Dr. Eng. Ezzedine El Hamzaoui
Phases of Business Continuity Planning
Business Impact Analysis (BIA)
Phases of Business Continuity Planning
BC planning typically includes five phases:
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Documents, Controls, Measures, and Arrangements for BC
4. Readiness activities
5. Assessment process
1- BCP Governance
• To establish control
• The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan(s) / documents
• Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
• The number and scope of the teams will vary depending on the organization's size, function and structure
• It may be necessary to form multitask teams and provide cross-team training.
• The teams' data shall be documented in the plans / documents
• Consider decentralization as a way to provide better resiliency
Examples:
• An alternate site coordination team
• Contracting and procurement team
• Damage assessment team
• Crisis management team
• Finance and accounting team
• Hazardous materials team
• Insurance team
• Legal issues team
• Telecommunications / alternate communications team
• Equipment team
• Public and media relations team
• Transport coordination team
• Records management team
• The duties and responsibilities for each team must be defined, including:
1. The team leader
2. The team members
3. The specific team tasks
4. Members' authority and responsibilities
5. Possible alternate members
6. Creation of a contact list
2- Business Impact Analysis (BIA)
• The process of analyzing activities and the effect that a business disruption might have upon them (Source: ISO 22301:2019)
• BIA is all about data analysis to identify:
1) The organization's mandate and critical services or products
2) The priority of services or products for continuous delivery or rapid recovery
3) The possible internal and external threats, and
4) The impact of the threats.
1. Information on the organization's mandate and critical services or products can be obtained from:
• The mission statement of the organization
• Legal requirements for delivering specific services and products
• Contracts and other obligations
2. Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery
3. Identify impacts of disruptions to determine:
• How long the organization could function without the service / product provision, and
• How long clients would accept the unavailability of its services or products.
BIA Related activities
1) Supply chain analysis
2) Assessment of the most critical business components
3) IT continuity analysis
4) Identify areas of potential revenue loss
5) Identify any additional expenses
6) Identify intangible losses
7) Identify insurance requirements
8) Identify dependencies
9) Analyze current recovery capabilities
1- Supply Chain Analysis
Conduct supply chain impact analysis to
• The evaluation metrics may include the following:
1) Revenue impact
2) Reputation impact
3) Operational impact
4) Production impact
5) Delivery impact
6) Research and development impact
7) Delay impact
8) Staffing impact
• Find out if these members in the supply chain have BC/DR plans and if you can review them / share with them.
• Identify and evaluate each link in terms of business impact to find the high-impact link(s)
2- Assessment of the most critical business components
To create a complete business continuity plan, you need to assess the impact of interruption on four components:
1) People (Key persons – Key competencies)
2) Physical Property (Equipment – Storage – Alternate facilities – …)
3) Systems (Hardware, Software, Email, Phone Systems, Communication Stations, …)
4) Data (critical to run your business)
• Both data and systems are IT Systems (IT continuity)
3- Conduct IT Continuity Analysis
• Decide which of the organization's IT functions / assets are essential for business continuity.
• Decide how to manage the technology systems in the event of a major disruption.
• The existence and suitability of IS Policies / Procedures / IT Continuity Plans
• Review computer data backups – cabling – IT service providers' capabilities – …
4- Identify Areas of Potential Revenue Loss
• Determine which processes and functions that support service or product delivery are involved with the creation of revenue.
• If these processes and functions are not performed, is revenue lost? How much, and for what length of time?
• If clients cannot access certain services or products, would they then need to go to another provider, resulting in further loss of revenue?
5- Identify additional expenses
If a business function or process is inoperable:
1) How long would it take before additional expenses would start to add up?
2) How long could the function be unavailable before extra personnel would have to be hired?
3) Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so,
4) What are the penalties?
6- Identify intangible losses
Estimates are required to determine the approximate cost of:
• The loss of consumer
• Investor confidence
• Damage to reputation
• Loss of competitiveness
• Reduced market share
• Violation of laws and regulations
• Business relationships with vendors
• Increased insurance cost
• Loss of employees
• Loss of financial support and cash flow
• Loss of community support
• Cost of equipment and facilities used during recovery
• Replacement, restoration, recovery costs not adjusted for inflation
• Increased cost when operations resume
7- Identify insurance requirements
• What needs insurance
• The existing insurance
• The level of coverage
• What aspects may have over- or under-insurance
• Is there a policy / document in place related to the insurance?
