Assessing the Impact of a Disruption: Building an effective business impact analysis (BIA) approach using the new ISO 22317 BIA standard
TRANSCRIPT
Bryan Strawser - @bryanstrawser, Principal Consultant & CEO, Bryghtpath LLC
Bryan Strawser, Principal Consultant & CEO
Bryan Strawser is Principal Consultant & CEO at Bryghtpath LLC and has more than 21 years of experience.
+1-612-235-6435
www.bryghtpath.com
linkedin.com/in/bryanstrawser
twitter.com/bryanstrawser
We are a strategic advisory firm that specializes in global risk, business continuity, emergency management, crisis communications, and public affairs.
ISO 22301:2012 Societal Security – Business Continuity Management Systems
• Formerly BS 25999
• Adopted globally in 2012
• Intersects with other ISO standards – Ex: ISO 27001
• Establish and maintain a Business Continuity Management System (BCMS)
• Accreditation
• Certification
  – Implementer / Lead Implementer
  – Auditor / Lead Auditor
ISO 22301: Structure and Content of ISO 22301
• Scope
• Terms and definitions
• Organizational Context
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
ISO 22301: Clause 3 Key Definitions
• Business Continuity – capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident
• Business Impact Analysis – process of analyzing activities and the effect that a business disruption might have upon them
ISO 22301: Clause 8 Operations
8.2: Business Impact Analysis (BIA) and Risk Assessment
• 8.2.2 Business Impact Analysis
  – Identifying activities that support the provision of products and services
  – Assessing the impacts over time of not performing these activities
  – Setting prioritized timeframes for resuming these activities
  – Identifying dependencies and supporting resources
• 8.2.3 Risk Assessment
  – Identify risks of disruption to the organization's prioritized activities
  – Systematically analyze risk
  – Evaluate which disruption-related risks require treatment
  – Identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite
ISO 22301 & ISO 22317: Interconnected Standards
ISO 22301
• Provides high-level definition of BIA
• Outlines some required documentation
ISO 22317
• Establishes the "how-to" for the BIA
• Provides greater detail in BIA planning, execution, and required documentation
Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]
ISO 22317: The Basics
• Be the basis for continually improving the organization's BIA
  – Ongoing review
  – Event-triggered activities
• Guide the organization in planning, conducting, and reporting on the BIA
• Assist the organization in its BIA in a manner consistently reflecting good practices
• Provide for proper coordination between the BIA and the overarching business continuity program (or BCMS)
ISO 22317: Looking at the BIA
• Financial – lost profits, diminished market share, fines, penalties
• Reputational – damage to the brand, negative public opinion
• Legal & Regulatory – loss of license, litigation, increased operational costs
• Contractual – breach of contract or service obligation
• Business Objectives – failing to deliver on objectives, unable to take advantage of opportunities
ISO 22317: The "Outputs" of your BIA process
• Endorsing or modifying the overall scope of your BCMS
• Focusing on and identifying your governing obligations
• Setting timeframes and priorities for restoring the business following a disruptive incident
• Identifying and articulating the relationships between everything the business does
• Determining the people, facilities, and equipment needed to do what is necessary to get the business up and running
ISO 22317: Impact over Time
ISO 22317: Monitoring and Reviewing the BIA
• The BIA should be monitored on a periodic basis
• The BIA should be reviewed when triggered by an event:
  – Product or service change
  – Regulatory change
  – Company organizational change
  – Following a disruptive event or exercise
ISO 22317: Senior Leadership Validation
• It is critical that your BIA process and results be reviewed and validated regularly by your senior management team.
• A proper BIA will have an impact on future capital, expense, and organizational decisions that your company will need to make.
ISO 22317: Process Diagram
Example ISO 22317 BIA Process: Small business with 15-20 departments
Individual Meetings
• Individual meetings to capture:
  – Organizational information, technology usage/dependencies, interconnectedness with other teams
  – Connectivity to corporate strategies, impact of disruption
  – Tolerance of downtime
Analysis
• Analysis and tiering of information received through individual meetings
Senior leadership validation
Example ISO 22317 BIA Process: Fortune 50 Global Retailer
Initial Analysis – Survey
• E-mailed survey using internal tool to mid-level managers:
  – Organizational information, technology usage/dependencies, interconnectedness with other teams
  – Connectivity to corporate strategies, impact of disruption
  – Tolerance of downtime
• Analysis completed on data received through survey tool
• Impact information was used to create tiers for recovery – business and technology
Follow-on Analysis – In-person/small group meetings
• Small group discussions for validation of received data
• Approximately 30% of teams defined as "critical" were selected for follow-on analysis
Senior leadership validation
Example ISO 22317 BIA Process: Metrics
• Develop ways to clearly explain the outputs of your BIA process in a manner easily understandable by your business leaders
  – Recovery tiers
  – Interdependence of processes, facilities, and technologies
  – Gaps in actual versus "needed" recovery time
• Operational metrics are good to share, but do not tell the whole story
  – # of interviews conducted
  – # of critical processes or teams
• Gaps will indicate areas where leadership attention should be focused – Ex: actual recovery time versus required recovery time
Crisis Management as a Competitive Advantage
Source: 2012 Hurricane Sandy RILA Survey
[Chart: percentage (0% to 100%) by date, 10/29 through 11/3, with one series per retailer: Target (195), Sears/K-Mart (236), Macy's (200), Walmart (294), Best Buy (125)]
Learn more about us at http://bryghtpath.com
Join our newsletter at http://bryghtpath.com/newsletter
Contact Information:
• +1.612.235.6435
• [email protected]
Questions & Answers
Thank you