6th Annual bsi BCM Conference
Business Impact Analysis
Steven Cockcroft MSc, Senior Consultant, Ultima Risk Management
Business Impact Analysis Overview
• The BIA is the foundation on which the BCM process is built
• Used to identify, quantify and qualify the business impacts of a loss, interruption or disruption of business activities
• Allows management to determine at what point in time an outage becomes intolerable
  o Maximum Acceptable Outage (MAO). Previously known as MTPD
• Provides data from which appropriate continuity requirements and strategies can be determined
Impact Analysis
Qualitative
• Minor:
  o Small-scale financial loss
• Moderate:
  o Medium financial loss
• Major:
  o Major financial loss
• Catastrophic:
  o Financial loss threatens survival of business
Quantitative
• Minor:
  o Financial loss of >£1,000
• Moderate:
  o Financial loss of >£10,000
• Major:
  o Financial loss of >£100,000
• Catastrophic:
  o Financial loss of £1,000,000 or more
Impact Areas
• Financial
• Reputation
• Brand
• Contractual obligations
• Legal requirements
• Regulatory requirements
• Customer service
• Pipeline/future business
• Loss of key suppliers
• Loss of goodwill
Collecting Data
• Interviews, workshop or questionnaire
• Identify graduated periods of disruption:
  o Relevant to business
  o How far ahead
• Agree impact levels to be used
• How to document results
Information Required from BIA
• The unit/department's function and supporting activities
• The impact on the organisation if each activity was not done for 1 day, 2 days, etc.
• Measure against impact levels
• The stage at which the impact becomes high/catastrophic:
  o What makes the impact so high?
  o Be prepared to challenge
  o Ensure the impact affects the organisation
• Times of the year when the length of time before reaching high impact differs
Information Required from BIA
• Recovery time objective (RTO)
• The minimum level of service acceptable for recovery
• The resources that are required to deliver this level of service:
  o People
  o Premises
  o Information
  o Technology
  o Etc…
• Any internal or external supplies or services the activity is dependent upon
• Recovery point objective (RPO)
EXERCISE
Example BIA Output
Example Recovery Profile
[Table. Columns: Resource Name, Business As Usual, 1 Day, 2 Days, 4 Days, 1 Week, 4 Weeks, 12 Weeks, Recovery Point Objective. Rows grouped by resource type: People, Premises (United Kingdom), Suppliers, Information, Technology.]
Key Points
• The BIA must be carried out and accurately reflect the business
• The whole BCM process relies upon this stage being an accurate reflection of management views
• The method of collecting the information must be appropriate to the organisation's culture
• Impacts must be clearly documented and not overstated or understated
• Focus on the critical/important but do not lose sight of the less critical/less important