9 June 2009
Alex van Os de Man
BCI Forum 2009
Business Impact Analysis Process
Why perform a Business Impact Analysis?
If you don’t know what the impacts are to your
business processes and systems, there is no way to
focus your recovery effort or to write your
Business Continuity Plan.
Life Cycle of BCM
Key BIA Objectives
• To enable business areas to determine their critical business
activities
• To increase BCM awareness and identify impacts that business
interruption will cause to the business and customers
• To establish and prioritise timelines for the recovery of critical
business processes, resources, systems and documentation
• To identify inter-dependencies
Determine Critical Business Activities
The key activities during this stage are to:
• Define the business area and its location of business
• At a high level, identify key functional
responsibilities/processes and associated tasks undertaken by
the business area
Positioning the BIA process?
• Understanding the Business (who we are, what we do)
• Understanding the Organisation (who does what)
• BIA Ownership (what are our priorities)
• Buy-In (managing expectations)
Impact Assessment
The key activities during this stage are to:
• Determine the impact to the business if the business processes
could not be performed, in a worst case scenario
• Apply financial, reputational & legal/compliance risk criteria
to rate the impact against each business process
• Use at a minimum the following time scales – within 1 day,
within 1 week, within 4 weeks, after 1 month
• Use the severity ratings – High, Medium, Low
Recovery Objective Setting
Against each defined business process, identify the Recovery
Time Objective (RTO) & the Recovery Point Objective (RPO)
• RTO – The maximum downtime that the business is
prepared to accept before the process will need to be recovered
(this measurement is independent of the RPO)
• RPO – The point to which you require IT to restore your data to
the backup systems in order to achieve your recovery objectives
Recovery Profile Analysis
The key activities are to identify and prioritise using the defined
timescales the following:
• Applications required to perform the business processes
• Resources required to perform the business processes
• Equipment (IT/Other) required to support the business processes
• Documentation required to perform the business
processes
Identify essential items to recover Business Processes:
People, Facilities, Information, Equipment, Systems, Data
Dependency Analysis
• Identify key interactions & dependencies between departments,
other locations and business partners (internal & external) that
are part of the business processes
• Identify cross-Business Unit business priorities for Strategic
Business Units that share technology, facility, or staff support
resources that may be constrained in a crisis
BIA Maintenance
• At a minimum, the BIA must be updated once annually
• Or sooner if there are changes in the business composition or
business processes
Next Steps
• Findings from a BIA must be used to make decisions
concerning Business Continuity Management strategies and
solutions
• Business Criticality vs Costs (what the business is prepared to
pay for)