6th Annual bsi BCM Conference: Business Impact Analysis


  1. 6th Annual bsi BCM Conference Business Impact Analysis Steven Cockcroft MSc Senior Consultant Ultima Risk Management

  2. Business Impact Analysis Overview
     - The BIA is the foundation on which the BCM process is built
     - Used to identify, quantify and qualify the business impacts of a loss, interruption or disruption of business activities
     - Allows management to determine at what point in time an outage becomes intolerable
     - Maximum Acceptable Outage (MAO). Previously known as MTPD
     - Provides data from which appropriate continuity requirements and strategies can be determined

  3. Impact Analysis

     | Impact level | Qualitative | Quantitative |
     |---|---|---|
     | Minor | Small-scale financial loss | Financial loss of >£1,000 |
     | Moderate | Medium financial loss | Financial loss of >£10,000 |
     | Major | Major financial loss | Financial loss of >£100,000 |
     | Catastrophic | Financial loss threatens survival of business | Financial loss of £1,000,000 or more |

  4. Impact Areas
     - Financial
     - Reputation
     - Brand
     - Contractual obligations
     - Legal requirements
     - Regulatory requirements
     - Customer service
     - Pipeline/future business
     - Loss of key suppliers
     - Loss of goodwill

  5. Collecting Data
     - Interviews, workshop or questionnaire
     - Identify graduated periods of disruption:
       - Relevant to business
       - How far ahead
     - Agree impact levels to be used
     - How to document results

  6. Information Required from BIA
     - The unit/department’s function and supporting activities
     - The impact on the organisation if each activity was not done for 1 day, 2 days, etc.
     - Measure against impact levels
     - The stage at which the impact becomes high/catastrophic:
       - What makes the impact so high?
       - Be prepared to challenge
       - Ensure the impact affects the organisation
     - Times of the year when the length of time before reaching high impact differs

  7. Information Required from BIA
     - Recovery time objective (RTO)
     - The minimum level of service acceptable for recovery
     - The resources that are required to deliver this level of service:
       - People
       - Premises
       - Information
       - Technology
       - Etc…
     - Any internal or external supplies or services the activity is dependent upon
     - Recovery point objective (RPO)

  8. EXERCISE

  9. Example BIA Output

  10. Example Recovery Profile
      [Table: recovery profile by resource. Column headers: Resource Name, Business As Usual, Recovery Point Objective, 1 Day, 2 Days, 4 Days, 1 Week, 4 Weeks, 12 Weeks. Row groups: People, Premises (United Kingdom), Suppliers, Information, Technology. Cell values not recoverable.]

  11. Key Points
      - The BIA must be carried out and accurately reflect the business
      - The whole BCM process relies upon this stage being an accurate reflection of management views
      - The method of collecting the information must be appropriate to the organisation’s culture
      - Impacts must be clearly documented and not overstated or understated
      - Focus on the critical/important but do not lose sight of the less critical/less important
