Chapter 15 (Lesson 11)

Question 1

Why is it important to include legal representatives on your BCP team?

Answer 1

Many federal, state, and local laws or regulations require businesses to implement BCP provisions. Including legal representation on your BCP team helps ensure that you remain compliant with laws, regulations, and contractual obligations.

Question 2

What is wrong with the “seat-of-the-pants” approach to BCP?

Answer 2

The “seat-of-the-pants” approach is an excuse used by individuals who do not want to invest time and money in the proper creation of a BCP. This can lead to catastrophe when a firmly laid plan isn’t in place to guide the response during a stressful emergency situation.

Question 3

What is the difference between quantitative and qualitative risk assessment?

Answer 3

Quantitative risk assessment involves using numbers and formulas to make a decision. Qualitative risk assessment includes nonnumeric factors, such as emotions, investor/consumer confidence, and workforce stability.

Question 4

What critical components should be included in your BCP training plan?

Answer 4

The BCP training plan should include a

plan overview briefing for all employees

and specific training for individuals with direct or indirect involvement.

In addition, backup personnel should be trained for each key BCP role.

Question 5

What are the four main steps of the BCP process?

Answer 5

The four steps of the BCP process are

1. project scope and planning,
2. business impact assessment,
3. continuity planning,
4. approval/implementation.

Question 6

What is the first step that individuals responsible for the development of a business continuity plan should perform?

A. BCP team selection

B. Business organization analysis

C. Resource requirements analysis

D. Legal and regulatory assessment

Answer 6

B. The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

Question 7

Once the BCP team is selected, what should be the first item placed on the team’s agenda?

A. Business impact assessment

B. Business organization analysis

C. Resource requirements analysis

D. Legal and regulatory assessment

Answer 7

B. The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

Question 8

What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?

A. Corporate responsibility

B. Disaster requirement

C. Due diligence

D. Going concern responsibility

Answer 8

C. A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.

Question 9

What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware

B. Software

C. Processing time

D. Personnel

Answer 9

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process itself. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

Question 10

What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?

A. Monetary

B. Utility

C. Importance

D. Time

Answer 10

A. The quantitative portion of the priority identification should assign asset values in monetary units.

Question 11

Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?

A. ARO

B. SLE

C. ALE

D. EF

Answer 11

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

Question 12

What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?

A. SLE

B. EF

C. MTD

D. ARO

Answer 12

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

Question 13

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?

A. $3,000,000

B. $2,700,000

C. $270,000

D. $135,000

Answer 13

B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

Question 14

Referring to the scenario in question 8, what is the annualized loss expectancy?

A. $3,000,000

B. $2,700,000

C. $270,000

D. $135,000

(8. ou are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?)

Answer 14

D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an SLE of $135,000.

Question 15

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

A. $750,000

B. $1.5 million

C. $7.5 million

D. $15 million

Answer 15

A. This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an SLE of $750,000.

Question 16

Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?

A. Resource prioritization

B. Likelihood assessment

C. Strategy development

D. Provisions and processes

Answer 16

C. The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

Question 17

Which resource should you protect first when designing continuity plan provisions and processes?

A. Physical plant

B. Infrastructure

C. Financial

D. People

Answer 17

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!

Question 18

Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?

A. Loss of a plant

B. Damage to a vehicle

C. Negative publicity

D. Power outage

Answer 18

C. It is very difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.

Question 19

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?

A. 0.01

B. $10,000,000

C. $100,000

D. 0.10

Answer 19

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

Question 20

15. Referring to the scenario in question 14, what is the annualized loss expectancy?

A. 0.01

B. $10,000,000

C. $100,000

D. 0.10

Answer 20

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

Question 21

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development

B. Business impact assessment

C. Provisions and processes

D. Resource prioritization

Answer 21

C. In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

Question 22

What type of mitigation provision is utilized when redundant communications links are installed?

A. Hardening systems

B. Defining systems

C. Reducing systems

D. Alternative systems

Answer 22

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

Question 23

What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?

A. Business continuity plan

B. Business impact assessment

C. Disaster recovery plan

D. Vulnerability assessment

Answer 23

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

Question 24

What is the formula used to compute the single loss expectancy for a risk scenario?

A. SLE = AV × EF

B. SLE = RO × EF

C. SLE = AV × ARO

D. SLE = EF × ARO

Answer 24

A. The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.

Question 25

Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?

A. Vice president of business operations

B. Chief information officer

C. Chief executive officer

D. Business continuity manager

Answer 25

C. You should strive to have the highest-ranking person possible sign the BCP’s statement of importance. Of the choices given, the chief executive officer is the highest ranking.