8- Identify dependencies
Identify the internal and external dependencies of critical services or products.
Identify the expected impacts from a disruption to those dependencies.
Internal dependencies include:
1. Employees (availability – competencies)
2. Corporate assets such as Equipment, Facilities, Computer Applications, Data, Tools, Vehicles.
3. Support services such as Finance, Human Resources, Security, and IT Support.
External dependencies include:
1. Suppliers
2. Any external corporate assets such as Equipment, Facilities, Computer Applications, Data, Tools, and Vehicles.
3. Any external support services such as:
• Facility management
• Utilities
• Communications
• Transportation
• Finance institutions
• Insurance providers
• Government services
• Legal services
• Health and safety service
9- Analyze Current Recovery Capabilities
Analyze the recovery capabilities the organization already has in place, and their continued applicability.
Try to answer the following questions:
1) Can employees work from home or another location?
2) Do I need a pre-determined alternate facility?
3) Do I have enough spare parts / IT equipment?
4) Do critical vendors and suppliers have their own business continuity plans / documents?
3. Documents, Controls, Measures, and Arrangements for BC
• This step consists of the preparation of the management system documentation, including:
1) Detailed Response Plans / Recovery Plans
2) Policies / objectives
3) Arrangements
• Consider the critical vendors' and suppliers' business continuity plans.
• Focus on three categories of protection / safety to help survive a disaster:
1. Human Resources
2. Physical Resources
3. Business Operations
1- Human Resources
• Consider the possible impact a disaster may have on your employees' ability to return to work
• Alternate staffing plans (to ensure your business stays functional when a large percentage of your staff is unable to come to work)
• Consider how your customers can reach you or receive your goods / services
• Create evacuation plans
• Develop and post evacuation routes / assembly locations / Create a phone tree / Consider having an employee emergency number
2- Physical Resources
• Building (Maintenance – Fire System – …)
• Interior, exterior components (Equipment – Hardware / Software)
• Materials / Spare Parts
• Alternate Facilities (three types)
1- Cold site (the least expensive option)
2- Warm site (more expensive than cold sites)
3- Hot site (the most expensive option)
3- Business Operations / Processes
1) Critical Inputs – things needed to do your job
2) Critical Outputs – things you produce that others want or need to do their job
3) Outsourced processes
Examples of resiliency plans / documents and arrangements:
1) An alternate telecommunication provider
2) Emergency backup generator in case of a power outage
3) Agreements with a fuel provider
4) Alternate work site and equipment
5) Annual meeting with critical vendors to discuss their recovery operations and locations
6) Develop the relationships with contractors / vendors
7) Create manual processes to be used in case the computers are unavailable
8) Mitigating the different threats
The Response preparation procedures to answer
1) “What to do before a disruption occurs?” (Proactive Activities)
2) “What to do when a disruption occurs?” (Response – Recovery –
Continuity)
3) “What to do after a disruption occurs?” (Learned Lessons /
Change Management)
4- Readiness Activities
Awareness
Individual and team – Task Training
Procedures Exercises – Testing
Post-Exercise evaluation
Goals of Procedures Exercises – Testing
1. Test all components of the plan, including hardware, software, personnel,
data and voice communications, etc.
2. Ensure the understanding and workability of documented recovery
procedures.
3. Adapt and update existing plans to encompass new requirements.
4. Train team leaders and members in the procedures of executing the
continuity plan.
5. Obtain information about recovery strategy implementation.
6. Verify that recovery strategies are viable.
7. Demonstrate that the output performance of the backup systems and networks is consistent with production systems and networks.
5- Assessment
• How to assess the plan's accuracy and effectiveness
• How to conduct the internal or external audit (BC Readiness Audit)
• Identify needed improvements
How to Perform BC Readiness Audit
1. Check for the existence of the following documents / information:
• Emergency Procedures
• Evacuation Plan
• Fire Protection Plan
• Environmental Policies
• Safety and Health Program
• Security Procedures
• Finance / Purchasing Procedures
• Facility Closing Policy
• Process Safety Assessment
• Risk Management Plan
• Records and Information Management
• Mutual Aid Agreements
• Hot / cold site Agreements
• Capital Improvement Program
• Hazardous Materials / Waste Disposal
• Alternative or Manual Procedures
• Disaster Recovery Plans for Information Resources
Based on the review, ask the following questions:
How would your organization resume operations after
• loss of access to your facility,
• loss of access to your information resources (IR), or
• loss of key personnel?
