
Dr. Wolfgang H. Mahr, M.Sc., BBA, MBCI, CISA

governance & continuuuity gmbh


CH-8408 Winterthur, Switzerland
www.continuuuity.ch
LinkedIn, XING, Twitter, YouTube
wolfgang.mahr@continuuuity.ch

© 2015 IT-SeCX 2015-11-06


• Why a BIA?
• BIA in the BCM Lifecycle
• Outcomes of the BIA
• BIA supporting BCM Goals
• ISO 22317 on the BIA
• BIA Approaches
• Challenges when doing a BIA
• Sokrates Maps – what’s this?
• Sokrates Maps Benefits and Applications
• Sokrates Maps for the BIA
• BIA Critical Success Factors

This contribution underlines the fundamental importance of one of the most important
phases in the BCM lifecycle – the BIA.

Subsequent phases, such as selecting one or more business continuity strategies
or formulating a BC plan, offer a much smaller space of choices than the BIA,
which is primarily an information-gathering stage charged with understanding the
business.

Critically important information needs to be unearthed and, ideally, no important
aspect should be omitted or forgotten. This is the reason why ISO TC 292 (formerly 223),
after developing ISO 22301 and ISO 22313, has embarked on developing a standard on
the BIA: ISO 22317.

This paper focuses on a visualization and presentation method newly applied to the BIA
process, in order to better understand a company’s processes, resources and their
interdependencies.

• BCM is a cyclic process
• BCM is based on continuous improvement
• BIA helps you know your processes better
• BIA is the base for the subsequent development of one or more Business Continuity Strategies
• …

• Increasing the efficiency of the organisation
• Evaluate alternative strategic planning options
• Assist in long-term strategy decision making
• Assist in developing a risk analysis
• …

BIA in the BCM lifecycle

Reference: The Business Continuity Institute

BIA in the BCM lifecycle

Reference: ISO 22301:2012

• Major outcomes include:
◦ Validation of the organisation’s BC programme scope
◦ Identification of requirements the organisation
◦ Determination of the impacts of disruptions over time
◦ Identification of relationships between
▪ Products/services
▪ Processes
▪ Activities
▪ Resources
◦ Resources needed to perform prioritised activities
▪ Such as facilities, people, assets, supplies, financial resources
◦ Dependencies and interrelationships
◦ …

BIA supporting BCM Goals
• Protecting company value and reputation
• Safeguarding the reputation and future of the company in an emergency
• Increasing shareholder value and demonstrating commitment by management
• Assuring the survival of the company in the case of a serious incident
• Minimizing financial losses in case of an incident or emergency

ISO/TS 22317 on BIA
• Developed by ISO TC 292 (“Security and Resilience”)
• Currently as DTS (Draft Technical Specification)
• Published in September 2015
• Based on ISO 22301, ISO 22313 and ISO 22300
• Focus on Performing the BIA:
◦ Project Planning and Management
◦ Product and Service Prioritisation
◦ Process Prioritisation
◦ Activity Prioritisation
◦ Analysis and Consolidation
◦ Top Management Endorsement of BIA Results
• Annexes on
◦ Terminology Mapping
◦ Information Collection Methods

BIA Approaches
• Gold, Silver, Bronze
• Strategic / Tactical
• Iterations
• Questionnaires
• Workshops
• Interviews
◦ Middle Management
◦ Process Owners

Challenges when doing a BIA
• Commitment
• Level of effort
• “Right” effort
• Correctness / Completeness
• No excessive overlap / no white spots

Sokrates Maps – what’s this?

Sokrates Maps – Benefits
• Benefits
◦ Foundation of method
◦ Psychological background
◦ Common view across hierarchies and disciplines
◦ Discover new:
▪ Ideas
▪ Facts
▪ Relationships
▪ Dependencies
• Communicate & visualize
• Hierarchical view on complex situations
• Electronic representation, communication and archiving

Sokrates Maps - Applications

• Board Level view of a hospital:
• Get the big picture
◦ Based on details

Sokrates Maps for BIA
• Visualisation of the standards (psychological foundation)
◦ ISO 22301, ISO 22317 (maturity model)
• Assessment tool, BIA support tool
◦ Presentation of BIA findings (electronic representation, communication and archiving)
◦ Usage as questionnaire (maturity model, psychological foundation)
▪ Single person or in workshops
◦ Visualisation (hierarchical, common view across disciplines)
▪ Overlaps (discover ideas, facts, relationships, dependencies)
▪ Gaps (discover ideas, facts, relationships, dependencies)
▪ Redundancies (discover ideas, facts, relationships, dependencies)
◦ Enhanced BIA quality and maturity

BIA Critical Success Factors
• Follow best practices such as
◦ BCI’s Good Practice Guidelines and/or
◦ ISO Standards such as ISO 22301, ISO 22313 and ISO/TS 22317
• Obtain top management commitment
• Apply project management methodologies
• Follow a BIA approach fit for the selected type of BIA
• Use an approach compatible with the company’s structure
• Deploy tools helping to obtain a “true and fair” representation of products, services, priorities, dependencies and requirements
• Develop a hierarchical view on complex situations
• Use electronic representation, communication and archiving

Thank you
