How to Conduct a Business Impact Analysis and Risk Assessment
By Larry Pedrazoli, Business Recovery Analyst, Miller Brewing Company
February 2006
Project Management Institute, La Crosse, WI Chapter

Agenda
- Contingency Planning Model
- BIA
- Risk Assessment
- Presenting Results to Leadership
Contingency Planning Model
[Diagram: Crisis Management sits above the organization; Business Continuity covers the business side and Disaster Recovery the technical side.]

Crisis Management: the overall coordination of the response to a crisis in an effective, timely manner to avoid or minimize damage to our profitability, reputation, and ability to operate. [Lead: Legal or Risk Management]

Business Continuity: plans and activities designed to ensure continuity of services and support for customers and to maintain the organization's viability BEFORE, DURING and AFTER an event. [Lead: combined effort of IS, Risk Management and the Business]

Disaster Recovery: plans and activities designed to recover the technical infrastructure and restore critical business applications to an acceptable condition. [Lead: IS]
Business Impact Analysis (BIA)
PURPOSE: To provide a factual, understandable, and informative set of findings that leadership can use to give direction for development of the Business Continuity Program.

Business Impact Analysis (BIA)
OBJECTIVES:
Identify:
- Business functions and their dependence upon technology, infrastructure and applications
- Potential financial and operational impacts of disruption over time
- Interdependencies
- Legal and regulatory requirements
- Risks and single points of failure
- Critical records and documentation
- External resource products and services
- Departmental recovery requirements
Determine:
- Recovery timeframes and acceptable levels of data, operational and financial losses
Provide:
- The business case for the operational recovery strategies and recommended business recovery strategies
Business Impact Analysis (BIA)
ASSUMPTIONS:
- Executive Leadership will identify and make available division/department representatives qualified to participate in the Business Impact Analysis.
- All information gathered in the interviews is assumed to be accurate; no independent audit steps will be taken to verify the data.
- The BIA Report and Presentation will be based on the information gathered from representatives who participated in the BIA process.
- Recommendations included in the BIA report and presentation will be made in response to the requirements received during information gathering.
Business Impact Analysis (BIA)
CRITICAL SUCCESS FACTORS:
- Promote awareness of the possibility of a disaster
- Leverage compliance initiatives, industry regulations, and recent disaster events
- Align with strategic and business objectives
- Perform an informal business impact analysis and risk assessment

Business Impact Analysis (BIA)
APPROACH:
- Questionnaires
- Interviews
- Workshops
- A combination of any or all of the above
PARTICIPANTS:
- Executive Management
- Managers / Directors
Business Impact Analysis (BIA)
7-STEP PROCESS:
1. Department Profile
2. Business Functions
3. IT Recovery Requirements
4. Business Function Impact
5. Critical Records and Documentation
   [Disaster Recovery]
6. External Business Partners, Vendors, and Supplier Products and Services
7. Department Recovery Requirements
   [Business Continuity]
Risk Assessment
PURPOSE: Determine the events and external surroundings that can adversely affect an organization and its resources, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.
OBJECTIVE: Provide a cost-benefit analysis to justify investment in controls that mitigate risk.
THREATS:
- Natural
- Man-Made (Intentional)
- Man-Made (Unintentional)
- Business Risks
- Information Technology-Specific
- Other
Risk Assessment
Risk Score = LIKELIHOOD x THREAT FACTOR x IMPACT

Likelihood:
- Very High: more than two incidents per year
- High: 1-2 incidents per year
- Medium: 1-2 years between incidents
- Low: 2-5 years between incidents
- Very Low: 5+ years between incidents

Threat Factor ("Threat + 1" on the slide), characterised by:
- Speed of onset
- Warning
- Duration

Impact:
- High: service disrupted for more than 3 days; impacts many business functions
- Medium: service disruption between 1 and 3 days; impacts one business function
- Low: service disruption of less than a day; impacts a number of individuals
Risk Assessment
RISK REMEDIATION:
- Identify controls currently in place
- Identify potential remediation controls and rank them by cost:
  - Very High: very high cost to remediate ($50,000.00+)
  - High: high cost to remediate ($10,001.00 - $50,000.00)
  - Medium: medium cost to remediate ($1,001.00 - $10,000.00)
  - Low: small cost to remediate ($100.00 - $1,000.00)
  - Very Low: no, or very low, cost to remediate (under $100.00)
- Score cost inversely (the cheapest control scores highest) so that the ranking favours the best bang for your buck: high-risk items that are cheap to fix rise to the top.
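The scoring on the two slides above, carried through as a worked example. This is added code, not part of the presentation. The slides name the bands but give no numbers for them, so the following are assumptions: the values 5..1 for the five likelihood bands, 3..1 for the three impact bands, and the reading of "Threat + 1" as 1 plus one point per aggravating attribute (fast onset, no warning, long duration). The four risks and their figures are constructed for illustration, borrowing only the risk names from the status-table slide.

```python
"""Risk Score = Likelihood x Threat Factor x Impact, then remediation ranking
by inverse cost score. Added example; numeric band values, the "Threat + 1"
reading and the sample figures are assumptions, not from the slides."""
from dataclasses import dataclass

# Likelihood bands from the slide; the numeric values are an assumption.
LIKELIHOOD_VALUE = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}
# Impact bands from the slide; the numeric values are an assumption.
IMPACT_VALUE = {"High": 3, "Medium": 2, "Low": 1}


def likelihood_level(incidents_per_year: float) -> str:
    """Map an observed incident rate onto the slide's five likelihood bands."""
    if incidents_per_year > 2:
        return "Very High"          # more than two incidents per year
    if incidents_per_year >= 1:
        return "High"               # 1-2 incidents per year
    if incidents_per_year <= 0:
        return "Very Low"           # never observed: treat as 5+ years between
    years_between = 1.0 / incidents_per_year
    if years_between <= 2:
        return "Medium"             # 1-2 years between incidents
    if years_between <= 5:
        return "Low"                # 2-5 years between incidents
    return "Very Low"               # 5+ years between incidents


def threat_factor(fast_onset: bool, no_warning: bool, long_duration: bool) -> int:
    """'Threat + 1' using the slide's three attributes; one point per attribute is assumed."""
    return 1 + sum((fast_onset, no_warning, long_duration))


def cost_score(cost_usd: float) -> int:
    """Inverse scoring of the slide's remediation-cost bands: cheaper controls score higher."""
    if cost_usd < 100:
        return 5    # Very Low: no, or very low cost (under $100)
    if cost_usd <= 1000:
        return 4    # Low: $100 - $1,000
    if cost_usd <= 10000:
        return 3    # Medium: $1,001 - $10,000
    if cost_usd < 50000:
        return 2    # High: $10,001 - $50,000
    return 1        # Very High: $50,000+


@dataclass(frozen=True)
class Risk:
    name: str
    incidents_per_year: float
    fast_onset: bool
    no_warning: bool
    long_duration: bool
    impact: str                  # "High", "Medium" or "Low"
    remediation_cost_usd: float  # cost of the cheapest candidate control


def risk_score(r: Risk) -> int:
    """Likelihood x Threat Factor x Impact, as on the slide."""
    return (LIKELIHOOD_VALUE[likelihood_level(r.incidents_per_year)]
            * threat_factor(r.fast_onset, r.no_warning, r.long_duration)
            * IMPACT_VALUE[r.impact])


def remediation_priority(r: Risk) -> int:
    """Risk score weighted by the inverse cost score: high risk that is cheap to fix ranks first."""
    return risk_score(r) * cost_score(r.remediation_cost_usd)


def rank_by_priority(risks):
    """Highest remediation priority first."""
    return sorted(risks, key=remediation_priority, reverse=True)


# Constructed sample: the four risk names from the status-table slide with invented figures.
SAMPLE_RISKS = [
    Risk("Denial of Service Attack", 1.5, True, True, False, "Medium", 25_000),
    Risk("Power Outages", 0.4, True, True, False, "Medium", 60_000),
    Risk("System Performance", 3.0, False, False, False, "Low", 500),
    Risk("Human Error", 4.0, True, True, False, "Low", 80),
]

if __name__ == "__main__":
    for r in rank_by_priority(SAMPLE_RISKS):
        print(f"{r.name:26} risk={risk_score(r):3} "
              f"cost_score={cost_score(r.remediation_cost_usd)} "
              f"priority={remediation_priority(r)}")
```

With these constructed figures the raw risk scores order the list as Denial of Service (24), Human Error (15), Power Outages (12), System Performance (5); weighting by the inverse cost score moves Human Error (cheap to remediate) above the Denial of Service item and pushes the expensive Power Outages fix to the bottom, which is the point of the inverse scoring on the slide. The band boundaries at exactly $50,000 and at zero incidents per year are not defined on the slide; the code's choices there are assumptions and should be set to match whatever the leadership presentation states.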
Presenting to Leadership
BIA RESULTS:
Report minimums:
- Executive Summary
- Purpose
- Objectives
- Scope
- Approach
- Assumptions
- Key Take-Aways
- Recommendations
- Action Items
- Next Steps
Possible core metrics:
- Lowest RTO (recovery time objective) for systems
- Business Loss Matrix
- High-Level Business Function Recovery Timeline
- Flowcharts
- Processing Models
- Departmental Requirements Timeline
- Event Calendar

Presenting to Leadership
RISK ASSESSMENT RESULTS:
- Executive Summary
- Key Take-Aways
- Recommendations
- Risk Categories
- Risk Remediation
- Action Items
- Next Steps
Presenting to Leadership
RISK RANKINGS:
- Red is a high vulnerability: should be addressed immediately.
- Yellow is a medium vulnerability: requires close monitoring for changes and escalation.
- Green is a low vulnerability: requires monitoring; should be addressed as part of the organization's strategic vision.

Presenting to Leadership
Risk status table (template):

| RISK                     | Classification | Recommendation | Action Plan / Comments | Status |
|--------------------------|----------------|----------------|------------------------|--------|
| Denial of Service Attack |                |                |                        |        |
| Power Outages            |                |                |                        |        |
| System Performance       |                |                |                        |        |
| Human Error              |                |                |                        |        |
Risk Assessment
RISK ASSESSMENT RESULTS: RISK & IMPACT MATRIX
[Diagram: a 2x2 matrix with Risk on one axis and Impact on the other, giving four quadrants: High Risk / High Impact, High Risk / Low Impact, Low Risk / High Impact, Low Risk / Low Impact.]

Wrap-Up
Questions? Good luck! Feel free to contact me with questions.
Thank you