1 July 2011Singapore

Practical Strategies of Conducting a Business Impact

Analysis

2

PRACTICAL STRATEGIES OF CONDUCTING A BUSINESS IMPACT

ANALYSIS

Dr Goh Moh Heng PhD BCCE DRCE BCCLA

President

Dr Goh Moh Heng

• President– Business Continuity Management

(BCM) Institute– www.bcm-institute.org

• Managing Director– GMH Continuity Architects– Asia Pacific BCM Consulting Firm– www.GMHasia.com

• Professional BCM Appointments– Technical Advisor for TR19:2005 &

SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org

– Project Director, Technical Working Group for SS507:2004 • ISO/IEC 24762 Guidelines for BC-DR

Serviceshttp://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

Dr Goh Moh Heng

Prior Appointments• Government of Singapore Investment

Corporation (GIC)• Standard Chartered Bank

– Global Head for BCM

• PriceWaterhouse (Coopers)

• Past Certification Broad Member for DRI International’s Certification Board

• Past Executive Director for DRI Asia• Senior Technical Advisor, China

Business Continuity Management Forum

http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

BCM Institute

• Started in January 2005.• Provide competency based BC-DR training

to all levels.• Certify BC-DR professionals globally.• Started Certification programme in April

2007.• More than 1500 professionals from 850

organizations and 40 countries.

Professional Certification

Business Continuity

IT Disaster Recovery

BCM Audit

Membership

Agenda

• What Exactly is BIA?– Key concepts

• Strategic, tactical and operational BIA

• Walkthrough of BIA Template

Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2

Business Impact Analysis

How-to Do It?

9

Business Continuity Management Body of Knowledge 3

• Implement business impact analysis (BIA) process. – Understand the principles and scope of the BIA process. – Apply the BIA implementation process. – Understand the available BIA data collection mechanisms. – Determine and apply the appropriate BIA data collection mechanism. – Design a custom tailored BIA questionnaire.

• Gather BIA Information. – Identify activities that support Critical Business Functions (CBF) and identify owners. – Determine impacts of a disruption to each activity/process across the organization that may damage

organization's reputation, assets or financial position. – Quantify timescales where interruption becomes unacceptable to organization. – Determine key requirement for organization-wide tolerable downtime. – Determine Inter-dependencies and intra-dependencies. – Identify vital records needed for recovery. – Identify and document CBFs, critical processes and critical application.

• Determine continuity resources. – Provide the resource information to determine or recommend recovery strategies. – Identify internal and external resource requirements to support activities. – Quantify the people, technology and telephony resources required over time to maintain business activities

at an acceptable level and within the maximum tolerable period of disruption.

• Seek Executive Management Approval. – Seek sign off of requirements by process owners. – Present requirements to executive management and seek approval to adopt the findings as the basis for

determining a BC strategy.

http://www.bcmpedia.org/wiki/BCMBoK_3:_Business_Impact_Analysis

Mandatory Understanding of BIA Terminology

• Minimum Business Continuity Objective (MBCO)

• Business Impact Analysis (BIA)• Critical Business Function (CBF)• Recovery Time Objective (RTO)• Recovery Point Objective (RPO)• Impact – Quantitative– Qualitative

Business Impact Analysis Steps

• Determine information to gather• Tailor questionnaires to internal

requirements• Conduct training on completion of

questionnaire• Collate and review questionnaires• Conduct selective interviews• Consolidate and analyze data• Summarize and present findings

Recovery Time Objective

Resumption of Critical Functions

Time-SensitiveSystems are Operational

with Current &Accurate Data

Time

Point ofDisruption

The maximum tolerable time within which Critical Business Functions must be

restored to its MBCO

Time-Sensitive

Systems are Operational

Recovery Time Objective

RTO versus RPO

SecsMinsHrsDays Wks Secs Mins Hrs Days Wks

Recovery Point Recovery Time

BCMpedia

www.bcmpedia.org

Minimum Business Continuity Objective (MBCO)

• is the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during an incident, emergency or disaster.

• is set by the Executive Management of the organization and can be influenced, dictated and/or changed by current regulatory requirements or industry practices.

• The definition provided here rephrases the operational perspective into an objective - the mission objective for BCM

16

MBCO

Strategic

• Corporate MBCO

Tactical

• BU MBCO

Operational

• Individual BU BIA Submission

BCM Policy • Impact over time at corporate level• Approved by Executive Management

Recovery Strategy

• Confirm BU-level impact over a timescale due to loss of CBFs• Summary of resource requirement

BU BC Plan •Activity-based RTO

1 July 2011Singapore

Walkthrough of a BIA Questionnaires Workbook

Minimum Business Continuity Objective

No. Minimum Business Continuity Objective

P1: Identify BU and Business Functions

Business Unit

Business Unit Code

Business Function

Business Function

CodeDescription

(a) (b) (c) (d) (e)

Workbook

P2: Identification of Impact

Business Function

CodeImpact Area

Monetary Loss

Calculation of Monetary

LossRemarks

(b) (c) (d) (e) (f)

Workbook

P3: Impact Over Time

Business Function

CodeImpact Area

Impact Over Time

RTO MTPD

4 hrs

1 day

2 days

3 days

5 days

7 days

10 days

14 days

20 days

30 days

60 days

90 days

(a) (b) (c) (d) (e)

Workbook

P4: Vulnerable Periods of Critical Business Functions

Business Function

Code

Recovery Time

Objective (RTO)

Recovery Point

Objective (RPO)

Vulnerable Periods

(a) (b) (c) (d)

Workbook

P5: Resources Required for Critical Business Functions during a Crisis

Business Function

Code

No of Staff (Min Qty)

Tel (Min Qty)

No of PCs (Qty)

Commercial Software on PCs (Name of

Software)

Application/ Systems(Name of

Application/ System)

External Info System or

Service

Other Resources or Special

Equipment (State Name and Qty)

(a) (b) (c) (d) (e) (f) (g) (h)

TOTAL*

Workbook

P6: Inter-dependencies

Business Function

Code

Type of Dependency

Target Dept/ Vendor

Description on Nature of

Dependency

(a) (b) (c) (d)

Workbook

P7: Vital Records

Business Function

Code

Description of Vital Records

Media Type

Location (Onsite/ Backup

Storage)

In Whose Care

(a) (b) (c) (d) (e)

Workbook

BCM Institute ForumBuilding a Community

bcmi.groupsite.com

80% Asian and Middle Eastern BCM

and DR Professionals

Summary

• Provide a key understanding on the fundamentals of BIA

• Understand the strategic, tactical and operational aspects of BIA

• Experienced a walkthrough of BIA process using template

• Be aware of tools and guides

THANK YOU

Dr Goh Moh HengPresident

Mobile: +65 96711022Tel: +65 63231500Fax: +65 63230933

Email: moh_heng@bcm-institute.org