1 July 2011, Singapore
Practical Strategies of Conducting a Business Impact Analysis
Dr Goh Moh Heng PhD BCCE DRCE BCCLA
President
Dr Goh Moh Heng
• President
  – Business Continuity Management (BCM) Institute
  – www.bcm-institute.org
• Managing Director
  – GMH Continuity Architects
  – Asia Pacific BCM Consulting Firm
  – www.GMHasia.com
• Professional BCM Appointments
  – Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org
  – Project Director, Technical Working Group for SS507:2004
• ISO/IEC 24762 Guidelines for BC-DR Services
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
Dr Goh Moh Heng
Prior Appointments
• Government of Singapore Investment Corporation (GIC)
• Standard Chartered Bank
  – Global Head for BCM
• PriceWaterhouse (Coopers)
• Past Certification Board Member for DRI International’s Certification Board
• Past Executive Director for DRI Asia
• Senior Technical Advisor, China Business Continuity Management Forum
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
BCM Institute
• Started in January 2005.
• Provide competency based BC-DR training to all levels.
• Certify BC-DR professionals globally.
• Started Certification programme in April 2007.
• More than 1500 professionals from 850 organizations and 40 countries.
Professional Certification
Business Continuity
IT Disaster Recovery
BCM Audit
Membership
Agenda
• What Exactly is BIA?
  – Key concepts
• Strategic, tactical and operational BIA
• Walkthrough of BIA Template
Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2
Business Impact Analysis
How-to Do It?
Business Continuity Management Body of Knowledge 3
• Implement business impact analysis (BIA) process.
  – Understand the principles and scope of the BIA process.
  – Apply the BIA implementation process.
  – Understand the available BIA data collection mechanisms.
  – Determine and apply the appropriate BIA data collection mechanism.
  – Design a custom tailored BIA questionnaire.
• Gather BIA Information.
  – Identify activities that support Critical Business Functions (CBF) and identify owners.
  – Determine impacts of a disruption to each activity/process across the organization that may damage organization's reputation, assets or financial position.
  – Quantify timescales where interruption becomes unacceptable to organization.
  – Determine key requirement for organization-wide tolerable downtime.
  – Determine Inter-dependencies and intra-dependencies.
  – Identify vital records needed for recovery.
  – Identify and document CBFs, critical processes and critical application.
• Determine continuity resources.
  – Provide the resource information to determine or recommend recovery strategies.
  – Identify internal and external resource requirements to support activities.
  – Quantify the people, technology and telephony resources required over time to maintain business activities at an acceptable level and within the maximum tolerable period of disruption.
• Seek Executive Management Approval.
  – Seek sign off of requirements by process owners.
  – Present requirements to executive management and seek approval to adopt the findings as the basis for determining a BC strategy.
http://www.bcmpedia.org/wiki/BCMBoK_3:_Business_Impact_Analysis
Mandatory Understanding of BIA Terminology
• Minimum Business Continuity Objective (MBCO)
• Business Impact Analysis (BIA)
• Critical Business Function (CBF)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• Impact
  – Quantitative
  – Qualitative
Business Impact Analysis Steps
• Determine information to gather
• Tailor questionnaires to internal requirements
• Conduct training on completion of questionnaire
• Collate and review questionnaires
• Conduct selective interviews
• Consolidate and analyze data
• Summarize and present findings
Recovery Time Objective
The maximum tolerable time within which Critical Business Functions must be restored to their MBCO.
[Figure: timeline (axis: Time) marking Point of Disruption and Resumption of Critical Functions; label: Time-Sensitive Systems are Operational with Current & Accurate Data]
RTO versus RPO
[Figure: two scales, Recovery Point and Recovery Time, each marked Secs, Mins, Hrs, Days, Wks]
BCMpedia
www.bcmpedia.org
Minimum Business Continuity Objective (MBCO)
• is the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during an incident, emergency or disaster.
• is set by the Executive Management of the organization and can be influenced, dictated and/or changed by current regulatory requirements or industry practices.
• The definition provided here rephrases the operational perspective into an objective - the mission objective for BCM
MBCO
Strategic
• Corporate MBCO
Tactical
• BU MBCO
Operational
• Individual BU BIA Submission
BCM Policy
• Impact over time at corporate level
• Approved by Executive Management
Recovery Strategy
• Confirm BU-level impact over a timescale due to loss of CBFs
• Summary of resource requirement
BU BC Plan
• Activity-based RTO
Walkthrough of a BIA Questionnaires Workbook
Minimum Business Continuity Objective
No. | Minimum Business Continuity Objective
P1: Identify BU and Business Functions
(a) Business Unit | (b) Business Unit Code | (c) Business Function | (d) Business Function Code | (e) Description
Workbook
P2: Identification of Impact
(b) Business Function Code | (c) Impact Area | (d) Monetary Loss | (e) Calculation of Monetary Loss | (f) Remarks
P3: Impact Over Time
(a) Business Function Code | (b) Impact Area | (c) Impact Over Time | (d) RTO | (e) MTPD
Impact Over Time intervals: 4 hrs, 1 day, 2 days, 3 days, 5 days, 7 days, 10 days, 14 days, 20 days, 30 days, 60 days, 90 days
P4: Vulnerable Periods of Critical Business Functions
(a) Business Function Code | (b) Recovery Time Objective (RTO) | (c) Recovery Point Objective (RPO) | (d) Vulnerable Periods
P5: Resources Required for Critical Business Functions during a Crisis
(a) Business Function Code | (b) No of Staff (Min Qty) | (c) Tel (Min Qty) | (d) No of PCs (Qty) | (e) Commercial Software on PCs (Name of Software) | (f) Application/Systems (Name of Application/System) | (g) External Info System or Service | (h) Other Resources or Special Equipment (State Name and Qty)
TOTAL*
P6: Inter-dependencies
(a) Business Function Code | (b) Type of Dependency | (c) Target Dept/Vendor | (d) Description on Nature of Dependency
P7: Vital Records
(a) Business Function Code | (b) Description of Vital Records | (c) Media Type | (d) Location (Onsite/Backup Storage) | (e) In Whose Care
BCM Institute Forum
Building a Community
bcmi.groupsite.com
80% Asian and Middle Eastern BCM and DR Professionals
Summary
• Provide a key understanding on the fundamentals of BIA
• Understand the strategic, tactical and operational aspects of BIA
• Experienced a walkthrough of BIA process using template
• Be aware of tools and guides
THANK YOU
Dr Goh Moh Heng
President
Mobile: +65 96711022
Tel: +65 63231500
Fax: +65 63230933
Email: moh_heng@bcm-institute.org