well as any potential uncertainties that jeopardize those assets. Each asset has a value to the enterprise. For government enterprises, many of those ICT assets are key components for supporting critical services provided to citizens. For corporations, ICT assets directly influence enterprise capital and valuation, and ICT risks can directly impact the balance sheet or budget. For each type of enterprise, it can be challenging to determine what conditions will truly impact the mission. Today’s government agencies continue to provide critical services, yet they must also adhere to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals as well as impacts on the next quarter’s earnings call. Therefore, it is important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.

    The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. The series of publications demonstrates how to better integrate cybersecurity with ERM. The series helps entities effectively quantify, finance, and drive their cybersecurity programs commensurate with enterprise risk exposure, as well as shareholder and stakeholder value. It highlights the need for ongoing bidirectional communication between ERM and risk programs, recognizing that risk disciplines both inform and receive direction from ERM. Specifically, the communication of risk appetite statements from the ERM portfolio is a way for risk programs to better identify and monitor risks using a variety of related methods, such as risk tolerance statements, key performance indicators, key risk indicators, and controls. The NIST IR 8286 series also formalizes the use of risk registers to communicate risks and risk responses between program and portfolio levels. It highlights industry best practices for coordination by elevating risks within an organization for oversight and escalating risks within an organization for higher-level ownership.

    Read the Complete Report: NIST Interagency Report – Using Business Impact Analysis to Inform Risk Prioritization and Response (PDF) – Mouseover to Scroll

    NIST.IR.8286D - Business Impact Analysis

    Read the original publication.

    *Shared with permission.

    Reference: Quinn, S., Ivy, N., Chua, J., Barrett, M., Witte, G., Feldman, L., Topper, D. and Gardner, R. (2022), Using Business Impact Analysis to Inform Risk Prioritization and Response, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed December 6, 2022)

    Additional Reading

    Source: ComplexDiscovery


    Have a Request?

    If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

    ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

    ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.