Business Impact Analysis module 3.ppt
1. Dr. Eng. Ezzedine El Hamzaoui
Phases of Business Continuity Planning
Business Impact Analysis (BIA)
Phases of Business Continuity Planning
BC planning typically includes five phases:
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment process
1- BCP Governance
The aim is to establish control.
The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams that develop and execute the plan(s)/documents.
Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
The number and scope of the teams will vary depending on the organization's size, function and structure.
It may be necessary to form multi-task teams and provide cross-team training.
The team data shall be documented in the plans/documents.
Consider decentralization as a way to provide better resiliency.
Examples:
An alternate site coordination team
Contracting and procurement team
Damage assessment team
Crisis Management team
Finance and accounting team
Hazardous materials team
Insurance team
Legal issues team
Telecommunications / alternate communications team
Equipment team
Public and media relations team
Transport coordination team
Records management team
The duties and responsibilities for each team must be defined, including:
1. The team leader
2. The team members
3. The specific team tasks
4. Members' authority and responsibilities
5. Possible alternate members
6. Creation of a contact list
2- Business Impact Analysis (BIA)
Process of analyzing the activities and the effect that a business disruption might have upon them (source: ISO 22301:2019).
BIA is all about data analysis to identify:
1) The organization's mandate and critical services or products
2) The priority of services or products for continuous delivery or rapid recovery
3) The possible internal and external threats, and
4) The impact of the threats.
1. Information on the organization's mandate and critical services or products can be obtained from:
• The mission statement of the organization
• Legal requirements for delivering specific services and products
• Contracts and other obligations
2. Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery.
3. Identify the impacts of disruptions to determine:
• How long the organization could function without the service/product provision, and
• How long clients would accept the unavailability of its services or products.
BIA-related activities
1) Supply chain analysis
2) Assessment of the most critical business components
3) IT continuity analysis
4) Identify areas of potential revenue loss
5) Identify any additional expenses
6) Identify intangible losses
7) Identify insurance requirements
8) Identify dependencies
9) Analyze current recovery capabilities
Conduct a supply chain impact analysis:
• The evaluation metrics may include the following:
1) Revenue impact
2) Reputation impact
3) Operational impact
4) Production impact
5) Delivery impact
6) Research and development impact
7) Delay impact
8) Staffing impact
• Find out whether the members of the supply chain have BC/DR plans, and whether you can review them or share plans with them.
• Identify and evaluate each link in terms of business impact to find the high-impact link(s).
2- Assessment of the most critical business components
To create a complete business continuity plan, you need to assess the impact of an interruption on four components:
1) People (key persons, key competencies)
2) Physical property (equipment, storage, alternate facilities, …)
3) Systems (hardware, software, email, phone systems, communication stations, …)
4) Data (critical to running your business)
Both data and systems are IT systems (covered by IT continuity).
3- Conduct IT Continuity Analysis
• Decide which of the organization's IT functions/assets are essential for business continuity.
• Decide how to manage the technology systems in the event of a major disruption.
• Check the existence and suitability of IS policies/procedures/IT continuity plans.
• Review computer data backups, cabling, IT service providers' capabilities, …
4- Identify Areas of Potential Revenue Loss
Determine which of the processes and functions that support service or product delivery are involved in the creation of revenue.
If these processes and functions are not performed, is revenue lost? How much, and for what length of time?
If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
5- Identify additional expenses
If a business function or process is inoperable:
1) How long would it take before additional expenses would start to add up?
2) How long could the function be unavailable before extra personnel would have to be hired?
3) Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?
6- Identify intangible losses
Estimates are required to determine the approximate cost of:
• Loss of consumer confidence
• Loss of investor confidence
• Damage to reputation
• Loss of competitiveness
• Reduced market share
• Violation of laws and regulations
• Business relationships with vendors
• Increased insurance cost
• Loss of employees
• Loss of financial support and cash flow
• Loss of community support
• Cost of equipment and facilities used during recovery
• Replacement, restoration and recovery costs not adjusted for inflation
• Increased cost when operations resume
7- Identify insurance requirements
• What needs insurance
• The existing insurance
• The level of coverage
• What aspects may be over- or under-insured
• Is there a policy/document in place related to the insurance?
8- Identify dependencies
Identify the internal and external dependencies of critical services or products, and identify the expected impacts of a disruption to those dependencies.
Internal dependencies include:
1. Employees (availability, competencies)
2. Corporate assets such as equipment, facilities, computer applications, data, tools and vehicles
3. Support services such as finance, human resources, security and IT support
External dependencies include:
1. Suppliers
2. Any external corporate assets such as equipment, facilities, computer applications, data, tools and vehicles
3. Any external support services such as:
• Facility management
• Utilities
• Communications
• Transportation
• Financial institutions
• Insurance providers
• Government services
• Legal services
• Health and safety services
9- Analyze Current Recovery Capabilities
Analyze the recovery capabilities the organization already has in place and their continued applicability.
Try to answer the following questions:
1) Can employees work from home or another location?
2) Do I need a pre-determined alternate facility?
3) Do I have enough spare parts/IT equipment?
4) Do critical vendors and suppliers have their own business continuity plans/documents?
3- Documents, Controls, Measures, and Arrangements for BC
This step consists of the preparation of the management system documentation, including:
1) Detailed response plans/recovery plans
2) Policies/objectives
3) Arrangements
Consider the critical vendors' and suppliers' business continuity plans.
Focus on three categories of protection/safety to help survive a disaster:
1. Human Resources
2. Physical Resources
3. Business Operations
1- Human Resources
• Consider the possible impact a disaster may have on your employees' ability to return to work.
• Prepare alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work).
• Consider how your customers can reach you or receive your goods/services.
• Create evacuation plans: develop and post evacuation routes and assembly locations, create a phone tree, and consider having an employee emergency number.
2- Physical Resources
• Building (maintenance, fire system, …)
• Interior and exterior components (equipment, hardware/software)
• Materials/spare parts
• Alternate facilities (three types):
1- Cold site (the least expensive option)
2- Warm site (more expensive than a cold site)
3- Hot site (the most expensive option)
3- Business Operations / Processes
1) Critical inputs: things needed to do your job
2) Critical outputs: things you produce that others want or need to do their job
3) Outsourced processes
Examples of resiliency plans/documents and arrangements:
1) An alternate telecommunication provider
2) Emergency backup generator in case of a power outage
3) Agreements with a fuel provider
4) Alternate work site and equipment
5) Annual meeting with critical vendors to discuss their recovery operations and locations
6) Developing relationships with contractors/vendors
7) Manual processes to be used in case computers are unavailable
8) Mitigating the different threats
The response preparation procedures answer:
1) "What to do before a disruption occurs?" (proactive activities)
2) "What to do when a disruption occurs?" (response, recovery, continuity)
3) "What to do after a disruption occurs?" (lessons learned / change management)
4- Readiness Activities
Awareness
Individual and team – Task Training
Procedures Exercises – Testing
Post-Exercise evaluation
Goals of Procedure Exercises and Testing
1. Test all components of the plan, including hardware, software, personnel, data and voice communications, etc.
2. Ensure the understanding and workability of documented recovery procedures.
3. Adapt and update existing plans to encompass new requirements.
4. Train team leaders and members in the procedures for executing the continuity plan.
5. Obtain information about recovery strategy implementation.
6. Verify that recovery strategies are viable.
7. Demonstrate that the output performance of the backup systems and networks is consistent with the production systems and networks.
5- Assessment
• How to assess the plan's accuracy and effectiveness
• How to conduct the internal or external audit (BC Readiness Audit)
• Identify needed improvements
How to Perform a BC Readiness Audit
1. Check for the existence of the following documents/information:
• Emergency Procedures
• Evacuation Plan
• Fire Protection Plan
• Environmental Policies
• Safety and Health Program
• Security Procedures
• Finance / Purchasing Procedures
• Facility Closing Policy
• Process Safety Assessment
• Risk Management Plan
• Records and Information Management
• Mutual Aid Agreements
• Hot / cold site Agreements
• Capital Improvement Program
• Hazard Materials / Waste Disposal
• Alternative or Manual Procedures
• Disaster Recovery Plans for Information Resources
Based on the review, ask the following questions:
• How would your organization resume operations after the loss of access to your facility, the loss of access to your information resources (IR), or the loss of key personnel?
• Have any audit findings been reported by internal or external auditors?
• Would most individuals know how to report or respond to an event?
• If policies relative to recovery efforts are in place, who knows about them?
• Do people know whether they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities?
Has testing been done to see how people would react during a recovery effort in the following areas:
• Senior Management
• Management Information Systems / Security Information Technology
• Risk Management
• Internal Departments
• Auditing
• Vendors
• Telecommunications
Check to see if:
• Computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
• Alternate work locations are available;
• Items required to be off-site are really there;
• Security measures are being followed;
• Emergency equipment (generally UPS, batteries, etc.) is working correctly;
• Emergency lighting is in good working order and in the correct places.
8.2.3 Risk Assessment
The organization shall establish, implement, and
maintain a formal documented risk assessment process
that systematically identifies, analyses, and evaluates
the risk of disruptive incidents to the organization.
NOTE This process could be made in accordance with ISO 31000.
The organization shall:
a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them;
b) systematically analyse risk;
c) evaluate which disruption-related risks require treatment; and
d) identify treatments commensurate (suitable) with business continuity objectives and in accordance with the organization's risk appetite.
Risk Criteria
Reference against which the significance of a risk is evaluated to determine the level of risk.
Risk criteria can be derived from:
1) Standards
2) Laws
3) Policies
4) Any other requirements (of interested parties)
Risk criteria are based on organizational objectives and context.
Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
The risk criteria include:
1) Risk evaluation criteria
2) Risk impact criteria
3) Risk acceptance criteria
Risk matrix (Likelihood × Consequences):

Likelihood \ Consequences   Slightly            Moderate            High
Low                         Unimportant risk    Acceptable risk     Uncontrolled risk
Medium                      Acceptable risk     Uncontrolled risk   Important risk
High                        Uncontrolled risk   Important risk      Unacceptable risk
Risk Matrix Control Plan
Risk level: action and timescale
• Unimportant risk: No action is required and no documented records need to be kept.
• Acceptable risk: No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
• Uncontrolled risk: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
• Important risk: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
• Unacceptable risk: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.
Numeric risk matrix (score = Probability × Consequence):

Probability \ Consequence    1    2    3    4    5
5                            5   10   15   20   25
4                            4    8   12   16   20
3                            3    6    9   12   15
2                            2    4    6    8   10
1                            1    2    3    4    5

Legend:
≥20: E, Extreme risk - immediate action required
>10 & <20: H, High risk - urgent management attention needed
>5 & ≤10: M, Medium risk - management attention as soon as possible
<5: L, Low risk - periodical evaluation
Impact / Consequences by rank (columns: Financial loss; Strategic directions and objectives; Customer; Legal; OHS; Env.; InfSec.)

Rank 5 (Very High):
• Financial loss: >1M
• Strategic directions and objectives: negative impact on strategic directions execution
• Customer: contract termination
• Legal: closure
• OHS: fatality / catastrophe / fatal occupational illness
• Env.: permanent damage
• InfSec.: permanent loss of the service

Rank 4 (High):
• Financial loss: 250K to 1M
• Strategic directions and objectives: negative impact on the execution of 2 objectives
• Customer: major product/service recall
• Legal: non-renewal of one of the legal documents
• OHS: partial / complete incapacity
• Env.: long-time damage
• InfSec.: long-time non-availability of the service

Rank 3 (Moderate):
• Financial loss: 50K to 250K
• Strategic directions and objectives: negative impact on the execution of 1 objective
• Customer: minor product/service recall
• Legal: formal violations
• OHS: lost working days / work-related illness
• Env.: limited damage / kills fauna, flora, concerns global issues
• InfSec.: temporary non-availability of the service

Rank 2:
• Strategic directions and objectives: slight negative
• Customer: complaint
• Legal: notice
• OHS: medical treatment case / restricted
• Env.: aspect causes slight impact on fauna or
• InfSec.: slight impact on the service
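As an added example, not part of the slides, the following Python encodes the qualitative likelihood × consequence matrix with its control-plan actions, the numeric probability × consequence matrix with its legend, and the financial-loss column of the consequence rank table, so that scenarios from a BIA worksheet are scored the same way every time. It assumes loss amounts in the slide's unit (250K = 250000), gives a boundary value shared by two ranges the higher rank, returns no rank below 50K because the slide's rows for ranks 2 and 1 are cut off, and applies the legend exactly as printed, which leaves a score of exactly 5 unclassified; the three scenarios in the main block are constructed.

```python
"""Risk-scoring helpers for the slide deck's matrices (added example, not
from the slides). Assumptions are marked in the comments."""

from typing import Optional, Tuple

# Qualitative matrix (Likelihood x Consequence) as drawn on the slide.
QUALITATIVE_MATRIX = {
    ("Low", "Slightly"): "Unimportant",
    ("Low", "Moderate"): "Acceptable",
    ("Low", "High"): "Uncontrolled",
    ("Medium", "Slightly"): "Acceptable",
    ("Medium", "Moderate"): "Uncontrolled",
    ("Medium", "High"): "Important",
    ("High", "Slightly"): "Uncontrolled",
    ("High", "Moderate"): "Important",
    ("High", "High"): "Unacceptable",
}

# Control plan: required action per risk level (condensed from the slide's table).
CONTROL_PLAN = {
    "Unimportant": "No action required; no documented records needed.",
    "Acceptable": "No additional controls; monitor that existing controls are maintained.",
    "Uncontrolled": "Reduce the risk within a defined time period; limit prevention costs.",
    "Important": "Do not start work until the risk is reduced; urgent action if work is in progress.",
    "Unacceptable": "Do not start or continue work until the risk is reduced.",
}


def qualitative_risk(likelihood: str, consequence: str) -> Tuple[str, str]:
    """Look up the risk level for a (likelihood, consequence) pair and its required action."""
    key = (likelihood, consequence)
    if key not in QUALITATIVE_MATRIX:
        raise ValueError(f"likelihood must be Low/Medium/High and consequence "
                         f"Slightly/Moderate/High, got {key}")
    level = QUALITATIVE_MATRIX[key]
    return level, CONTROL_PLAN[level]


def risk_score(probability: int, consequence: int) -> int:
    """Numeric matrix: score = probability x consequence, both ranked 1..5."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence are ranked 1..5")
    return probability * consequence


def legend_class(score: int) -> str:
    """Classify a score with the legend exactly as printed on the slide.
    As written it covers <5 (L) and >5 (M) but not a score of exactly 5
    (1 x 5 or 5 x 1), so that case is reported explicitly rather than being
    silently rounded into L or M."""
    if score >= 20:
        return "E"  # Extreme risk: immediate action required
    if 10 < score < 20:
        return "H"  # High risk: urgent management attention needed
    if 5 < score <= 10:
        return "M"  # Medium risk: management attention as soon as possible
    if score < 5:
        return "L"  # Low risk: periodical evaluation
    return "UNCLASSIFIED"  # score == 5: gap in the legend as printed


def financial_consequence_rank(loss: float) -> Optional[int]:
    """Map a financial loss to the slide's consequence rank (5, 4 or 3).
    Assumptions: amounts use the slide's unit (250K == 250_000); a boundary
    value shared by two ranges gets the higher rank, so 250K is rank 4, while
    1M is rank 4 because rank 5 is strictly '>1M'. The slide's rows for ranks
    2 and 1 are cut off, so anything below 50K returns None."""
    if loss > 1_000_000:
        return 5
    if loss >= 250_000:
        return 4
    if loss >= 50_000:
        return 3
    return None


def assess(probability: int, loss: float) -> dict:
    """Combine a probability rank with a financial loss into a scored, classified risk."""
    rank = financial_consequence_rank(loss)
    if rank is None:
        return {"rank": None, "score": None, "class": "UNRATED"}
    score = risk_score(probability, rank)
    return {"rank": rank, "score": score, "class": legend_class(score)}


if __name__ == "__main__":
    # Constructed sample: three disruption scenarios from a BIA worksheet.
    scenarios = [
        ("Order-processing outage, 3 days", 3, 600_000),
        ("Backup generator fails during power outage", 2, 2_500_000),
        ("Single-supplier delivery delay", 4, 30_000),
    ]
    for name, prob, loss in scenarios:
        print(name, assess(prob, loss))
    print(qualitative_risk("Medium", "High"))
```

Running the file prints the classification of the three constructed scenarios; the explicit `UNCLASSIFIED` and `UNRATED` results surface the two gaps (the score-5 hole in the legend and the missing low-loss ranks) that a worksheet would otherwise paper over.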
Impact scale (columns: Reputation (Corporate); Financial (Corporate); Financial (Site); Legal; Customer)

Very High:
• Reputation: regional media coverage over multiple days, or global media coverage
• Financial (Corporate): more than $100M
• Financial (Site): more than $10M
• Legal: closure notice
• Customer: ending the contract

High:
• Reputation: national media coverage over multiple days, or single regional media coverage
• Financial (Corporate): $10M - $100M
• Financial (Site): $1M - $10M
• Legal: no renewal of operating permit
• Customer: major product recall

Moderate:
• Reputation: local media coverage over multiple days, or single national media coverage
• Financial (Corporate): $1M - $10M
• Financial (Site): $100K - $1M
• Legal: violation notice payment
• Customer: partial product recall

Low:
• Reputation: single local media coverage
• Financial (Corporate): $100K - $1M
• Financial (Site): $10K - $100K
• Legal: violation notice explanation
• Customer: product price concession

Verbal