Many organizations have adopted the ISO 22301 standard for their business continuity management systems. Recently, ISO has released the new ISO 22317 Standard for Business Impact Analysis. In this webinar, learn about several different strategies to build an effective BIA that will help you advance your business continuity strategies. Presenter: This webinar was presented by Bryan Strawser, Principal Consultant & CEO at Bryghtpath LLC, who has more than 21 years of experience. Link of the recorded webinar published on YouTube: https://youtu.be/19r2u3zJp1o

1. 1
Assessing the Impact of a Disruption
Building an effective business impact analysis (BIA) approach using the new ISO 22317 BIA standard
Bryan Strawser - @bryanstrawser
Principal Consultant & CEO, Bryghtpath LLC

2. 2
Bryan Strawser
Principal Consultant & CEO
Bryan Strawser is Principal Consultant & CEO at Bryghtpath LLC, who has more than 21
years of experience.
.
+1-612-235-6435
bryan.strawser@bryghtpath.com
www.bryghtpath.com
linkedin.com/in/bryanstrawser
twitter.com/bryanstrawser

4. We are a strategic advisory firm that specializes in global risk, business continuity,
emergency management, crisis communications, and public affairs

5. • Formerly BS25999
• Adopted globally in 2012
• Intersects with other ISO
Standards
– Ex: ISO 27001
• Establish and maintain a
Business Continuity
Management System
• Accreditation
• Certification
– Implementer / Lead
– Auditor / Lead
5
ISO 22301:2012
Societal Security – Business Continuity Management Systems

6. • Scope
• Terms and definition
• Organizational Context
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
6
ISO 22301 Content
Structure and Content of ISO 22301

7. Business Continuity
Capability of the organization to continue delivery of
products or services at acceptable predefined levels
following a disruptive incident
Business Impact Analysis
Process of analyzing activities and the effect that a
business disruption might have upon them
7
ISO 22301: Clause 3
Key Definitions

8. 8.2: Business Impact Analysis (BIA) and Risk Assessment
• 8.2.2 Business Impact Analysis
– Identifying activities that support the provision of products and services
– Assessing the impacts over time of not performing these activities
– Setting prioritized timeframes for resuming these activities
– Identifying dependencies and supporting resources
• 8.2.3 Risk Assessment
– Identify risks of disruption to the organization’s prioritized activities
– Systematically analyze risk
– Evaluate which disruption related risks requirement treatment
– Identify treatments commensurate with business continuity objectives
and in accordance with the organization’s risk appetite
8
ISO 22301: Clause 8
Operations

9. 9
ISO 22301 & ISO 22317
Interconnected Standards
Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | bryan@bryghtpath.com
ISO 22301
ISO 22317
• Provides high level definition of BIA
• Outlines some required documentation
• Establishes the “How-to” for the BIA
• Provides greater detail in BIA planning,
execution, and required documentation

10. • Be the basis for continually improving the organization’s BIA
– Ongoing review
– Event-triggered activities
• Guide the organization in planning, conducting, and reporting on the BIA
• Assist the organization in its BIA in a manner consistently reflecting good
practices
• Provides for proper coordination between the BIA and the overarching
business continuity program (or BCMS)
10
ISO 22317
The Basics

11. • Financial
– Lost profits, diminished market share, fines, penalties
• Reputational
– Damage to the brand, negative public opinion
• Legal & Regulatory
– Loss of license, litigation, increased operational costs
• Contractual
– Breach of contract or service obligation
• Business Objectives
– Failing to deliver on objectives, unable to take advantage of opportunities
11
ISO 22317
Looking at the BIA

12. • Endorsing or modifying the overall scope of your BCMS
• Focusing & identifying your governing obligations
• Setting timeframes and priorities for restoring the business
following a disruptive incident
• Identifying and articulating the relationships between everything
the business does
• Determining the people, facilities, equipment needed to do what is
necessary to get the business up and running
12
ISO 22317
The “Outputs” of your BIA process

13. 13
ISO 22317
Impact over Time

14. • The BIA should be monitored on a periodic basis
• The BIA should be reviewed when triggered by an event:
– Product or service change
– Regulatory change
– Company organizational change
– Following a disruptive event or exercise
14
ISO 22317
Monitoring and Reviewing the BIA

15. • It is critical that your BIA process and results be reviewed and
validated regularly by your senior management team.
• A proper BIA will have impact on future capital, expense, and
organizational decisions that your company will need to
make.
15
ISO 22317
Senior Leadership Validation

16. 16
ISO 22317
Process Diagram

17. 17
ISO 22317
Process Diagram

18. Individual Meetings
• Individual meetings to capture
– Organizational information, technology usage/dependencies,
interconnectedness with other teams
– Connectivity to corporate strategies, impact of disruption
– Tolerance of downtime
Analysis
• Analysis and tiering of information received through individual meetings
Senior leadership validation
18
Example ISO 22317 BIA Process
Small business with 15-20 departments

19. Initial Analysis - Survey
• E-mailed survey using internal tool to midlevel managers
– Organizational information, technology usage/dependencies,
interconnectedness with other teams
– Connectivity to corporate strategies, impact of disruption
– Tolerance of downtime
• Analysis completed on data received through survey tool
• Impact information was used to create tiers for recovery – business and
technology
Follow-on Analysis – In-person / small group meetings
• Small group discussions for validation of received data
• Approximately 30% of teams defined as “critical” were selected for
follow-on analysis
Senior leadership validation
19
Example ISO 22317 BIA Process
Fortune 50 Global Retailer

20. • Develop ways to clearly explain the outputs of your BIA process in a
manner easily understandable by your business leaders
– Recovery tiers
– Interdependence of processes, facilities, and technologies
– Gaps in actual versus “needed” recovery time
• Operational metrics are good to share, but do not tell the whole story
– # of interviews conducted
– # of critical processes or teams
• Gaps will indicate areas where leadership attention should be focused
– Ex: Actual recovery time versus required recovery time
20
Example ISO 22317 BIA Process
Metrics

21. Crisis Management as a Competitive Advantage
21
Source: 2012 Hurricane Sandy RILA Survey
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
10/29 10/30 10/31 11/1 11/2 11/3
Target (195) Sears/K-Mart (236) Macy's (200) Walmart (294) Best Buy (125)

22. Learn more about us at http://bryghtpath.com
Join our newsletter at http://bryghtpath.com/newsletter
Contact Information:
• +1.612.235.6435
• Bryan.Strawser@bryghtpath.com
22
Questions & Answers

23. 23
Assessing the Impact of a Disruption
Building an effective business impact analysis (BIA) approach using the new ISO 22317 BIA standard
Bryan Strawser - @bryanstrawser
Principal Consultant & CEO, Bryghtpath LLC

24. 24
Issue: Feb 2013 MMCAFRICA - EMS Auditor / Lead Auditor Training Course
?
QUESTIONS
THANK YOU
+1-612-235-6435
bryan.strawser@bryghtpath.com
www.bryghtpath.com
linkedin.com/in/bryanstrawser
twitter.com/bryanstrawser