Conducting an Effective Business Impact Analysis (BIA)
Presented by: Sherri Flynn, MBCP, CISM
Your BCM, Risk & Crisis Management software solution since 1999
Agenda
• What is a Business Impact Analysis (BIA)?
• Why do a BIA?
• Elements of a BIA
• Presenting your BIA Results
• Common Mistakes
What is a BIA?
A Business Impact Analysis (BIA) …
… is a process that identifies & evaluates the potential effects of events on business operations
… is a detailed inventory of critical business functions and/or processes
… is an assessment & prioritization of all business functions & their interdependencies
… provides an estimation of MOTs, RTOs, RPOs, and recovery procedures
… includes the identification of department critical business functions as well as organization-wide products and/or services.
Products and Services are created by processes that are made up of activities. Products and Services are prioritized first; this sets the time and service level parameters for process prioritization. - ISO Technical Specification Ref # ISO/TS 22317:2015(E)
Why do a BIA?
Processes, Applications, People, Vital Records, Vendors
More than because you HAVE to
• Organizes / Prioritizes ALL the Data
• Provides a Basis for your Recovery Plan
• Aids in Resource Allocation
• Aids in Development of Recovery Strategies
• Provides a Focus for Testing
Identifies processes that are most critical to the survival of an organization.
• Activities that an organization performs in support of its primary purpose(s); the production & delivery of goods and/or services.
• Processes and systems that your business absolutely needs in order to perform its main functions.
• Saving your business from suffering a catastrophic blow that could result in substantial damage to the business, including closing its doors for the last time and shutting down for good.
Elements of a BIA
• Initiation (Developing the Mindset)
• Establishing the Process
• Gathering the Information (Data Collection)
• Documenting / Organizing the Information
• Analyzing the Collected Information
• Presenting the BIA Results to Management

• Initiation (Developing the Mindset)
  • Define objectives, goals and scope
  • Form BIA project team
  • Kick off BIA with an Executive Sponsor with buy-in
  • Establish business importance of the BIA
• Establishing the Process
  • EDUCATE participants and PREPARE in advance!
  • Set Priorities
    • Time commitments for departments / deadlines
    • Consistent Recovery Time Objectives
  • Budget time for interviews – allot enough time
  • Set expectations for follow up
  • Establish relevant Impacts
  • Establish RTO / Criticality determination
    • Subjective
    • Objective (Formula based – criticality increasing over time)
Calculate an RTO
Impact ratings: Critical = 4, High = 3, Medium = 2, Low = 1, N/A = 0
Impact weights and scoring (Min / Max):
• Customer Impact: weight 3, 0 / 12.00
• Operational Impact: weight 2, 0 / 8.00
• Financial Impact: weight 1, 0 / 4.00
Recovery Time Objectives (maximum Customer / Operational / Financial score per window):
• 0 – 24 hrs (12/8/4)
• 25 – 48 hrs (12/8/4)
• 49 hrs – 7 days (12/8/4)
• >1 week (12/8/4)
Maximum total: (48/32/16) = 96
Overall Criticality:
• Low (>1 wk): 1 - 24
• Medium (49h-7d): 25 - 49
• High (25-48h): 50 - 74
• Critical (0-24h): 75 - 96
If the function was unavailable what would be the impact?
• Customer Impact: 3 x 1 = 3, 3 x 2 = 6, 3 x 3 = 9, 3 x 4 = 12; subtotal 30
• Operational Impact: 2 x 0 = 0, 2 x 3 = 6, 2 x 4 = 8, 2 x 4 = 8; subtotal 22
• Financial Impact: 1 x 4 = 4, 1 x 4 = 4, 1 x 4 = 4, 1 x 4 = 4; subtotal 16
Overall Criticality: Low 1 - 24, Medium 25 - 49, High 50 - 74, Critical 75 - 96
30 + 22 + 16 = 68
Overall Criticality = High
Calculated RTO = 25-48 hrs
Threshold RTO
If the function was unavailable what would be the impact?
(Customer Impact, Operational Impact, Financial Impact)
Establish RTO Threshold = Critical
The earliest RTO where Critical is selected
This is your Function RTO: 0 – 24 hrs
Overall Criticality = Critical
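The two RTO methods from the slides above (formula-based score and threshold), as an added example that is not part of the original presentation. It assumes each category's four ratings are listed from the shortest RTO window to the longest; all function and variable names are hypothetical.

```python
# Added example. Weights, rating scale, windows and score bands come from the
# slides; all function and variable names are assumptions.
RATING = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "N/A": 0}
WEIGHT = {"Customer": 3, "Operational": 2, "Financial": 1}
WINDOWS = ["0-24 hrs", "25-48 hrs", "49 hrs-7 days", ">1 week"]
# (lowest total in band, overall criticality, calculated RTO)
BANDS = [(75, "Critical", "0-24 hrs"), (50, "High", "25-48 hrs"),
         (25, "Medium", "49 hrs-7 days"), (1, "Low", ">1 week")]


def validate(answers):
    """Require one known rating per RTO window for every impact category."""
    for cat in WEIGHT:
        row = answers.get(cat, [])
        if len(row) != len(WINDOWS):
            raise ValueError(f"{cat}: expected {len(WINDOWS)} ratings")
        unknown = [r for r in row if r not in RATING]
        if unknown:
            raise ValueError(f"{cat}: unknown rating(s) {unknown}")


def formula_rto(answers):
    """Objective method: sum weight x rating over all windows, then band it."""
    validate(answers)
    subtotals = {cat: sum(WEIGHT[cat] * RATING[r] for r in answers[cat])
                 for cat in WEIGHT}
    total = sum(subtotals.values())
    for floor, criticality, rto in BANDS:
        if total >= floor:
            return subtotals, total, criticality, rto
    return subtotals, total, None, None  # total 0 (all N/A): no band defined


def threshold_rto(answers, threshold="Critical"):
    """Threshold method: earliest window where a rating reaches the threshold."""
    # Assumption: a rating above the chosen threshold also counts as a hit.
    validate(answers)
    for i, window in enumerate(WINDOWS):
        if any(RATING[answers[cat][i]] >= RATING[threshold] for cat in WEIGHT):
            return window
    return None  # threshold never reached in any window


# Ratings behind the slide's worked numbers (3x1, 3x2, ...; 2x0, ...; 1x4, ...)
SLIDE_EXAMPLE = {
    "Customer": ["Low", "Medium", "High", "Critical"],
    "Operational": ["N/A", "High", "Critical", "Critical"],
    "Financial": ["Critical", "Critical", "Critical", "Critical"],
}

if __name__ == "__main__":
    print(formula_rto(SLIDE_EXAMPLE))
    print(threshold_rto(SLIDE_EXAMPLE))
```

On the same answers the formula method yields High (25-48 hrs) while the threshold method yields 0-24 hrs, which is why the method has to be fixed before interviews begin.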
• Gathering the Information (Data Collection)
  • Create a consistent Questionnaire for everyone
  • Set up BIA Workshops and/or Interviews
  • Quantify as much as possible – gather FACTS
  • Quantify responses OVER TIME (Impacts/RTOs)
  • Ask people what they do. Don’t assume.
• Documenting / Organizing the Information
  • Prioritize by Criticality
  • Report the facts for discussion – do not provide opinion
  • Be careful of adding “conversational” notes that are not factual
• Analyzing the Collected Information
  • Note trends/observations that you have uncovered
Analyzing Your Data
• By Department
• By Criticality
• Resource Report
• Presenting the BIA Results to Management
  • Create high level / “easy on the eye” reporting
  • Executive Summary Reports
    • Objectives / Goals / Scope
    • Methodology
    • Participants
    • Summary of Results
    • Most Critical Items
    • Concerns
    • Recommendations
Overall Function Count
[Chart: Functions by Criticality (bar values: 21, 17, 26, 15, 45)]
[Chart: Accounting Department Functions, by criticality (Critical, High, Significant, Medium, Low)]
Resource Summary Count
Resource RTO Distribution: 0-24 Hours 43%, 2-3 Days 27%, 3-5 Days 14%, 5-10 Days 9%, 10+ Days 7%
Why do a BIA?
• Organizes / Prioritizes ALL the Data
• Provides a Basis for your Recovery Plan
• Aids in Resource Allocation
• Aids in Development of Recovery Strategies
• Provides a Focus for Testing

Common Mistakes
Mistakes to Avoid
• Minimal or No Management Support
• Backing into the BIA Results
• Lack of Preparation for the Interviews/Meetings
• Gathering Too Much Data
• Focus on the Tools/Applications instead of the Processes
• Doing a Risk Assessment and NOT a BIA (do both)
• No Timely Follow Up / Result Presentation
• Unclear Presentation of Results
References
• ISO Standards
  • ISO 22301:2012 Societal security – Business continuity management systems
  • ISO 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
• DRII.org Professional Practices
• NCUA.gov
  • Letter #: 06-CU-12
  • Letter #: 01-CU-21
• Ready.gov https://www.ready.gov/business/implementation/IT
• Gartner – IT Library https://www.gartner.com/it-glossary/library
• FFIEC https://ithandbook.ffiec.gov/
  • BCP Examination Booklet
  • BCP Examiners Checklist (IT Work Program)
Thank you!
Questions?
Sherri Flynn, MBCP, CISM
Contact us for an online demo
www.RecoveryPlanner.com
877.455.9990