Have any audit findings been reported from internal or external auditors?
Would most individuals know how to report or respond to an event?
If policies relative to recovery efforts are in place, who knows about them?
Do people know if they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities?
Has testing been done to see how people would react during a
recovery effort in the following areas:
• Senior Management
• Management Information Systems / Security Information Technology
• Risk Management
• Internal Departments
• Auditing
• Vendors
• Telecommunications
12. Check to see if:
• Computer backups (PC, LAN, mainframe) are being taken off-site according to policy;
• Alternate work locations are available;
• Items required to be off-site are really there;
• Security measures are being followed;
• Emergency equipment (generally UPS, batteries, etc.) is working correctly;
• Emergency lighting is in good working order and in the correct places.
8.2.3 Risk Assessment
The organization shall establish, implement, and
maintain a formal documented risk assessment process
that systematically identifies, analyses, and evaluates
the risk of disruptive incidents to the organization.
NOTE This process could be made in accordance with ISO 31000.
The Organization Shall
a) Identify risks of disruption to the organization’s
prioritized activities and the processes, systems,
information, people, assets, outsource partners and
other resources that support them,
b) Systematically analyse risk,
c) Evaluate which disruption related risks require
treatment, and;
d) Identify treatments commensurate (appropriate) with business continuity objectives and in accordance with the organization's risk appetite.
Risk Criteria
• Reference against which the significance of a risk is evaluated to determine the level of risk
• Risk criteria can be derived from:
1) Standards
2) Laws
3) Policies
4) Any other requirements (interested parties)
• Risk criteria are based on organizational objectives and context
• Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
• The risk criteria include:
1) Risk Evaluation Criteria
2) Risk Impact Criteria
3) Risk Acceptance Criteria
Likelihood \ Consequences | Slightly | Moderate | High
Low | Unimportant Risk | Acceptable Risk | Uncontrolled Risk
Medium | Acceptable Risk | Uncontrolled Risk | Important Risk
High | Uncontrolled Risk | Important Risk | Unacceptable Risk
Risk Matrix Control Plan
Risk Level | Action and Timescale
Unimportant | No action is required and no documented records need to be kept.
Acceptable risk | No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
Uncontrolled risk | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
Important risk | Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
Unacceptable risk | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited.
Probability \ Consequence | 1 | 2 | 3 | 4 | 5
5 | 5 | 10 | 15 | 20 | 25
4 | 4 | 8 | 12 | 16 | 20
3 | 3 | 6 | 9 | 12 | 15
2 | 2 | 4 | 6 | 8 | 10
1 | 1 | 2 | 3 | 4 | 5
Legend
≥20 E: Extreme risk - immediate action required
>10 & <20 H: High risk - urgent management attention needed
>5 & ≤10 M: Medium risk - management attention as soon as possible
<5 L: Low risk – periodical evaluation
Impact / Consequences
Rank | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
5 Very High | >1M | Negative impact on strategic directions execution | Contract termination | Closure | Fatality / Catastrophe / Fatal Occupational Illness | Permanent damage | Permanent loss of the service
4 High | 250K to 1M | Negative impact on execution 2 objectives | Major product / service recall | Non-renewal of one of legal documents | Partial / Complete Incapacity | Long time damage | Long time non-availability of the service
3 Moderate | 50K to 250K | Negative impact on execution 1 objective | Minor product / service recall | Formal violations | Lost Working Days / Work Related Illness | Limited damage / Kills fauna, flora, Concerns global issues, | Temporary non-availability of the service
2 | | Slight negative | Complaint | Notice / | Medical Treatment Case / Restricted | Aspect causes slight impact on fauna or | Slight impact on the service
Impact | Reputation | Financial (Corporate) | Financial (Site) | Legal | Customer
Very High | Regional media coverage over multiple days or global media coverage | More than $100M | More than $10M | closure notice | Ending the contract
High | National media coverage over multiple days or single regional media coverage | $10 - $100M | $1 - $10M | no renewal of operating permit | Major product recall
Moderate | Local media coverage over multiple days or single national media coverage | $1 - $10M | $100K - $1M | violation notice payment | partial product recall
