9 juni 2009

Alex van Os de Man

BCI Forum 2009

Business Impact Analysis Process

Why perform a Business Impact Analysis ?

If you don’t know what the impacts are to your

business processes and systems, there is no way to

focus how you are going to recover as well as to

write your Business Continuity Plan

Life Cycle of BCM

Key BIA Objectives

• To enable business areas to determine their critical business

activities

• To increase BCM awareness and identify impacts that business

interruption will cause to the business and customers

• To establish and prioritise timelines for the recovery of critical

business processes, resources, systems and documentation

• To identify inter-dependencies

Determine Critical Business Activities

The key activities during this stage are to:

• Define the business area and its location of business

• At a high level, identify key functional

responsibilities/processes and associated tasks undertaken by

the business area

Positioning the BIA process ?

• Understanding the Business (who we are, what we do)

• Understanding the Organisation (who does what)

• BIA Ownership (what are our priorities)

• Buy-In (managing expectations)

Impact Assessment

The key activities during this stage are to:

• Determine the impact to the business if the business processes

could not be performed, in a worst case scenario

• Apply a financial, reputational & legal/compliance risk criteria

impact against each business process

• Use at a minimum the following time scales – within 1 day,

within 1 week, within 4 weeks, after 1 month

• Use the severity ratings – High, Medium, Low

Recovery Objective Setting

Against each defined business process, identify the Recovery

Time Objective (RTO) & the Recovery Point Objective (RPO)

•RTO – Is the maximum acceptable downtime that the business is

prepared to accept before the process will need to be recovered

(this measurement is independent of the RPO)

•RPO – The point to which you require IT to restore your data to

the backup systems in order to achieve your recovery objectives

Recovery Profile Analysis

The key activities are to identify and prioritise using the defined

timescales the following:

•Applications required to perform the business processes

•Resources required to perform the business processes

•Equipment (IT/Other) required to support the business processes

•Documentation required in the performing of the business

processes

People

Facilities

Information

Equipment

Systems

Data

Identify essential items to recover Business Processes

Dependency Analysis

• Identify key interactions & dependencies between departments,

other locations and business partners (internal & external) that

are part of the business processes

• Identify cross-Business Unit business priorities for Strategic

Business Units that share technology, facility, or staff support

resources that may be constrained in a crisis

BIA Maintenance

• At a minimum, the BIA must be updated once annually

• Or sooner if there are changes in the business composition or

business processes

Next Steps ……..

• Findings from a BIA must be used to make decisions

concerning Business Continuity Management strategies and

solutions

• Business Criticality vs Costs (what the business is prepared to

pay for)