BCP quantitative vs qualitative result according to Sybex 2015

Seab

Hi,


I study for the CISSP with the 2015 Sybex book, and there is something quite confusing...
In my comprehension; BCP are quantitative and qualitative, and normally a mix of both as a final result.
In the book, it is said that the result should be quantitative, only. - This is confusing to me.

The results of the BIA provide you
with quantitative measures that can help you prioritize the commitment of business continuity
resources to the various local, regional, and global risk exposures facing your organization.

Then

It’s important to realize that there are two different types of analyses that business
planners use when facing a decision:
Quantitative Decision Making
Qualitative Decision Making

Page 101, from Sybex 2015


Thanks for any insight!

ScottFiesta

It's not correct that a BCP, the COOP or DRPs should be based only on quantitative assessments. I was part of a large BCP team for over a year and during the BIA process we tackled several complex several elements that went into deciding which functions our business carried out were most critical. Several of these elements were things that you can not easily place a readily measured numerical metric against such as reputation. In those cases, a severity scale similar to something you'd find in ISO31000 documentation was used. For things like monetary loss, impacts are necessarily assigned in dollar values and then categorised on whatever scale you choose to use but there will always be parts of a properly executed BIA process that are simply not quantifiable like that.

A lot of thought can be put into a BIA impact matrix so as to make rough comparisons between elements measured qualitatively (via subjective expert opinion) and quantitatively ($), and it's normally on this basis that decisions about the relative importance, and therefore recovery priority, of business functions can take place.