Low | Single local media coverage | $100K - $1M | $10K - $100K | violation notice explanation | product price concession
Verbal
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...lizamodels9
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckHajeJanKamps
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadAyesha Khan
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 

Recently uploaded (20)

Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 

Business Impact Analysis module 3.ppt

  • 1. Dr. Eng. Ezzedine El Hamzaoui Phases of Business Continuity Planning Business Impact Analysis BIA 1
  • 2. Dr. Eng. Ezzedine El Hamzaoui Phases of Business Continuity Planning BC Planning typically includes five Phases : 1. BCP Governance 2. Business Impact Analysis (BIA) 3. Documents , Controls , Measures, and Arrangements for BC 4. Readiness activities 5. Assessment process 2
  • 3. Dr. Eng. Ezzedine El Hamzaoui 1- BCP Governance  To establish control  The governance structure is often in the form of a steering committee and a list of appropriate committees, working groups and teams to develop and execute the plan (s) / documents  Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.  The number and scope of the teams will vary depending on organization's size, function and structure 3
  • 4. Dr. Eng. Ezzedine El Hamzaoui  It may be necessary to have teams multitask and to provide cross-team training.  The teams' data shall be documented in the plans / documents.  Consider decentralization as a way to provide better resiliency 4
  • 5. Dr. Eng. Ezzedine El Hamzaoui Examples :  An alternate site coordination team  Contracting and procurement team  Damage assessment team  Crisis Management team  Finance and accounting team  Hazardous materials team  Insurance team  Legal issues team  Telecommunications / alternate communications team  Equipment team  Public and media relations team  Transport coordination team  Records management team 5
  • 6. Dr. Eng. Ezzedine El Hamzaoui  The duties and responsibilities for each team must be defined, and include identifying: 1. The team leader 2. The team members 3. Identifying the specific team tasks 4. Member's authority, and responsibilities 5. Identifying possible alternate members. 6. Creation of contact list 6
  • 7. Dr. Eng. Ezzedine El Hamzaoui Business Continuity Planning 1. BCP Governance 2. Business Impact Analysis (BIA) 3. Documents , Controls , Measures, and Arrangements for BC 4. Readiness activities 5. Assessment 7
  • 8. Dr. Eng. Ezzedine El Hamzaoui 2- Business Impact Analysis (BIA)  Process of analyzing the activities & the effect that the business disruption might have upon them (Source: ISO 22301:2019)  BIA is all about data analysis to identify 1) The organization's mandate and critical services or products 2) The priority of services or products for continuous delivery or rapid recovery 3) The possible internal and external threats and 4) The impact of the threats. 8
  • 9. Dr. Eng. Ezzedine El Hamzaoui
  • 10. Dr. Eng. Ezzedine El Hamzaoui Information on the organization's mandate and critical services or products can be obtained from: the mission statement of the organization; legal requirements for delivering specific services and products; contracts and other obligations. Critical services or products must be prioritized based on minimum acceptable delivery levels and the maximum period of time without delivery. Identify impacts of disruptions to determine: how long the organization could function without the service / product provision, and how long clients would accept the unavailability of its services or products. 10
  • 11. Dr. Eng. Ezzedine El Hamzaoui 11
  • 12. Dr. Eng. Ezzedine El Hamzaoui BIA Related activities 1) Supply chain analysis 2) Assessment of the most critical business components 3) IT continuity analysis 4) Identify areas of potential revenue loss 5) Identify any additional expenses 6) Identify intangible losses 7) Identify insurance requirements 8) Identify dependencies 9) Analyze current recovery capabilities 12
  • 13. Dr. Eng. Ezzedine El Hamzaoui 1- Supply Chain Analysis 13
  • 14. Dr. Eng. Ezzedine El Hamzaoui Conduct supply chain impact analysis to •The evaluation metrics may include the following : 1)Revenue impact 2)Reputation impact 3)Operational impact 4)Production impact 5)Delivery impact 6)Research and development impact 7)Delay impact 8)Staffing impact •Find out if these members in the supply chain have BC/DR plans and if you can review them / share with them. •Identify & Evaluate each link in terms of business impact to find the high-impact link(s) 14
