Monday, March 24, 2014

Tackling the Business Impact Analysis

A new business continuity analyst will need to create and/or update the organization's Business Impact Analysis (BIA). If this is a task that is new to the organization, then the analyst will need to scope the document and set out the definitions that will be used. Ideally the entire organization will be represented in one or more BIAs. The analyst should present to the sponsoring executive the plan for accomplishing the BIAs. The analyst will need to:


a) describe the objectives of the BIA,

b) show that the focus will be on the business processes,

c) introduce the concepts and terminology such as (RTO), and

d) identify the planned sources of information and validation.

It is important to focus on processes rather than procedures. There should be relatively few processes, however each process can have many procedures. To use an example common to many organizations, the Human Resources Department may have four processes: hiring/termination, benefits, periodic reviews, and payroll. The procedures for each of these processes may change repeatedly due new software, regulations or vendor requirements. Therefore the analyst should not try to capture details of the procedures but reference their location within the department. Depending on the organization, BIAs may be reviewed and updated on a periodic basis. In addition to periodic updates, any significant changes to business process(es) should prompt a BIA review.

Given resource or budget constraints, if BIAs can not be done for the entire organization, then the analyst needs to work with the sponsoring executive to determine which departments and processes are to be considered core to the organization’s mission.

For each process the BIA will identify the needed resources. These include people (do not forget any on premise long-term consultants), facilities, equipment, and supporting information technology. The analyst will need to note any unique features of the facility that the process uses (e.g. loading dock, clean rooms, vaults). A roster of staff and roles is important to understanding the scale of the process and the relative impact should members of the staff become unable to work. Regarding the IT resources needed, be sure to include required reference databases with applications. Also query the business for any specialized communications gear or production equipment such as check printers. Remember any handheld devices which are needed to generate sales or manage logistics. While business moves relentlessly to electronic formats, an inventory of required paper-based documents and supplies needs to be inventoried.

Once the who, what, and where have been established, the next step is determining the impact to the organization if the process can not be done. Various metrics and units of measure can be used; the analyst needs to assimilate what has been learned so far and determine the outage time frames to be used in the discussion and analysis.

What are the time frames of a business or transaction cycle? Are tasks and deliverables accomplished in weeks, days, hours, minutes, or seconds? Depending on what the business timeframes are, construct an appropriate scale for determining impacts over time. Impacts can have various dimensions: financial, reputational, legal, regulatory plus any dimension that may be important to the organization. Again, need to determine the scales for each dimension you use. The disaster may also involve the loss of data. The analyst must determine with management how little data can be lost and the associated time frame(s).

The result will be a series of RTO values that need to be coupled with RPO values.

As an analyst, you will now have a wealth of data. It is up to you to turn this data into Information that can be used in the subsequent steps towards the goal of a robust business continuity program. You will need to clearly identify the processes that are necessary for the business to carry out its mission and provide management with an understanding as to the impact should a given process stops. This will provide the inputs to the risk assessment and the basis for the business continuity plans to follow.
Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from a scratch to cover six trading locations with two recovery sites with data centers.  He has done business impact analysis and emergency management consulting work with Datalink, Inc.  Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.
______________________________________________________

0 Comments:

Post a Comment