Business Impact Analysis - The Most Important Step during BCMS Implementation

This webinar gave an overview of the ISO 22301:2012 requirements regarding Business Impact Analysis, the importance of the BIA, and how to avoid the most common mistakes.

Main points covered:
• Overview of ISO 22301:2012 requirements regarding Business Impact Analysis
• How to avoid the most common mistakes and obtain reliable data from the BIA?
• The significance of the BIA

Presenter:
Renata Davidson has worked in the Business Continuity Management area since 1998. She was the first professional in Central and Eastern Europe to be certified by Disaster Recovery Institute International. During the course of her career, she has led tens of projects for "Blue Chip" companies in Poland, in all sectors of the economy. She is the founder and CEO of Davidson Consulting & Partners LLC, a partnership of experts specializing in business continuity, operational risk management and process management.

Link of the recorded session published on YouTube: https://youtu.be/3rVhrGQk8cE

  2. Renata Davidson, Owner & President, Davidson Consulting LLP
     She has worked in the Business Continuity Management area since 1998. She was the first professional in Central and Eastern Europe to be certified by Disaster Recovery Institute International. She is the founder and CEO of Davidson Consulting & Partners LLC, a partnership of experts specializing in business continuity, operational risk management and process management.
     Contact information: +48 506 055 412, renatad@davidson.pl, www.davidson.pl, https://pl.linkedin.com/in/renatadavidson
  3. Webinar agenda
     • Overview of ISO 22301:2012 requirements regarding Business Impact Analysis
     • How to avoid the most common mistakes and obtain reliable data from the BIA?
     • The significance of the BIA
  4. Who are we?
     • The expert company,
     • 18 years of experience,
     • More than 150 BCM projects conducted in all industry sectors,
     • Proven methodology - compliant with all BCM standards,
     • Competences in related fields of risk management and business process modelling.
  5. Business Continuity Management
     Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
     Source: ISO 22301:2012, clause 3.4.
  6. BIA - Overview of ISO 22301:2012 requirements (clause 8.2.2)
     • Identification of activities that support the provision of products and services;
     • Assessing the impacts over time of not performing these activities;
     • Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
     • Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
     Source: ISO 22301:2012, clause 8.2.2.
  7. Context of an organisation
     • Community
     • Environment
     • Shareholders
     • Creditors
     • Employees
     • Customers
     • Business partners
     • Regulators
     • Public administration
     • Supervisory bodies
     [Diagram labels: Legal req.; Contractual req.; SLA, KPI; Social req.; Business object.; Financial stability]
  8. Context of an organisation – sample requirements
     • Major employer in the city or region,
     • Citizens' wellbeing,
     • Protection of the environment,
     • Obligations towards shareholders,
     • Loan instalments' maturity dates,
     • SLAs, KPIs,
     • Payment terms in agreements with contractors & suppliers,
     • Agreed schedules,
     • Specific terms required by law, i.e. tax declaration submission dates, according to the Accounting Acts in particular countries,
     • Obligatory reporting.
     [Diagram labels: Legal req.; Contractual req.; SLA, KPI; Social req.; Business object.; Financial stability]
  9. BIA – defining the scope
     [Diagram labels: Product, service, legal req.; Operational processes; IT; Settlements; Administration; Reporting; Audit]
  10. BIA impact assessment – recommended approach 1/2
     • Assessment per process,
     • Using the worst-case scenario:
       • The worst possible time for the interruption to occur (month, week, day, time),
       • Interruption affecting the key customers, responsible for the majority of turnover (if relevant to the process),
       • Assume that none of the controls works,
       • Interruption is your company's fault – neglect, human error, etc. (you can't apply the force-majeure clause).
  11. BIA impact assessment – recommended approach 2/2
     • Calculating financial & non-financial losses in the same several timeframes (1h, 4hrs, 24hrs, 48hrs, 72hrs, 5 days):
       • Incremental,
       • Based on the actual financial data from the last 12 months,
       • Using peak values (number of transactions, value of transactions),
       • Using maximum penalty values,
       • Using a non-financial impact scale with discrete values.
  12. BIA – distribution of losses
     [Chart: loss value (scale 0 to 8) over time (4h, 24h, 48h, 1 week) for Process 1 (recurring), Process 2 (contractual req.) and Process 3 (legal req.)]
  13. BIA – setting RTO
     [Chart: loss value (scale 0 to 8) over time (4h, 24h, 48h, 1 week) for Process 1 (recurring), Process 2 (contractual req.) and Process 3 (legal req.), with the RTO marked]
  14. BIA – defining BCM requirements
     BCM requirements:
     • Recovery timeframes (RTO) defined in accordance with the loss estimation
     • Minimum level of process resumption: description, percentage (i.e. % of production output), priorities
     • Maximum time after which business process needs to go back to normal.
  15. BIA – results summary

     | Business Process Owner | Process name | Worst-case scenario | Financial losses | Non-financial impact (1-5) | RTO | Min. level of resumption | Max. time for "back-to-normal" |
     |---|---|---|---|---|---|---|---|
     | Production | Energy & heat production | Energy consumption peak, winter holiday season | 1,000,000 EUR | 4 | 0h | Protecting infrastructure (incl. the distribution network) | 8h |
     | HR | Salary payment | Two days before the payment term | 10,000 EUR | 4 | 24h | Repeating transfers from the last month | 5 days |
     | Finance | Obligatory reporting | Reporting deadlines | 20,000 EUR | 2 | 4h | Submitting report based on available data & correction within 2 days | 48h |
  16. How to avoid the most common mistakes?
     • Avoid the following mistakes:
       • Too wide or too narrow scope of the analysis,
       • Lack of objectivity, expert methods, descriptive methods, where it is not possible to compare results,
       • Using average values,
       • Assessing residual risk instead of inherent risk,
       • Including opportunity costs into the financial losses,
       • Vague descriptions in the non-financial scale (i.e. "significant number", "media interest", etc.),
       • Inconsistencies between the loss level and the worst-case scenario,
       • Inconsistencies between the loss level and the BCM requirements,
       • Unnecessarily repeating the same loss in multiple processes.
  17. BIA significance
     • Defines:
       • scope of the Business Continuity Management System,
       • level of acceptable risk,
       • BCM requirements,
       • causes of losses,
     • Reference point for risk assessment and BCM Strategy.
  18. THANK YOU
     Contact: +48 506 055 412, renatad@davidson.pl, www.davidson.pl, https://pl.linkedin.com/in/renatadavidson