Business Impact Analysis Facilitation Guide
FACILITATION GUIDE
PRESENTATION OVERVIEW
BUSINESS CONTINUITY MANAGEMENT (BCM) DEFINED
Business continuity management (BCM) is the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
COMPONENTS OF A BCM PROCESS
Process Governance
Business Continuity Management
Tested, Documented Procedures
Crisis Organizational Structure
Emergency Operations Center
Alternate Processing Facility
Crisis Communications Process
Trained Personnel
Pre-Positioned Resources
Identified Vital Records, Information and Data
Training and Awareness Program
Plan Testing and Exercise Program
Plan Maintenance Process
Process Owner
WHY PLAN FOR BUSINESS INTERRUPTION?
BCM-RELATED STATISTICS
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA (1/3)
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA (2/3)
The relationship between the BIA and the risk assessment
• Now more than ever, the BIA and the risk assessment are tied together. One can’t be done without the other. Also, the BIA is no longer limited to the internal workings of an organization but extends to the extended enterprise, meaning customers and suppliers are now included.
Change in Scope – The Extended Enterprise
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA (3/3)
Objectives
• In addition to quantifying impact, the end goal of the BIA is to establish business process and/or information technology (IT) system recovery time objectives (RTOs), data loss tolerances (recovery point objectives, RPOs), and even capacity requirements at the RTO (recovery capacity objectives, RCOs).
• Quantify the loss potential
• Qualify other types of loss
• Establish RTO
• Establish RPO
• New Term – RCO?
Common Criticisms…
COMMON CRITICISMS OF THE BIA
Why do BIAs fail? Mainly, the approach and conclusions fail to meet management expectations. Here are some of the more common criticisms.
• The results are too high level.
• Those numbers can’t be right.
• You assumed the worst-case scenario.
• Weak approaches are taken.
• “Yeah, but it depends…”
• That part of the business isn’t critical – they’re just trying to justify their jobs!
• You collected the wrong information from the wrong person.
METHODOLOGY AND APPROACH TO CONDUCTING THE BIA
BIA DATA COLLECTION ISSUES
BIA DATA SOURCES (1/3)
• Use existing process flows, policies and procedures.
− Building process flows and discussing interdependencies during a facilitated session are excellent ways to gather detailed information regarding business functions and risk and impact data. If a business process flow is done correctly, single points of failure, supply chain dependencies, technology dependencies and personnel skill requirements will be highlighted.
• Use loss prevention reports.
• Use the results from process modeling.
BIA DATA SOURCES (2/3)
BIA DATA SOURCES (3/3)
BIA DATA REQUIREMENTS (1/2)
The BIA is highly data intensive. These slides highlight some of the key data elements that must be collected prior to conducting the analysis.
• Customers (and service-level agreements (SLAs))
• Personnel (to include cost of employment and schedules)
• Resources
• Equipment
• Production schedules and timing (cycle times, peaks, start/stop times, variance)
• IT requirements
BIA DATA REQUIREMENTS (2/2)
BCM REGULATORY REQUIREMENTS (1/3)
Regulatory bodies may have a significant impact on the BIA and business/system recovery objectives. Here are some of the key regulatory bodies and standards impacting BCM today.
• National Fire Protection Association (NFPA)
− NFPA 1600 – Standard on Disaster, Emergency Management and Business Continuity Programs
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Federal Financial Institutions Examination Council (FFIEC)
BCM REGULATORY REQUIREMENTS (2/3)
BCM REGULATORY REQUIREMENTS (3/3)
BIA DATA COLLECTION MECHANISMS (1/4)
BIA DATA COLLECTION MECHANISMS (2/4)
BIA DATA COLLECTION MECHANISMS (3/4)
www.fema.gov
www4.ncdc.noaa.gov
www.nhc.noaa.gov
whirlwind100.nssl.noaa.gov
www.eei.org
BIA DATA COLLECTION MECHANISMS (4/4)
• The need for a thorough collection process becomes clear when reviewing the contents of the data-gathering solutions above. Not all of these data-gathering solutions are required for a single project, but a mixture will ensure that no potential risks, threats, impact categories, business processes or applications are overlooked.
• During the data gathering stage, business process owner participation is essential to ensuring that the analysis conveys the thoughts of the business as a whole. The business continuity planner will act as a facilitator during this process. Doing this ensures enterprise-wide business “buy-in.” We also recommend getting multiple viewpoints regarding business process execution, risk and impact.
THE FACILITATED SESSION
CATEGORIES OF RISK (1/2)
• Even though some organizations (and consultancies) treat the BIA and risk assessment separately, the two are closely related and should be addressed as components of a comprehensive BIA. Likely risk scenarios to which the organization is vulnerable are often useful for assessing business impact, and a comprehensive look at risk is necessary to sell management on continuity and recovery strategies. However, the risk assessment is often limited to obvious scenarios, and little is done to dig deep into other, less obvious risks.
CATEGORIES OF RISK (2/2)
POTENTIAL IMPACTS OF AN INTERRUPTION… (1/3)
• Considering the key functions, personnel, resources, technology, regulations, SLAs, internal dependencies and third-party interdependencies, a rigorous BIA calculates the quantifiable loss potential and attempts to measure the less tangible impacts using scientific measurement techniques that minimize assumptions and guesswork. The following slides highlight some of the more common areas the BIA addresses.
POTENTIAL IMPACTS OF AN INTERRUPTION… (2/3)
POTENTIAL IMPACTS OF AN INTERRUPTION… (3/3)
PRESENTING THE RESULTS OF THE BIA (1/3)
What are the best ways to summarize the data I’ve collected and the conclusions I reached?
• Not only is strengthening the scope, approach, and content of a BIA important, but the deliverable is equally critical. One of the first questions a planner should ask prior to the execution of the BIA phase is: “What type of deliverable is executive management looking for?” Often, executives are unsure of what they want because they aren’t sure of the options available.
PRESENTING THE RESULTS OF THE BIA (2/3)
What are the best ways to summarize the data I’ve collected and the conclusions I reached?
• Discuss the type of information and data that is required, how specific the data needs to be and when in the business cycle the measurement should take place.
• Discuss business impacts that can be measured or estimated. Use this list to facilitate the discussion regarding the project scope.
• Discuss ways to collect the data and generate conclusions. Then ask if a worst-case scenario should be used to calculate impact (when the biggest client normally takes delivery of its biggest order annually, year-end closing, etc.) or if all types of variance from a “normal” impact should be reported (e.g., seasonal variation, special reporting requirements, etc.).
PRESENTING THE RESULTS OF THE BIA (3/3)
What are the best ways to summarize the data I’ve collected and the conclusions I reached?
• Discuss the format of the report. If the planner can provide executive management with some samples beforehand, much of the frustration during the revision process of a BIA summary report can be eliminated.
• It depends on the culture of the organization and its management. “A picture is worth a thousand words.” Consider some of the following examples:
SAMPLE BIA DELIVERABLES (1/6)
This spreadsheet captures the recovery time objective (RTO), also known as downtime tolerance, for all systems (both critical and noncritical) for Company X. It shows the relationship between the system and associated business processes and indicates the business processes with the lowest RTO. This chart can also be modified for business process interdependency analysis.

System/Application/Service Connectivity | Cust. Service | E-Commerce | Shipping | Inventory | Corporate Payroll | Business Process | Recovery Time Objective
Corporate Payroll | XX | XX | XX | XX | XX | Payroll | XX
E-Commerce System | XX | XX | XX | XX | XX | Cust. Service, E-Commerce, Shipping | XX
EDI | XX | XX | XX | XX | XX | Cust. Service, Inventory | XX
ERP | XX | XX | XX | XX | XX | Shipping | XX
Fax Router | XX | XX | XX | XX | XX | Cust. Service | XX
Financial System | XX | XX | XX | XX | XX | Cust. Service | XX
Forecasting/Budgeting | XX | XX | XX | XX | XX | Inventory | XX
FTP | XX | XX | XX | XX | XX | Payroll | XX
Intranet | XX | XX | XX | XX | XX | Cust. Service | XX
Inventory System | XX | XX | XX | XX | XX | Cust. Service, E-Commerce, Inventory | XX
ISDN | XX | XX | XX | XX | XX | Payroll | XX
Lotus Notes | XX | XX | XX | XX | XX | Cust. Service, Payroll | XX
Network Server | XX | XX | XX | XX | XX | Shipping, Payroll | XX
PBX System | XX | XX | XX | XX | XX | Cust. Service | XX
Sales Order System | XX | XX | XX | XX | XX | Cust. Service, Inventory | XX
Scanners | XX | XX | XX | XX | XX | Shipping | XX
VAN | XX | XX | XX | XX | XX | Cust. Service | XX
WAN | XX | XX | XX | XX | XX | E-Commerce | XX
SAMPLE BIA DELIVERABLES (2/6)
This graph captures the recovery objective for critical systems used by Company X. It shows the relationship between the critical system and associated business processes. It also indicates each business process's recovery time objective (RTO) and recovery point objective (RPO). The last column shows the business process with the lowest RTO.

Application | Recovery Time Objective | Recovery Point Objective | Business Process(es) within RTO/RPO Timeframe | Lowest Recovery Time Objective
ERP | 0-24 hours | 0-24 hours | Shipping, Customer Service, Inventory | Customer Service
E-Commerce | 0-24 hours | 0-24 hours | Customer Service, Shipping, E-Commerce | Customer Service
Inventory | 0-24 hours | 0-24 hours | Customer Service, E-Commerce, Shipping, Inventory | Customer Service
Sales Order System | 0-24 hours | 25-72 hours | Inventory, Customer Service | Customer Service
Corporate Payroll | 0-24 hours | 0-24 hours | Payroll, Customer Service | Payroll
Recovery Timeframe Legend
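The two deliverables above relate each system to the business processes it supports and report the tightest recovery objective among those processes. As an added example (not code from the guide or from Company X), the following Python rolls stated business-process RTOs and RPOs up to the supporting systems, propagates objectives across process interdependencies in the way the first deliverable's interdependency analysis suggests, and flags systems whose current recovery capability is slower than the RTO the business requires. Process and system names follow the slides; the hour values, dependency links and capability figures are constructed for illustration.

```python
"""Roll business-process recovery objectives up to supporting systems.

Added example, not code from the original guide.  Process and system names
follow the sample deliverables; hour values, dependency links and current
capability figures are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class BusinessProcess:
    name: str
    rto_hours: int          # recovery time objective: tolerable downtime
    rpo_hours: int          # recovery point objective: tolerable data loss
    depends_on: list = field(default_factory=list)  # upstream processes


# Constructed: objectives stated by each process owner in the facilitated
# session.  E-Commerce and Shipping both need Inventory to operate.
PROCESSES = {
    "Customer Service": BusinessProcess("Customer Service", 4, 4),
    "E-Commerce": BusinessProcess("E-Commerce", 8, 4, ["Inventory"]),
    "Shipping": BusinessProcess("Shipping", 24, 24, ["Inventory"]),
    "Inventory": BusinessProcess("Inventory", 72, 24),
    "Payroll": BusinessProcess("Payroll", 72, 72),
}

# Constructed: which business processes each system supports (the marked
# cells of the first deliverable's system/process matrix).
SYSTEM_SUPPORTS = {
    "ERP": ["Shipping", "Customer Service", "Inventory"],
    "E-Commerce System": ["Customer Service", "E-Commerce", "Shipping"],
    "Inventory System": ["Inventory", "Shipping"],
    "Sales Order System": ["Customer Service", "Inventory"],
    "Corporate Payroll": ["Payroll"],
    "Fax Router": ["Customer Service"],
}

# Constructed: how quickly each system can be recovered today (hours).
CAPABILITY_HOURS = {
    "ERP": 48,
    "E-Commerce System": 2,
    "Inventory System": 8,
    "Sales Order System": 24,
    "Corporate Payroll": 48,
}


def effective_objectives(processes):
    """Propagate objectives to upstream dependencies until stable.

    If process A cannot run without process B, B must be back at least as
    fast as A, so B inherits the tighter of the two RTOs (likewise RPOs).
    Values only ever decrease, so the loop reaches a fixed point.
    """
    eff = {n: (p.rto_hours, p.rpo_hours) for n, p in processes.items()}
    changed = True
    while changed:
        changed = False
        for p in processes.values():
            rto, rpo = eff[p.name]
            for upstream in p.depends_on:
                up_rto, up_rpo = eff[upstream]
                tightened = (min(up_rto, rto), min(up_rpo, rpo))
                if tightened != (up_rto, up_rpo):
                    eff[upstream] = tightened
                    changed = True
    return eff


def system_objectives(system_supports, processes):
    """Derive each system's RTO/RPO from the processes it supports.

    The system RTO is the lowest effective RTO among its processes; the
    process that sets it is reported, matching the deliverables' lowest-RTO
    column.  Ties are broken alphabetically so the result is deterministic.
    """
    eff = effective_objectives(processes)
    result = {}
    for system, supported in system_supports.items():
        driver = min(supported, key=lambda n: (eff[n][0], n))
        result[system] = {
            "rto_hours": eff[driver][0],
            "rpo_hours": min(eff[n][1] for n in supported),
            "lowest_rto_process": driver,
        }
    return result


def recovery_gaps(objectives, capability_hours):
    """Systems whose current recovery capability is slower than the required
    RTO; a system with no known capability counts as a gap."""
    return sorted(
        system for system, obj in objectives.items()
        if capability_hours.get(system, float("inf")) > obj["rto_hours"]
    )


if __name__ == "__main__":
    objectives = system_objectives(SYSTEM_SUPPORTS, PROCESSES)
    for system, obj in objectives.items():
        print(f"{system:20} RTO {obj['rto_hours']:>3}h  RPO {obj['rpo_hours']:>3}h"
              f"  driven by {obj['lowest_rto_process']}")
    print("Recovery gaps:", recovery_gaps(objectives, CAPABILITY_HOURS))
```

With the constructed data, Inventory's own stated RTO of 72 hours tightens to 8 hours because E-Commerce depends on it, so the Inventory System inherits an 8-hour RTO even though no process owner asked for that directly; this is the kind of result the facilitated session should surface before the numbers reach the summary report.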
SAMPLE BIA DELIVERABLES (3/6)
[Chart: y-axis in millions (0 to 120,000,000); series plotted are Max No of Operations, Min No of Operations and Min Manual Operations, with per-period values redacted as XX.]
This chart shows the
SAMPLE BIA DELIVERABLES (4/6)
[Risk matrix: consequence severity plotted on a scale beginning at Very Low; risk scenarios shown include Terrorism, Flooding, Workplace Violence and Crime.]
SAMPLE BIA DELIVERABLES (5/6)
This is an excellent way to depict business process or system-specific recovery time objectives on a timeline while at the same time showing the available continuity/recovery solutions below it.
SAMPLE BIA DELIVERABLES (6/6)
This high-level process flow chart could be matched to a narrative/summary of the business process based on client interviews, facilitated sessions and questionnaire results. Flow charts are helpful because the business continuity planner can easily see single points of failure, dependencies, interdependencies, and other business risks. Additionally, risk scenarios identified in the risk assessment can be overlaid on the flow chart to show where they could occur, hence where the risk could interrupt the process.