  • 15. Dr. Eng. Ezzedine El Hamzaoui 2- Assessment of the most critical business components To create a complete business continuity plan, you need to assess the impact of interruption on four components: 1)People (Key persons - Key Competencies ) 2)Physical Property (Equipment – Storage- Alternate facilities -………) 3)Systems (Hardware, Software, Email, Phone Systems ,Communication Stations,……..) 4)Data (critical to run your business)  Both data and systems are IT Systems (IT continuity) 15
  • 16. Dr. Eng. Ezzedine El Hamzaoui 3- Conduct IT Continuity Analysis • Is to decide about which of the organization's IT Functions / Assets are essential for business continuity. • Is to decide about how to manage the technology systems in the event of a major disruption. • The existence and suitability of IS Policies / Procedures / IT Continuity Plans • Review computer Data Backups – Cabling – IT Service Providers Capabilities - …………. 16
  • 17. Dr. Eng. Ezzedine El Hamzaoui 4- Identify Areas of Potential Revenue Loss  Determine which processes and functions that support service or product delivery are involved with the creation of revenue.  If these processes and functions are not performed, is revenue lost? How much? and for what length of time?  If clients cannot access certain services or products would they then need to go to another provider, resulting in further loss of revenue? 17
  • 18. Dr. Eng. Ezzedine El Hamzaoui 5- Identify additional expenses If a business function or process is inoperable 1)How long would it take before additional expenses would start to add up? 2)How long could the function be unavailable before extra personnel would have to be hired? 3)Would penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, 4) What are the penalties? 18
  • 19. Dr. Eng. Ezzedine El Hamzaoui 6- Identify intangible losses Estimates are required to determine the approximate cost of  The loss of consumer  Investor confidence  Damage to reputation  Loss of competitiveness  Reduced market share  Violation of laws and regulations  Business relationships with vendors 19
  • 20. Dr. Eng. Ezzedine El Hamzaoui  Increased insurance cost  Loss of employees  Loss of financial support and cash flow  Loss of community support  Cost of equipment and facilities used during recovery  Replacement, restoration, recovery costs not adjusted for inflation  Increased cost when operations resume 20
  • 21. Dr. Eng. Ezzedine El Hamzaoui 7- Identify insurance requirements  What needs insurance  The existing insurance  The level of coverage.  What aspects may have over or under insurance.  Is there a policy / document in place related to the insurance 21
  • 22. Dr. Eng. Ezzedine El Hamzaoui 8- Identify dependencies Identify the internal and external dependencies of critical services or products, Identify the expected impacts from a disruption to those dependencies. Internal dependencies include 1.Employee ( availability – competencies) 2.Corporate assets such as Equipment, Facilities, Computer Applications, Data, Tools, Vehicles. 3.Support services such as Finance, Human Resources, Security ,and IT Support. 22
  • 23. Dr. Eng. Ezzedine El Hamzaoui  External dependencies include: 1. Suppliers 2. Any external corporate assets such as Equipment, Facilities, Computer Applications, Data, Tools, and Vehicles. 3. Any external support services such as  Facility management  Utilities  Communications  Transportation  Finance institutions  Insurance providers  Government services  Legal services  Health and safety service. 23
  • 24. Dr. Eng. Ezzedine El Hamzaoui 9- Analyze Current Recovery Capabilities Analyze current recovery capabilities the organization already has in place, and their continued applicability Try to answer the following questions 1) Can employees work from home or another location? 2) Do I need a pre-determined alternate facility? 3) Do I have enough spare parts / IT equipment ? 4) Do critical vendors and suppliers have their business continuity plans/document? 24
  • 25. Dr. Eng. Ezzedine El Hamzaoui Business Continuity Planning 1. BCP Governance 2. Business Impact Analysis (BIA) 3. Documents , Controls , Measures, and Arrangements for BC 4. Readiness activities 5. Assessment 25
  • 26. Dr. Eng. Ezzedine El Hamzaoui 3. Documents , Controls , Measures, and Arrangements for BC  This step consists of the preparation of the management system documentation including: 1) Detailed Response Plans / Recovery Plans 2) Policies / objectives 3) Arrangements  Consider the critical vendors and suppliers business continuity plans.  Focus on three categories of protection / Safety to help survive a disaster: 1. Human Resources 2. Physical Resources 3. Business Operations. 26
