Risk assessments, vulnerability management, and penetration tests are often seen as focused on a server or a set of hardware and software in isolation. To fully manage risk, we need to focus on business processes. According to Chris Anderson, the top 10 core business processes include: Marketing, payroll, product/service delivery, and technology management. These processes must also be the targets of risk assessments. What happens if just one of these processes is interrupted? What is the potential business impact? We have to assess the likelihood that one or more components of each process will be compromised by an attack or simply fail.”]
Source: https://www.csoonline.com/article/3099962/its-all-about-critical-processes.html