Business Impact Analysis (BIA)

Transcription

1 Your BCM, Risk & Crisis Management software solution since 1999 Conducting an Effective Business Impact Analysis (BIA) Presented by: Sherri Flynn MBCP, CISM

2 Agenda What is a Business Impact Analysis (BIA)? Why do a BIA? Elements of a BIA Presenting your BIA Results Common Mistakes

3 What is a BIA? A Business Impact Analysis (BIA). is a process that identifies & evaluates the potential effects of events on business operations is a detailed inventory of critical business functions and/or processes is an assessment & prioritization of all business functions & their interdependencies provides an estimation of MOTs, RTOs, RPOs, and recovery procedures

4 What is a BIA? A Business Impact Analysis (BIA). includes the identification of department critical business functions as well as organization-wide products and/or services. Products and Services are created by processes that are made up of activities. Products and Services are prioritized first; this sets the time and service level parameters for process prioritization. - ISO Technical Specification Ref # ISO/TS 22317:2015(E)

5 Why do a BIA? Processes Applications Vital Records People Vendors

6 Why do a BIA? More than because you HAVE to

7 Why do a BIA? Organizes / Prioritizes ALL the Data Provides a Basis for your Recovery Plan Aids in Resource Allocation Aids in Development of Recovery Strategies Provides a Focus for Testing

8 Why do a BIA? Identifies processes that are most critical to the survival of an organization. Activities that an organization performs in support of its primary purpose(s); the production & delivery of goods and/or services.

9 Why do a BIA? Identifies processes that are most critical to the survival of an organization. Processes and systems that your business absolutely needs in order to perform its main functions.

10 Why do a BIA? Identifies processes that are most critical to the survival of an organization. Saving your business from suffering a catastrophic blow that could result in substantial damage to the business, including closing its doors for the last time and shutting down for good.

11 Elements of a BIA Elements of a BIA

12 Elements of a BIA Initiation (Developing the Mindset) Establishing the Process Gathering the Information (Data Collection) Documenting / Organizing the Information Analyzing the Collected Information Presenting the BIA Results to Management

13 Elements of a BIA Initiation (Developing the Mindset) Define objectives, goals and scope Form BIA project team Kick off BIA with an Executive Sponsor with buy-in Establish business importance of the BIA

14 Elements of a BIA Establishing the Process EDUCATE participants and PREPARE in advance! Set Priorities Time commitments for departments / deadlines Consistent Recovery Time Objectives Budget time for interviews allot enough time Set expectations for follow up Establish relevant Impacts Establish RTO / Criticality determination Subjective Objective (Formula based criticality increasing over time)

15 Calculate an RTO

16 3 Customer Impact Critical High Medium Low N/A Scoring Min / Max Customer Impact 0 / Operational Impact 0 / 8.00 Financial Impact 0 / Operational Impact 1 Financial Impact Critical High Medium Low N/A Critical High Medium Low N/A Recovery Time Objectives 0 24 hrs (12/8/4) hrs (12/8/4) 49 7 days (12/8/4) >1 week (12/8/4) (48/32/16) = 96 Overall Criticality Low (>1 wk) 1-24 Medium (49h-7d) High (25-48h) Critical (0-24h) 75-96

17 If the function was unavailable what would be the impact? Customer Impact Operational Impact Financial Impact 3 x 1 = 3 3 x 2 = 6 3 x 3 = 9 3 x 4 = x 0 = 0 2 x 3 = 6 2 x 4 = 8 2 x 4 = x 4 = 4 1 x 4 = 4 1 x 4 = 4 1 x 4 = = 68 Overall Criticality Low 1-24 Medium High Critical Overall Criticality = High Calculated RTO = hrs

18 Threshold RTO

19 If the function was unavailable what would be the impact? Customer Impact Establish RTO Threshold = Critical Operational Impact The earliest RTO where Critical is selected Financial Impact This is your Function RTO 0 24 hrs Overall Criticality = Critical

20 Elements of a BIA Gathering the Information (Data Collection) Create a consistent Questionnaire for everyone Set up BIA Workshops and/or Interviews Quantify as much as possible gather FACTS Quantify responses OVER TIME (Impacts/RTOs) Ask people what they do? Don t assume.

21 Elements of a BIA Documenting / Organizing the Information Prioritize by Criticality Report the facts for discussion do not provide opinion Be careful of adding conversational notes not factual Analyzing the Collected Information Note trends/observations that you have uncovered

22 Elements of a BIA Analyzing Your Data

23 By Department

24 By Criticality

25 Resource Report

26 Elements of a BIA Presenting the BIA Results to Management Create high level / easy on the eye reporting Executive Summary Reports Objectives / Goals / Scope Methodology Participants Summary of Results Most Critical Items Concerns Recommendations

27 Overall Function Count

28 Functions by Criticality Functions by Criticality Functions by Criticality 0

29 Department Functions Accounting Department Functions Accounting Department Functions Critical High Significant Medium Low

30 Resource Summary Count Resource RTO Distribution 3-5 Days 14% 5-10 Days 9% 10+ Days 7% 0-24 Hours 43% 0-24 Hours 2-3 Days 3-5 Days 5-10 Days 2-3 Days 27% 10+ Days

31 Why do a BIA? Organizes / Prioritizes ALL the Data Provides a Basis for your Recovery Plan Aids in Resource Allocation Aids in Development of Recovery Strategies Provides a Focus for Testing

32 Common Mistakes Mistakes to Avoid

33 Common Mistakes Minimal or No Management Support Backing into the BIA Results Lack of Preparation for the Interviews/Meetings Gathering Too Much Data Focus on the Tools/Applications instead of the Processes Doing a Risk Assessment and NOT a BIA (do both) No Timely Follow Up / Result Presentation Unclear Presentation of Results

34 References ISO Standards - ISO Societal security Business continuity management systems - ISO Societal security -- Business continuity management systems -- Guidelines for business impact analysis (BIA) DRII.org Professional Practices NCUA.gov - Letter #: 06-CU-12 - Letter #: 01-CU-21 Ready.gov Gartner IT Library

35 References FFIEC - BCP Examination Booklet - BCP Examiners Checklist (IT Work Program)

36 Thank you! Questions? Sherri Flynn, MBCP, CISM Contact us for an online demo