  • 27. Dr. Eng. Ezzedine El Hamzaoui 1- Human Resources  Consider the possible impact a disaster may have on your employees’ ability to return to work  Alternate staffing plans (to ensure your business stays functional when a large percent of your staff is unable to come to work)  Consider how your customers can reach you or receive your goods / services  Create evacuation plans  Develop and post evacuation routes / assembly locations / Create a phone-tree / Consider having an employee emergency number 27
  • 28. Dr. Eng. Ezzedine El Hamzaoui 2- Physical Resources  Building (Maintenance - Fire System -……………)  Interior, exterior components (Equipment – Hardware / Software)  Materials / Spare Parts  Alternate Facilities (three types) 1- Cold site (the least expensive option) 2- Warm site (more expensive than cold sites) 3- Hot site (the most expensive option) 28
  • 29. Dr. Eng. Ezzedine El Hamzaoui 3- Business Operations / Processes 1)Critical Inputs – things needed to do your job 2)Critical Outputs – things you produce that others want or need to do their job 3)Outsourced processes 29
  • 30. Dr. Eng. Ezzedine El Hamzaoui Examples for resiliency plans / documents and arrangements : 1) An alternate telecommunication provider 2) Emergency backup generator in case of a power outage 3) Agreements with fuel provider 4) Alternate work site and equipment. 5) Annual meeting with critical vendors to discuss their recovery operations and locations 6) Develop the relationships with Contractors / Vendors 7) Create manual processes to be used in case the computers are unavailable 8) Mitigating the different threats 30
  • 31. Dr. Eng. Ezzedine El Hamzaoui The Response preparation procedures to answer 1) “What to do before a disruption occurs?” (Proactive Activities) 2) “What to do when a disruption occurs?” (Response – Recovery – Continuity) 3) “What to do after a disruption occurs?” (Learned Lessons / Change Management) 31
  • 32. Dr. Eng. Ezzedine El Hamzaoui 32
  • 33. Dr. Eng. Ezzedine El Hamzaoui Business Continuity Planning 1. BCP Governance 2. Business Impact Analysis (BIA) 3. Documents , Controls , Measures, and Arrangements for BC 4. Readiness activities 5. Assessment 33
  • 34. Dr. Eng. Ezzedine El Hamzaoui 4- Readiness Activities Awareness Individual and team – Task Training Procedures Exercises – Testing Post-Exercise evaluation 34
  • 35. Dr. Eng. Ezzedine El Hamzaoui Goals of Procedures Exercises – Testing 1. Test all components of the plan, including hardware, software, personnel, data and voice communications, etc. 2. Ensure the understanding and workability of documented recovery procedures. 3. Adapt and update existing plans to encompass new requirements. 4. Train team leaders and members in the procedures of executing the continuity plan. 5. Obtain information about recovery strategy implementation. 6. Verify that recovery strategies are viable. 7. Demonstrate that output performance of the backup systems and networks are consistent with production systems and networks. 35
  • 36. Dr. Eng. Ezzedine El Hamzaoui Business Continuity Planning 1. BCP Governance 2. Business Impact Analysis (BIA) 3. Documents , Controls , Measures, and Arrangements for BC 4. Readiness activities 5. Assessment 36
  • 37. Dr. Eng. Ezzedine El Hamzaoui 5- Assessment • How to assess the plan's accuracy, and effectiveness • How to conduct the Internal or external audit (BC Readiness Audit) • Identify needed improvement 37
  • 38. Dr. Eng. Ezzedine El Hamzaoui How to Perform BC Readiness Audit 1. Check for the existence of the following documents / information : • Emergency Procedures • Evacuation Plan • Fire Protection Plan • Environmental Policies • Safety and Health Program • Security Procedures • Finance / Purchasing Procedures • Facility Closing Policy • Process Safety Assessment • Risk Management Plan • Records and information Management 38
  • 39. Dr. Eng. Ezzedine El Hamzaoui • Mutual Aid Agreements • Hot / cold site Agreements • Capital Improvement Program • Hazard Materials / Waste Disposal • Alternative or Manual Procedures • Disaster Recovery Plans for Information Resources 39
  • 40. Dr. Eng. Ezzedine El Hamzaoui Based on the review, ask the following questions How would your organization resume operations after  loss of access to your facility  loss of access to your information resources (IR), or  loss of key personnel? Have any audit findings been reported from internal or external auditors? Would most individuals know how to report or respond to an event? If policies relative to recovery efforts are in place, who knows about them? Do people know if they have recovery responsibilities? Are program managers aware of their owner and user security responsibilities? 40
