<Organization>
Business impact analysis report
<Version>
<Date of approval and publishing>
The business impact analysis (BIA) process is part of the BCM life cycle where critical aspects (processes and resources) are determined according to their particular impacts. The BIA process follows the guidelines of the BCM policy and the ISO 22301 Standard.
The scope of the BIA process at <organization> is based on the organizational structure and covers all <scope of the BIA process>.
The results of the BIA indicate that <organization> should be starting the recovery process after disasters within <RTO for organization>. <Departments with shortest RTO> will be the first groups to start their recovery.
The number of processes investigated within the BIA came to <overall number of processes> with <number of critical processes> defined as critical, with a ratio of <ratio of critical processes to overall processes>, which lies within the industry norm. To perform such processes, <organization> needs <number of critical staff needed in disasters> people.
The execution of the BIA process suffered from certain difficulties and obstacles which affected the timeline and the resources as well as the quality. The most apparent and difficult were <the most painful obstacles and difficulties>.
The BCM program aims to build the capabilities and necessary arrangements within <organization> to mitigate, respond to, and recover from disasters and major interruptions.
The BCM program follows a life cycle, which is a sequence of recognized activities and processes. The first part of this life cycle is the BIA. The main purpose of the BIA is to identify the critical aspects and resources of <organization> and is considered one of the critical tools that are used to understand the interactions and relationships relating to the internal environment, processes, assets, and people.
Using BIA, <organization> establishes criticality ratings and sets requirements at organization and departmental levels. These ratings are essential to accomplish effective recovery from disasters. Collectively, a typical BIA would have the following objectives:
The BIA scope was based upon the organizational structure of <organization> and covered the following departments:
The following departments were not covered within the scope of this report:
The BIA process has gone through several stages starting from the old data generated from the previous runs of the BIA process and ending in the final approval and sign-off from the BCM steering committee.
The approach followed in the BIA process is summarized in the following points:
The following assumptions were made during the BIA phase:
Another major assumption was the definition of a disaster. At <organization>, disasters are defined as events that have occurred, or are expected to occur, affecting the critical assets causing:
RTO and impact rating for <organization>
The RTO is defined as the timeframe during which the process/activity, asset, or people should be made available.
Based on the information gathered and analyzed in the BIA phase, the RTO of <organization> and its impact rating of a disaster, as defined above, were derived as shown.
Impact rating |
RTO |
|
|
The following table illustrates the overall impact ratings for the departments covered in the scope. The ratings depended on the impact of disaster on the department’s own processes and <organization>.
Department |
RTO |
Impact rating (low/medium/high) |
Department 1 |
|
|
Department 2 |
|
|
Department 3 |
|
|
Department 4 |
|
|
The processes were classified by three main criticality ratings:
A process criticality rating depends on the impacts in five major areas:
The impacts were rated qualitatively (using N/A, low, medium, and high). When rating the impacts, consideration was given to local effects on the departments and global effects on the other relevant departments and <organization> as a whole.
The following table illustrates the overall process distribution according to criticality ratings.
Department |
Critical |
Important |
Non-critical |
Total |
Department 1 |
|
|
|
|
Department 2 |
|
|
|
|
Department 3 |
|
|
|
|
Department 4 |
|
|
|
|
Total |
|
|
|
|
The following table lists the critical processes distributed over departments, and then collected in groups. A critical process is a process that if not performed within an acceptable time could result in severe impacts on the department, group, and <organization>. A process is also critical if another critical process depends on it.
The following table details the continuity specifications (RTO/RPO) for the critical processes.
The RTO is the time required to recover the process to operational status. The RPO defines the maximum data loss acceptable or the required backup intervals, or points, for the data. The RPO is measured in time.
Department |
Process name |
Criticality rating |
RTO |
RPO |
Department 1 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 2 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 3 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 4 |
Process 1 |
|
|
|
Process 2 |
|
|
|
Department |
Process name |
Criticality rating |
Human resources |
Skills required |
Department 1 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 2 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 3 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 4 |
Process 1 |
|
|
|
Process 2 |
|
|
|
Department |
Process name |
Criticality rating |
Processes dependent on |
Processes depending on |
Department 1 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 2 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 3 |
Process 1 |
|
|
|
Process 2 |
|
|
|
|
Department 4 |
Process 1 |
|
|
|
Process 2 |
|
|
|
Reporting is considered an important aspect of <organization>‘s operations and activities especially if addressed to external parties like regulators and government entities. The reporting capabilities of the organization should continue to function even in times of disasters.
Department |
Report name |
Importance |
Department 1 |
|
|
Department 2 |
|
|
Department 3 |
|
|
Department 4 |
|
|
Department 5 |
|
|
Department 6 |
|
|
Department 7 |
|
|
Department 8 |
|
|
Department 9 |
|
|
Department 10 |
|
|
In order to achieve effective recovery, <organization>‘s departments need human resources as a workforce to perform the recovery tasks and initiate and operate the critical processes. The tables below demonstrate the departments’ requirements for human resources over a timeline that extends from 1 day to 60 days. The tables are arranged on three levels: department, group, and organization.
Similar to the human resources and workforce requirements, there are physical requirements and resources that should be made available for success in the recovery process. These resources are generic office environment aspects that are needed by the human resources to perform the recovery tasks. Similar to the human resources, the tables are organized on department, group, and organization levels.
The BIA process is usually considered an exhaustive process that utilizes considerable resources from all the stakeholders. During the various activities of the BIA process, there were several observations from the BCM team. Below are the major ones:
Based on the contents of the report, we recommend the following:
3.144.172.220