230 Chapter 14 Performing the Business Risk Assessment

With dependencies on two networks, you'll have to look at the risks for both. One risk that could be cited might even be that the user enrollment process is dependent on two networks. If the Houston facility gets flooded by a hurricane and loses power, then the user enrollment process will stop working even if the New York site remains operational. Clearly, one way to mitigate this risk would be to migrate the functionality of the user enrollment process entirely to the New York site. However, that may not be possible for all kinds of different reasons. Instead, it may be easier to build a failover system in Washington that automatically picks up the user enrollment functionality provided by Houston if there is an outage in Houston.

When developing a Business Risk Assessment, you have to take into consideration various different scenarios that could affect the business are of course other risks aside from natural disasters. In taking into consideration the different scenarios, you need to construct risk statements.

Construct Risk Statements

Risk statements are assertions that connect a possible circumstance to a forecasted impact. A common format for a risk statement is "If this threat circumstance occurs, then this will be the impact." Once risk statements have been developed, the impact can be forecasted and the potential likelihood of the threat can be determined. Risk statements state the presumed threat and the impact in the form of damage that could potential impact can then be factored with the probability of its occurrence to find out just how great the risk exposure is in actuality.
Some threats will create a more severe impact to the business process than others. When you are creating risk statements for business risks, knowing the technical details of the IT infrastructure is not really necessary. Save that for the System Risk Assessment. It shouldn't matter whether the firewall is