  • 41. Dr. Eng. Ezzedine El Hamzaoui Has testing been done to see how people would react during a recovery effort in the following areas: • Senior Management • Management Information Systems/ Security Information Technology • Risk Management • Internal Departments • Auditing • Vendors • Telecommunications 41
  • 42. Dr. Eng. Ezzedine El Hamzaoui 12. Check to see if  Computer backups (PC, LAN, mainframe) are being taken off-site according to policy  Alternate work locations are available;  Items required to be off-site are really there;  Security measures are being followed;  Emergency equipment (generally UPS, batteries, etc.) is working correctly;  Emergency lighting is in good working order and in the correct places. 42
  • 43. Dr. Eng. Ezzedine El Hamzaoui 8.2.3 Risk Assessment The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization. NOTE This process could be made in accordance with ISO 31000. 43
  • 44. Dr. Eng. Ezzedine El Hamzaoui The Organization Shall a) Identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them, b) Systematically analyse risk, c) Evaluate which disruption related risks require treatment, and; d) Identify treatments commensurate (appropriate) with business continuity objectives and in accordance with the organization’s risk appetite. 44
  • 45. Dr. Eng. Ezzedine El Hamzaoui 45
  • 46. Dr. Eng. Ezzedine El Hamzaoui Risk Criteria  Reference against which the significance of a risk is evaluated to determine the level of risk  Risk criteria can be derived from 1) Standards 2) Laws 3) Policies 4) Any other requirements (interested parties).  Risk criteria are based on organizational objectives, and context  Level of risk is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood 46
  • 47. Dr. Eng. Ezzedine El Hamzaoui  The risk criteria includes : 1) Risk Evaluation Criteria 2) Risk Impact Criteria 3) Risk Acceptance Criteria. 47
  • 48. Dr. Eng. Ezzedine El Hamzaoui Risk matrix: Likelihood (Low, Medium, High) against Consequences (Slightly, Moderate, High), with cells rated Unimportant, Acceptable Risk, Uncontrolled Risk, Important Risk or Unacceptable Risk. 48
  • 49. Dr. Eng. Ezzedine El Hamzaoui Risk Matrix Control Plan (Risk Level: Action and Timescale)
      Unimportant: No action is required and no documented records needed to be kept.
      Acceptable risk: No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
      Uncontrolled risk: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
      Important risk: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
      Unacceptable risk: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited. 49
  • 50. Dr. Eng. Ezzedine El Hamzaoui Risk matrix (rows: Probability; columns: Consequence)
      5 | 5 10 15 20 25
      4 | 4 8 12 16 20
      3 | 3 6 9 12 15
      2 | 2 4 6 8 10
      1 | 1 2 3 4 5
        | 1 2 3 4 5
      Legend: ≥20 E: Extreme risk - immediate action required; >10 & <20 H: High risk - urgent management attention needed; >5 & ≤10 M: Medium risk - management attention as soon as possible; < 5 L: Low Risk – periodical evaluation 50
  • 51. Dr. Eng. Ezzedine El Hamzaoui Impact / Consequences
      Rank | Financial loss | Strategic directions and objectives | Customer | Legal | OHS | Env. | InfSec.
      5 Very High | >1M | Negative Impact on strategic directions execution | Contract termination | Closure | Fatality / Catastrophe / Fatal Occupational Illness | Permanent damage | Permanent loss of the service
      4 High | 250K to 1M | Negative Impact on execution 2 objectives | Major product / Service recall | Non-renewal of one of legal documents | Partial / Complete Incapacity | Long time damage | Long time non-availability of the service
      3 Moderate | 50K to 250K | Negative Impact on execution 1 objective | Minor Product / Service recall | Formal Violations | Lost Working Days / Work Related Illness | Limited damage / Kills fauna, flora, Concerns global issues, | Temporary non-availability of the service
      2 Slight negative | Complaint | Notice / | Medical Treatment Case / Restricted | Aspect causes slight impact on fauna or | Slight impact on the service 51
  • 52. Dr. Eng. Ezzedine El Hamzaoui
      Impact | Reputation | (Corporate) Financial (Site) | Legal | Customer
      Very High | Regional media coverage over multiple days Or Global media coverage | More than $100 M; More than $10 M | closure notice | Ending the contract
      High | National media coverage over multiple days Or Single regional media coverage | $10 - $100M; $1 - $10M | no renewal of operating permit | Major product recall
      Moderate | Local media coverage over multiple days Or Single national media coverage | $1 - $10M; $100K - $1M | violation notice payment | partial product recall
      Low | Single local media coverage | $100K - $1M; $10K - $100K | violation notice explanation | product price concession
      Verbal 52