Presented by:
Sherri Flynn MBCP, CISM
Conducting an Effective
Business Impact Analysis (BIA)
Your BCM, Risk & Crisis Management software solution since 1999
Agenda
• What is a Business Impact Analysis (BIA)?
• Why do a BIA?
• Elements of a BIA
• Presenting your BIA Results
• Common Mistakes
A Business Impact Analysis (BIA) …
… is a process that identifies & evaluates the potential effects of events on business operations
… is a detailed inventory of critical business functions and/or processes
… is an assessment & prioritization of all business functions & their interdependencies
… provides an estimation of MOTs, RTOs, RPOs, and recovery procedures
What is a BIA?
A Business Impact Analysis (BIA) …
… includes the identification of department critical business functions as well as organization-wide products and/or services.
Products and Services are created by processes that are made up of activities. Products and Services are prioritized first; this sets the time and service level parameters for process prioritization. (ISO Technical Specification ISO/TS 22317:2015(E))
The BIA inventory covers: Processes, Applications, People, Vital Records, Vendors
Why do a BIA?
More than because you HAVE to
Why do a BIA?
• Organizes / Prioritizes ALL the Data
• Provides a Basis for your Recovery Plan
• Aids in Resource Allocation
• Aids in Development of Recovery Strategies
• Provides a Focus for Testing
Identifies processes that are most critical to the survival of an organization:
• Activities that an organization performs in support of its primary purpose(s): the production and delivery of goods and/or services.
• Processes and systems that your business absolutely needs in order to perform its main functions.
Saving your business from suffering a catastrophic blow that could result in substantial damage to the business, including closing its doors for the last time and shutting down for good.
Elements of a BIA
• Initiation (Developing the Mindset)
• Establishing the Process
• Gathering the Information (Data Collection)
• Documenting / Organizing the Information
• Analyzing the Collected Information
• Presenting the BIA Results to Management

• Initiation (Developing the Mindset)
  • Define objectives, goals and scope
  • Form BIA project team
  • Kick off BIA with an Executive Sponsor with buy-in
  • Establish business importance of the BIA
• Establishing the Process
  • EDUCATE participants and PREPARE in advance!
  • Set Priorities
    • Time commitments for departments / deadlines
    • Consistent Recovery Time Objectives
  • Budget time for interviews – allot enough time
  • Set expectations for follow up
  • Establish relevant Impacts
  • Establish RTO / Criticality determination
    • Subjective
    • Objective (Formula based – criticality increasing over time)
Calculate an RTO
Formula-based method
If the function was unavailable, what would be the impact?
Impact categories, each rated Critical / High / Medium / Low / N/A in every time window:
• Customer Impact (weight 3) – score per window, min / max: 0 / 12.00
• Operational Impact (weight 2) – score per window, min / max: 0 / 8.00
• Financial Impact (weight 1) – score per window, min / max: 0 / 4.00
Rating values: Critical = 4, High = 3, Medium = 2, Low = 1, N/A = 0
Score per window = weight × rating.
Recovery Time Objective windows, each scored separately: 0 – 24 hrs (12/8/4), 25 – 48 hrs (12/8/4), 49 hrs – 7 days (12/8/4), >1 week (12/8/4). Maximum total across all four windows: (48/32/16) = 96.
Overall Criticality bands:
• Low (>1 wk): 1 – 24
• Medium (49h – 7d): 25 – 49
• High (25 – 48h): 50 – 74
• Critical (0 – 24h): 75 – 96
Worked example (weight × rating in each window, then the row total):
Customer Impact (×3):    3 × 1 = 3 | 3 × 2 = 6 | 3 × 3 = 9 | 3 × 4 = 12 | 30
Operational Impact (×2): 2 × 0 = 0 | 2 × 3 = 6 | 2 × 4 = 8 | 2 × 4 = 8  | 22
Financial Impact (×1):   1 × 4 = 4 | 1 × 4 = 4 | 1 × 4 = 4 | 1 × 4 = 4  | 16
Total: 30 + 22 + 16 = 68
Overall Criticality = High
Calculated RTO = 25 – 48 hrs
Threshold RTO method
If the function was unavailable, what would be the impact?
Establish an RTO Threshold = Critical, applied across Customer, Operational and Financial Impact.
The Function RTO is the earliest RTO window in which Critical is selected for any impact.
In the worked example above, Financial Impact is Critical in the 0 – 24 hrs window, so this is your Function RTO: 0 – 24 hrs.
Overall Criticality = Critical
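As an added example (not part of the presentation and not RecoveryPlanner's own code), the formula-based scoring and the threshold method described above, implemented in Python with the deck's weights, rating values, criticality bands and worked example; the dictionary layout and function names are my own assumptions.

```python
# Added example: RTO / criticality scoring as described in the slides.
# Weights, rating values and bands are the deck's; the data layout is assumed.
WEIGHTS = {"Customer": 3, "Operational": 2, "Financial": 1}
RATING = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "N/A": 0}
WINDOWS = ["0-24 hrs", "25-48 hrs", "49 hrs-7 days", ">1 week"]
# Overall criticality bands: (upper score bound, label, calculated RTO window)
BANDS = [(24, "Low", ">1 week"), (49, "Medium", "49 hrs-7 days"),
         (74, "High", "25-48 hrs"), (96, "Critical", "0-24 hrs")]


def weighted_score(ratings):
    """Sum weight x rating over every impact category and every time window."""
    total = 0
    for category, per_window in ratings.items():
        if len(per_window) != len(WINDOWS):
            raise ValueError(f"{category}: expected {len(WINDOWS)} ratings")
        total += sum(WEIGHTS[category] * RATING[r] for r in per_window)
    return total


def formula_rto(ratings):
    """Formula-based method: map the total score to a band and its RTO window."""
    score = weighted_score(ratings)
    for upper, label, window in BANDS:
        if score <= upper:
            return score, label, window
    raise ValueError(f"score {score} exceeds the maximum of 96")


def threshold_rto(ratings, threshold="Critical"):
    """Threshold method: earliest window in which any impact reaches the threshold.

    Returns None when no impact ever reaches it (the function has no threshold RTO).
    """
    for i, window in enumerate(WINDOWS):
        if any(RATING[pw[i]] >= RATING[threshold] for pw in ratings.values()):
            return window
    return None


# The worked example from the slides, one rating per window for each impact.
EXAMPLE = {
    "Customer":    ["Low", "Medium", "High", "Critical"],
    "Operational": ["N/A", "High", "Critical", "Critical"],
    "Financial":   ["Critical", "Critical", "Critical", "Critical"],
}

if __name__ == "__main__":
    print(formula_rto(EXAMPLE))    # (68, 'High', '25-48 hrs')
    print(threshold_rto(EXAMPLE))  # 0-24 hrs
```

The two methods disagree on the same input (High / 25 – 48 hrs versus Critical / 0 – 24 hrs), which is why the deck treats the choice of method as something to settle while establishing the process.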
• Gathering the Information (Data Collection)
  • Create a consistent Questionnaire for everyone
  • Set up BIA Workshops and/or Interviews
  • Quantify as much as possible – gather FACTS
  • Quantify responses OVER TIME (Impacts/RTOs)
  • Ask people what they do. Don't assume.
• Documenting / Organizing the Information
  • Prioritize by Criticality
  • Report the facts for discussion – do not provide opinion
  • Be careful of adding "conversational" notes that are not factual
• Analyzing the Collected Information
  • Note trends/observations that you have uncovered
Analyzing Your Data: By Department, By Criticality, Resource Report
• Presenting the BIA Results to Management
  • Create high level / "easy on the eye" reporting
  • Executive Summary Reports
    • Objectives / Goals / Scope
    • Methodology
    • Participants
    • Summary of Results
    • Most Critical Items
    • Concerns
    • Recommendations
[Sample BIA report charts: Overall Function Count; Functions by Criticality (Critical, High, Significant, Medium, Low); Accounting Department Functions; Department Functions by RTO (0-24 Hours 43%, 2-3 Days 27%, 3-5 Days 14%, 5-10 Days 9%, 10+ Days 7%); Resource RTO Distribution (0-24 Hours, 2-3 Days, 3-5 Days, 5-10 Days, 10+ Days); Resource Summary Count]
Common Mistakes
Mistakes to Avoid
• Minimal or No Management Support
• Backing into the BIA Results
• Lack of Preparation for the Interviews/Meetings
• Gathering Too Much Data
• Focus on the Tools/Applications instead of the Processes
• Doing a Risk Assessment and NOT a BIA (do both)
• No Timely Follow Up / Result Presentation
• Unclear Presentation of Results
References
• ISO Standards
  • ISO 22301:2012 Societal security – Business continuity management systems
  • ISO 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
• DRII.org Professional Practices
• NCUA.gov – Letter # 06-CU-12; Letter # 01-CU-21
• Ready.gov https://www.ready.gov/business/implementation/IT
• Gartner – IT Library https://www.gartner.com/it-glossary/library
• FFIEC https://ithandbook.ffiec.gov/ – BCP Examination Booklet; BCP Examiners Checklist (IT Work Program)
Thank you!
Questions?
Sherri Flynn, MBCP, CISM
Contact us for an online demo
www.RecoveryPlanner.com
877.455.9990