Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Business continuity - 5 key steps to effective business impact analysis

839 views

Published on

Business Continuity - How to perform business impact analysis

Published in: Services
  • Be the first to comment

  • Be the first to like this

Business continuity - 5 key steps to effective business impact analysis

  1. 1. BUSINESS CONTINUITY BUSINESS IMPACT ANALYSIS JUSTIN MORAN, FCA, CISA June 2015
  2. 2. OVERALL CONTEXT • RCU’s observations from on-site engagements in 2014 highlighted incomplete business continuity plans and failure to implement testing of same. • RCU highlighted that failure to have a formal BCP in place may result in: - disruption of member services and a delay in getting services back into operation - business-critical information to become unavailable - resilience of critical IT systems not being sufficient - not having verified the effectiveness of the BCP plan and therefore hitting problems when trying to implement it in a time of crisis • Evidence that credit unions are investing considerable time and money developing plans: - without properly prioritising and analysing business processes; - without making informed decisions on potential downtimes and consequences; and - consequently wasting resources on choosing inefficient or costly recovery strategies. • An efficient and effective business impact analysis (or assessment) is critical the development of a successful business continuity & IT disaster recovery plan. 2
  3. 3. TOP 5 KEY STEPS TO BUSINESS IMPACT ANALYSIS 1. Identify and analyse key processes and sub processes. 2. Identify the key resources used to support each process, including: minimum number of people required IT systems and data physical records physical locations 3. Identify the maximum allowable downtime (including potential cost impact) in the event of disruption for each of the those processes. 4. Prioritise the restoration of processes and systems based on the maximum allowable downtime and system risk ranking. 5. Use the business impact analysis to inform the development of the recovery strategy. 3
  4. 4. SAMPLE CLASSIFICATION SYSTEM 4 Classification of systems Classification Description Critical These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore cost of interruption is very high. Vital These functions can be performed manually, not only for a brief period of time. there is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided the functions are restored within a certain timeframe (usually 5 days or less). Sensitive These functions can be performed manually, at a tolerable cost, for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform Non-critical These functions may be interrupted for an extended period of time, at little of no cost to the organisation, and require little of no resumption time investment when restored.

×