
BUSINESS IMPACT ANALYSIS

FACILITATION GUIDE
PRESENTATION OVERVIEW

• Planning for Business Interruptions
• Business Continuity Management Defined
• The Business Impact Analysis (BIA) and Common Criticisms
• Methodologies and Approaches to Conducting the BIA
• “Tools” Available to Execute a BIA
• Presenting the Results of the BIA
• Conclusion

2
BUSINESS CONTINUITY MANAGEMENT (BCM) DEFINED

Business Continuity Management

Business continuity management (BCM) is the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

BCM is equivalent to crisis management, business resumption planning and IT disaster recovery planning.

3
COMPONENTS OF A BCM PROCESS

Process Governance
Business Continuity Management
Tested, Documented Procedures
Crisis Organizational Structure
Emergency Operations Center
Alternate Processing Facility
Crisis Communications Process
Trained Personnel
Pre-Positioned Resources
Identified Vital Records, Information and Data
Training and Awareness Program
Plan Testing and Exercise Program
Plan Maintenance Process
Process Owner

4
WHY PLAN FOR BUSINESS INTERRUPTION?

• Customer Service-Level Agreements and Demands
• The Odds of an Interruption
• The Consequences of an Interruption
• The “Lean” Organization that Lacks Redundancy and Excess Capacity
• Regulatory Requirements and Associated Fines/Penalties

5
BCM-RELATED STATISTICS

Primary Reasons Organizations Have a BCP (20XX)

[Pie chart; categories: Regulatory Compliance, Stakeholder Protection, Past Business Interruption, Corporate Image, Other. Segment values shown on the slide: 34%, 26%, 20%, 5%, 5%; the slide does not label which value belongs to which category.]

Source: CPM July/August 20XY

6
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA
(1/3)

Business Impact Analysis

BIA Defined
• Business impact analysis is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding the continuity of operations.

The “Business Continuity Plan (BCP) Blueprint”
• If performed correctly, the BIA is the BCP blueprint. It establishes the business case for spending finite funding on a process traditionally viewed as a glorified insurance policy.

The Business Case for BCM

7
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA
(2/3)

The relationship between the BIA and the risk assessment
• Now more than ever, the BIA and the risk assessment are tied together. One can’t be done without the other. Also, the BIA is no longer limited to the internal workings of an organization but rather to the extended enterprise, meaning customers and suppliers are now included.

Change in Scope – The Extended Enterprise

8
METHODOLOGIES AND APPROACHES TO CONDUCTING THE BIA
(3/3)

Objectives

• In addition to quantifying impact, the end goal of the BIA is to establish business process and/or information technology (IT) system recovery objectives (RTOs), data loss tolerances (recovery point objectives – RPOs), and even capacity requirements at the RTO (recovery capacity objectives).
  − Quantify the loss potential
  − Qualify other types of loss
  − Establish RTO
  − Establish RPO
  − New Term – RCO?
Common Criticisms…

9
COMMON CRITICISMS OF THE BIA

Why do BIAs fail? Mainly, the approach and conclusions fail to meet management expectations. Here are some of the more common criticisms.
• The results are too high level.
• Those numbers can’t be right.
• You assumed the worst-case scenario.
• Weak approaches are taken.
• “Yeah, but it depends…”
• That part of the business isn’t critical – they’re just trying to justify their jobs!
• You collected the wrong information from the wrong person.

10
METHODOLOGY AND APPROACH TO CONDUCTING THE BIA

• Work through a steering committee.
• Identify what the deliverables should look like and the desired content.
• Develop an initial scope.
• Identify process-level experts in the subject matter.
• Develop data gathering plans.
• Summarize findings.
• Conduct analysis and develop conclusions.
• Validate findings with subject matter experts.
• Present validated findings to executive management for buy-in.
• Transition to strategy development.

11
BIA DATA COLLECTION ISSUES

Experts and some data analysis methodologies (including Six Sigma) often cite the need to collect the same or similar information up to three times to ensure that the data is accurate and consistent. This is particularly true when asking for subjective information from employees, managers and executives.

The following slides address some of the diverse solutions available to collect data or set up the data collection plan for business impact analysis purposes.

12
BIA DATA SOURCES (1/3)

What type of data sources should I use?

• Use existing process flows, policies and procedures.
  − Building process flows and discussing interdependencies during a facilitated session are excellent ways to gather detailed information regarding business functions and risk and impact data. If a business process flow is done correctly, single points of failure, supply chain dependencies, technology dependencies and personnel skill requirements will be highlighted.
• Use loss prevention reports.
• Use the results from process modeling.

13
BIA DATA SOURCES (2/3)

What type of data sources should I use?

• Use IT system or application logs.
  − In addition to using logs for security purposes, system and application-based logs are a good way to see who is using the systems. Users of certain applications are more likely to be able to provide input regarding the risk and impact of downtime.
• Use audit reports.
  − The last thing that organizations should do is spend time and money on analysis that has already been completed. For organizations that have evaluated the risk environment or business continuity management processes, audit reports conducted by internal and external auditors can be valuable input into the risk assessment process.

14
BIA DATA SOURCES (3/3)

What type of data sources should I use?

• Use financial reports.
• Use departmental budgets.
  − The most common method of calculating business impact is utilizing financial reports and budgets. Lost sales, idle personnel costs and other opportunity costs are easily obtained using these documents.
• Use production schedules.
  − A review of current and historical production schedules provides input regarding average levels of production, as well as variations.
• How does your organization forecast business and measure results?

15
BIA DATA REQUIREMENTS (1/2)

What type of data should I be looking for?

The BIA is highly data intensive. These slides highlight some of the key data elements that must be collected prior to conducting the analysis.
• Customers (and service-level agreements (SLAs))
• Personnel (to include cost of employment and schedules)
• Resources
• Equipment
• Production schedules and timing (cycle times, peaks, start/stop times, variance)
• IT requirements

16
BIA DATA REQUIREMENTS (2/2)

What type of data should I be looking for?

• Communications needs
• Vital records and data needs
• Dependencies and interdependencies
• Throughput
• Risk perception
• Regulatory requirements
• Existing data and records backup/management process
• Existing manual workarounds

17
BCM REGULATORY REQUIREMENTS (1/3)

Regulatory bodies may have a significant impact on the BIA and business/system recovery objectives. Here are some of the key regulatory bodies and standards impacting BCM today.
• National Fire Protection Association (NFPA)
  − NFPA 1600 – Standard on Disaster, Emergency Management and Business Continuity Programs
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Federal Financial Institutions Examination Council (FFIEC)

18
BCM REGULATORY REQUIREMENTS (2/3)

• Occupational Safety and Health Administration (OSHA)
• Foreign Corrupt Practices Act (FCPA)
• U.S. Securities and Exchange Commission (SEC)
• International Organization for Standardization (ISO)
  − ISO 9000 – Standards for Quality Management Systems
  − ISO 14000 – Environmental Management Standards
• QS 9000 – Quality Systems Handbook
• State Insurance Departments

19
BCM REGULATORY REQUIREMENTS (3/3)

Critical Infrastructure Protection

• Federal Energy Regulatory Commission (FERC)
  − Draft security standards for electric market participants.
• Federal Reserve Board (FRB)
  − Draft a whitepaper on sound practices to strengthen the resilience of the U.S. financial system.

20
BIA DATA COLLECTION MECHANISMS (1/4)

What are the best ways to collect the data?

• Questionnaires
  − To streamline the data collection process, use a structured data collection tool to consistently ask the same questions of various business process owners and support personnel. MS Word or Excel-based questionnaires are adequate, but advanced online questionnaires that assist in pattern identification and conclusion analysis are available and easy to manipulate.
  − Personnel are more likely to click on a link and answer a questionnaire than open a file, fill it out, save the results and email it back. The questionnaire should be the fundamental mechanism to collect baseline business process, risk and impact data.

21
BIA DATA COLLECTION MECHANISMS (2/4)

What are the best ways to collect the data?

• Facilitated Sessions
  − Facilitated sessions are designed to collect data in small groups and effectively build on the data obtained through the questionnaire. Keys to success include creating a structured approach to the meeting, building a nonthreatening environment to share ideas and setting expectations regarding meeting objectives.
• Data-intensive methodologies like Six Sigma

22
BIA DATA COLLECTION MECHANISMS (3/4)

What are the best ways to collect the data?

• Research third-party data sources.
  − Third parties have accumulated a considerable body of research, emphasizing environmental risk and some manmade risks (crime, workplace violence, etc.). Third-party data is important given the fact that it adds independence and objectivity.

www.fema.gov
www4.ncdc.noaa.gov
www.nhc.noaa.gov
whirlwind100.nssl.noaa.gov
www.eei.org

23
BIA DATA COLLECTION MECHANISMS (4/4)

What are the best ways to collect the data?

• The necessity of a thorough collection process is discerned when reviewing the contents of the above data-gathering solutions. Not all these data-gathering solutions are required for a single project, but a mixture will ensure that no potential risks, threats, impact categories, business processes or applications are overlooked.
• During the data gathering stage, business process owner participation is essential to ensuring that the analysis conveys the thoughts of the business as a whole. The business continuity planner will act as a facilitator during this process. Doing this ensures enterprisewide business “buy-in.” We also recommend getting multiple viewpoints regarding business process execution, risk and impact.

24
THE FACILITATED SESSION

Plan to Conduct the Facilitated Session:

• Customers
• Products and Services
• Vendors and Suppliers
• Other Process Inputs
• Technology Usage
• Process-Level Steps
• Revenue or Production Numbers
• Cycle Time
• Personnel Costs
• Facility Costs
• Fixed Equipment Costs
• Brainstorming Risks

Provide discussion topics in advance so participants are prepared.

25
CATEGORIES OF RISK (1/2)

What conclusions should I reach, based on my analysis?

• Even though some organizations (and consultancies) treat the BIA and risk assessment separately, the two are closely related and should be addressed as a component of a comprehensive BIA. Likely risk scenarios to which the organization is vulnerable are often useful to assess business impact, and a comprehensive look at risk is necessary to sell management on continuity and recovery strategies. However, the risk assessment is often limited to obvious scenarios, and little is done to dig deep into other, less obvious risks.

26
CATEGORIES OF RISK (2/2)

What conclusions should I reach, based on my analysis?

• Environmental Risks
• Manmade Risks (Accidental and Intentional)
• Business Process-Related Risks
  − Single Points of Failure
  − Personnel
  − Supply Chain
• Information Technology Availability Risks

27
POTENTIAL IMPACTS OF AN INTERRUPTION… (1/3)

What conclusions should I reach, based on my analysis?

• Considering the key functions, personnel, resources, technology, regulations, SLAs, internal dependencies and third-party interdependencies, a rigorous BIA calculates the quantifiable loss potential and attempts to measure the less tangible impacts using scientific measurement techniques that minimize assumptions and guesswork. The following slides highlight some of the more common areas the BIA addresses.

28
POTENTIAL IMPACTS OF AN INTERRUPTION… (2/3)

• Work Stoppage
• Opportunity Costs
• Idle Workforce and Resources
• Regulatory Noncompliance
• Financial Loss
• Loss of Investor Confidence
• Reputation Impairment
• EHS Impairment (OSHA)
• Loss of Market Share

29
POTENTIAL IMPACTS OF AN INTERRUPTION… (3/3)

• Lost Sales
• Cash Flow Interruption
• Financial Control/Reporting
• Customer Service
• Vendor Relations
• Employee Morale/Retention
• Market Reaction
• Contractual Default
• Lost Discounts

30
PRESENTING THE RESULTS OF THE BIA (1/3)

What are the best ways to summarize the data I’ve collected
and the conclusions I reached?

• Not only is strengthening the scope, approach, and content of a BIA important, but the deliverable is equally critical. One of the first questions a planner should ask prior to the execution of the BIA phase is: “What type of deliverable is executive management looking for?” Often, executives are unsure of what they want because they aren’t sure of the options available.

31
PRESENTING THE RESULTS OF THE BIA (2/3)

What are the best ways to summarize the data I’ve collected
and the conclusions I reached?

• Discuss the type of information and data that is required, how specific the data needs to be and when in the business cycle the measurement should take place.
• Discuss business impacts that can be measured or estimated. Use this list to facilitate the discussion regarding the project scope.
• Discuss ways to collect the data and generate conclusions. Then ask if a worst-case scenario should be used to calculate impact (when the biggest client normally takes delivery of its biggest order annually, year-end closing, etc.) or if all types of variance from a “normal” impact should be reported (e.g., seasonal variation, special reporting requirements, etc.).

32
PRESENTING THE RESULTS OF THE BIA (3/3)

What are the best ways to summarize the data I’ve collected
and the conclusions I reached?

• Discuss the format of the report. If the planner can provide executive management with some samples beforehand, much of the frustration during the revision process of a BIA summary report can be eliminated.
• It depends on the culture of the organization and its management. “A picture is worth a thousand words.” Consider some of the following examples:

33
SAMPLE BIA DELIVERABLES (1/6)

This spreadsheet captures the recovery time objective (RTO), also known as downtime tolerance, for all systems (both critical and noncritical) for Company X. It shows the relationship between the system and associated business processes and indicates the business processes with the lowest RTO. This chart can also be modified for business process interdependency analysis.

The slide also carries one column per business process (Cust. Service, E-Commerce, Shipping, Inventory, Payroll, Corporate Connectivity) and a Recovery Time Objective column; every one of those cells is redacted as XX.

System/Application/Service | Business Process(es) | Recovery Time Objective
Corporate Payroll | Payroll | XX
E-Commerce System | Cust. Service, E-Commerce, Shipping | XX
EDI | Cust. Service, Inventory | XX
ERP | Shipping | XX
Fax Router | Cust. Service | XX
Financial System | Cust. Service | XX
Forecasting/Budgeting | Inventory | XX
FTP | Payroll | XX
Intranet | Cust. Service | XX
Inventory System | Cust. Service, E-Commerce, Inventory | XX
ISDN | Payroll | XX
Lotus Notes | Cust. Service, Payroll | XX
Network Server | Shipping, Payroll | XX
PBX System | Cust. Service | XX
Sales Order System | Cust. Service, Inventory | XX
Scanners | Shipping | XX
VAN | Cust. Service | XX
WAN | E-Commerce | XX

34
SAMPLE BIA DELIVERABLES (2/6)

This graph captures the recovery objective for critical systems used by Company X. It shows the relationship between the critical system and associated business processes. It also indicates each business process's recovery time objective (RTO) and recovery point objective (RPO). The last column shows the business process with the lowest RTO.

Columns on the slide: Application | Recovery Time Objective | Business Process(es) within RTO Timeframe | Recovery Point Objective | Business Process(es) within RPO Timeframe | Lowest Recovery Time Objective. The rows, with the RTO and RPO process lists combined where the slide layout does not separate them:

Application | RTO | RPO | Associated Business Process(es) | Lowest RTO
ERP | 0-24 hours | 0-24 hours | Shipping, Customer Service, Inventory | Customer Service
E-Commerce | 0-24 hours | 0-24 hours | Customer Service, Shipping, E-Commerce | Customer Service
Inventory | 0-24 hours | 0-24 hours | Customer Service, E-Commerce, Shipping | Customer Service
Sales Order System | 0-24 hours | 25-72 hours | Inventory, Customer Service | Customer Service
Corporate Payroll | 0-24 hours | 0-24 hours | Payroll, Customer Service | Payroll
Forecasting/Budgeting | 25-72 hours | 0-24 hours | Inventory | Inventory
Financial | 1-3 weeks | (not shown) | Customer Service | Customer Service

Recovery Timeframe Legend: 0-24 hours; 25-72 hours; 1-3 weeks; Greater Than 72 hours

35
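The “lowest RTO” column above is a derivation, not a data entry: a system must recover at least as fast as the most time-sensitive process that depends on it. The following Python is an added example (not the deck’s own material and not Company X data) that derives each system’s RTO/RPO from constructed process-level objectives and a system-to-process dependency list, buckets the result into the slide’s recovery timeframe legend, and flags systems whose current recovery capability cannot meet the derived objective. Process names, hour values, bucket edges and the capability figures are all assumptions.

```python
"""Derive system RTO/RPO from business-process objectives (constructed example)."""
from dataclasses import dataclass

# Recovery timeframe legend from the slide; the hour edges are an assumption.
LEGEND = (("0-24 hours", 24), ("25-72 hours", 72), ("Greater than 72 hours", float("inf")))


@dataclass(frozen=True)
class Objective:
    rto_hours: float  # downtime the business process can tolerate
    rpo_hours: float  # data loss (measured in time) the process can tolerate


# Constructed per-process objectives, as collected via questionnaires and sessions.
PROCESS_OBJECTIVES = {
    "Customer Service": Objective(rto_hours=8, rpo_hours=4),
    "Shipping": Objective(rto_hours=24, rpo_hours=24),
    "Inventory": Objective(rto_hours=48, rpo_hours=8),
    "E-Commerce": Objective(rto_hours=12, rpo_hours=1),
    "Payroll": Objective(rto_hours=72, rpo_hours=24),
}

# Constructed system -> dependent business processes (the XX matrix on the slide).
SYSTEM_DEPENDENCIES = {
    "ERP": ["Shipping", "Customer Service", "Inventory"],
    "Sales Order System": ["Inventory", "Customer Service"],
    "Corporate Payroll": ["Payroll"],
    "Forecasting/Budgeting": ["Inventory"],
}


def bucket(hours):
    """Map an hour value onto the slide's recovery timeframe legend."""
    for label, upper in LEGEND:
        if hours <= upper:
            return label
    raise ValueError(f"no legend bucket for {hours} hours")


def derive_system_objectives(deps, objectives):
    """Return {system: (rto_hours, rpo_hours, lowest_rto_process, rto_bucket)}.

    A system inherits the tightest objective of every process that depends on it:
    the lowest process RTO drives the system RTO and the lowest RPO drives the
    system RPO. A process with no collected objective is an error, not a default.
    """
    result = {}
    for system, processes in deps.items():
        missing = [p for p in processes if p not in objectives]
        if missing:
            raise KeyError(f"{system}: no objective collected for {missing}")
        driver = min(processes, key=lambda p: objectives[p].rto_hours)
        rto = objectives[driver].rto_hours
        rpo = min(objectives[p].rpo_hours for p in processes)
        result[system] = (rto, rpo, driver, bucket(rto))
    return result


def recovery_gaps(derived, achievable_rto_hours):
    """Systems whose achievable recovery time exceeds the derived RTO; a system
    missing from the capability table counts as unrecoverable."""
    return sorted(s for s, (rto, _, _, _) in derived.items()
                  if achievable_rto_hours.get(s, float("inf")) > rto)


if __name__ == "__main__":
    derived = derive_system_objectives(SYSTEM_DEPENDENCIES, PROCESS_OBJECTIVES)
    for system, (rto, rpo, driver, label) in derived.items():
        print(f"{system:22} RTO {rto:>3}h ({label})  RPO {rpo:>3}h  driven by {driver}")
    # Constructed current capabilities (hours) from the IT recovery plan.
    print("gaps:", recovery_gaps(derived, {"ERP": 36, "Sales Order System": 8, "Corporate Payroll": 48}))
```

Every system the capability table omits is reported as a gap, so an incomplete IT recovery plan shows up in the deliverable rather than being silently assumed recoverable.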
SAMPLE BIA DELIVERABLES (3/6)

[Bar chart: potential financial impact (vertical axis in millions, 0 to 120,000,000) for the periods 0-12 hours, 12-24 hours, Day 2, Day 3, Day 4, Day 5 and Week 2]

This chart shows the potential financial impact of an interruption of operations over two weeks. The financial impact includes revenues lost and additional costs (payroll, fines, etc.) that Company X would incur during an interruption.

| 0-12 hours | 12-24 hours | Day 2 | Day 3 | Day 4 | Day 5 | Week 2
Max No of Operations | XX | XX | XX | XX | XX | XX | XX
Min No of Operations | XX | XX | XX | XX | XX | XX | XX
Min Manual Operations | XX | XX | XX | XX | XX | XX | XX

36
SAMPLE BIA DELIVERABLES (4/6)

Prioritize Risks: Likelihood x Severity x Detectability

[Risk matrix: Consequence Severity (Very Low, Low, Medium, High, Very High) against Risk Probability (Very Low, Low, Medium, High, Very High); plotted scenarios: Supplier Failure, Terrorism, Flooding, Fire, Workplace Violence, Crime]

This “typical” graph shows severity vs. likelihood, which visually assists with prioritization of risk mitigation.

37
SAMPLE BIA DELIVERABLES (5/6)

This is an excellent way to depict business process or system-specific recovery time objectives on a timeline while at the same time showing the continuity/recovery solutions available below.

38
SAMPLE BIA DELIVERABLES (6/6)

[Process flow chart; swimlanes: Customer Service Rep, Printer, Warehouse Personnel, QA, Carrier, AR; supporting systems: ERP, Credit Card Authorization]

• Customer service processes the order.
• Orders print at the shipping facility.
• Orders are manually picked and packed.
• Shipment is audited and staged.
• Package pickup is by a third-party carrier.
• The credit card payment is processed.
• The process ends.

This high-level process flow chart could be matched to a narrative/summary of the business process based on client interviews,
facilitated sessions and questionnaire results. Flow charts are helpful because the business continuity planner can easily see single
points of failure, dependencies, interdependencies, and other business risks. Additionally, risk scenarios identified in the risk
assessment can be overlaid on the flow chart to show where they could occur, hence where the risk could interrupt the process.

39
