Business continuity - 5 key steps to effective business impact analysis
BUSINESS IMPACT ANALYSIS
JUSTIN MORAN, FCA, CISA
• RCU’s observations from on-site engagements in 2014 highlighted incomplete business
continuity plans and failure to implement testing of same.
• RCU highlighted that failure to have a formal BCP in place may result in:
- disruption of member services and a delay in getting services back into operation
- business-critical information to become unavailable
- resilience of critical IT systems not being sufficient
- not having verified the effectiveness of the BCP plan and therefore hitting problems
when trying to implement it in a time of crisis
• Evidence that credit unions are investing considerable time and money developing plans:
- without properly prioritising and analysing business processes;
- without making informed decisions on potential downtimes and consequences; and
- consequently wasting resources on choosing inefficient or costly recovery strategies.
• An efficient and effective business impact analysis (or assessment) is critical to the
development of a successful business continuity & IT disaster recovery plan.
TOP 5 KEY STEPS TO BUSINESS IMPACT ANALYSIS
1. Identify and analyse key processes and sub-processes.
2. Identify the key resources used to support each process, including:
- minimum number of people required
- IT systems and data
3. Identify the maximum allowable downtime (including potential cost impact) in the event of
disruption for each of those processes.
4. Prioritise the restoration of processes and systems based on the maximum allowable
downtime and system risk ranking.
5. Use the business impact analysis to inform the development of the recovery strategy.
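The five steps above can be worked through as a small prioritisation script. This is an added example, not material from the presentation or from RCU; the processes, staffing numbers, system names, downtimes, hourly costs and risk rankings are constructed sample values for a fictional credit union. It shows steps 2 to 5: recording the resources each process depends on, ordering restoration by maximum allowable downtime and risk ranking, and deriving from that the recovery target each IT system must meet (a system shared by several processes inherits the shortest allowable downtime among them).

```python
"""Restoration-priority ranking from a business impact analysis.

Added example, not part of the original presentation. All processes,
resources, downtimes, costs and risk rankings below are constructed
sample data for a fictional credit union, not figures from the page.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    min_staff: int               # minimum number of people required (step 2)
    systems: list                # IT systems and data the process depends on (step 2)
    max_downtime_hours: float    # maximum allowable downtime (step 3)
    cost_per_hour: float         # estimated cost of disruption per hour (step 3)
    risk_rank: int               # system risk ranking, 1 = highest risk (step 4)


# Constructed sample BIA register (assumed values, not from the page).
SAMPLE_PROCESSES = [
    Process("Member withdrawals and lodgements", 3, ["core-banking", "teller-app"], 4, 2500.0, 1),
    Process("Loan approvals", 2, ["core-banking", "loan-system"], 48, 400.0, 2),
    Process("Payroll", 1, ["payroll-system"], 120, 150.0, 3),
    Process("Marketing newsletter", 1, ["email-platform"], 720, 10.0, 4),
]


def prioritise(processes):
    """Step 4: order processes for restoration.

    Shortest maximum allowable downtime first; ties are broken by risk
    rank, then by the potential cost of an outage lasting the full
    allowable window (largest exposure first).
    """
    return sorted(
        processes,
        key=lambda p: (p.max_downtime_hours, p.risk_rank,
                       -p.cost_per_hour * p.max_downtime_hours),
    )


def system_recovery_targets(processes):
    """Step 5: derive a recovery time target for each IT system.

    A system shared by several processes must be restored within the
    shortest allowable downtime among the processes that depend on it;
    a recovery strategy that misses this target fails the process too.
    """
    targets = {}
    for p in processes:
        for s in p.systems:
            targets[s] = min(targets.get(s, float("inf")), p.max_downtime_hours)
    return targets


def minimum_staff(processes, within_hours):
    """Headcount needed to run every process that must be back within within_hours."""
    return sum(p.min_staff for p in processes if p.max_downtime_hours <= within_hours)


if __name__ == "__main__":
    for rank, p in enumerate(prioritise(SAMPLE_PROCESSES), start=1):
        exposure = p.cost_per_hour * p.max_downtime_hours
        print(f"{rank}. {p.name}: restore within {p.max_downtime_hours}h, "
              f"exposure up to {exposure:,.0f}")
    targets = system_recovery_targets(SAMPLE_PROCESSES)
    for system, hours in sorted(targets.items(), key=lambda kv: kv[1]):
        print(f"system {system}: recovery target {hours}h")
    print("staff needed in first 48h:", minimum_staff(SAMPLE_PROCESSES, 48))
```

The register is deliberately small, but the three functions are the checks a plan review actually needs: whether the restoration order follows the downtime and risk data rather than whoever shouted loudest, whether each system's recovery target is shorter than every dependent process allows, and whether the staff assumed available in the first days can actually cover the processes due back in that window.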
SAMPLE CLASSIFICATION SYSTEM
Classification of systems
Critical These functions cannot be performed unless they are replaced by identical
capabilities. Critical applications cannot be replaced by manual methods.
Tolerance to interruption is very low; therefore cost of interruption is very high.
Vital These functions can be performed manually, but only for a brief period of time.
There is a higher tolerance to interruption than with critical systems and,
therefore, somewhat lower costs of interruption, provided the functions are
restored within a certain timeframe (usually 5 days or less).
Sensitive These functions can be performed manually, at a tolerable cost, for an extended
period of time. While they can be performed manually, it usually is a difficult
process and requires additional staff to perform.
Non-critical These functions may be interrupted for an extended period of time, at little or no
cost to the organisation, and require little or no resumption time investment when