APPENDIX 3: BIA REPORT

<Organization>

Business impact analysis report

<Version>

<Date of approval and publishing>

Executive summary

The business impact analysis (BIA) is the stage of the BCM life cycle in which the critical processes and resources are identified according to the impact their disruption would have. The BIA process follows the guidelines of the BCM policy and the ISO 22301 standard.

The scope of the BIA process at <organization> is based on the organizational structure and covers all <scope of the BIA process>.

The results of the BIA indicate that <organization> must have its critical processes back in operation within <RTO for organization> of a disaster. <Departments with shortest RTO> have the shortest RTOs and will therefore be the first groups to start their recovery.

The BIA investigated <overall number of processes> processes, of which <number of critical processes> were rated critical, a ratio of <ratio of critical processes to overall processes>, which lies within the industry norm. Performing these critical processes in a disaster requires <number of critical staff needed in disasters> people.

The execution of the BIA process met with difficulties and obstacles that affected its timeline and resource consumption as well as the quality of the results. The most significant were <the most painful obstacles and difficulties>.

Abbreviations and acronyms

  • BCM – Business continuity management
  • BIA – Business impact analysis
  • RTO – Recovery time objective
  • RPO – Recovery point objective

Introduction

The BCM program aims to build the capabilities and necessary arrangements within <organization> to mitigate, respond to, and recover from disasters and major interruptions.

The BCM program follows a life cycle, a sequence of recognized activities and processes, of which the BIA is the first stage. The main purpose of the BIA is to identify the critical processes and resources of <organization>; it is one of the principal tools for understanding the interactions and relationships among the internal environment, processes, assets, and people.

Using BIA, <organization> establishes criticality ratings and sets requirements at organization and departmental levels. These ratings are essential to accomplish effective recovery from disasters. Collectively, a typical BIA would have the following objectives:

  • Identify critical functions, systems, applications, data, and relevant assets.
  • Identify RTO for critical functions.
  • Determine the RTO for systems, applications, and technical components.
  • Identify the RPO for functions, applications, and technical components.
  • Establish recovery priorities for departments and processes.
  • Identify resources required to support critical processes in the event of disasters.
  • Provide input for creating the business continuity strategy.

Scope

The BIA scope was based upon the organizational structure of <organization> and covered the following departments:

  • department 1
  • department 2
  • department 3

The following departments were not covered within the scope of this report:

  • department 5
  • department 6
  • department 7

Approach

The BIA process went through several stages, starting from the data generated by previous runs of the BIA process and ending with the final approval and sign-off by the BCM steering committee.

The approach followed in the BIA process is summarized in the following points:

  • An analysis of the existing information was conducted and a set of new requirements to be gathered was identified.
  • A new questionnaire was designed to accommodate new requirements.
  • A workshop was conducted to introduce the questionnaire to the BCM coordinators.
  • Questionnaires were circulated to the BCM coordinators, pre-loaded with old data.
  • A follow-up was done by the BCM team with the BCM coordinators to answer queries and provide help and assistance.
  • BCM coordinators provided the initial drafts of questionnaires.
  • The BCM team reviewed the questionnaires provided and made comments, as required, then sent the questionnaires back for BCM coordinators to review and modify, as appropriate.
  • Modified questionnaires were returned to the BCM team.
  • Once considered acceptable, BCM coordinators and department heads signed off the questionnaires for completeness and accuracy.
  • After being signed off, the analysis was conducted by the BCM team.
  • The final BIA report was generated containing the consolidated BIA results.
  • The BIA results were presented to the BCM steering committee for review and approval.

Assumptions

The following assumptions were made during the BIA phase:

  • The major sources of information are the questionnaires and the related meetings and workshops.
  • Each BCM coordinator is an experienced staff member who is highly familiar with the operations, processes, and activities of his/her department.
  • A disaster could affect any or all of <organization>’s groups and/or infrastructure.

Another major assumption was the definition of a disaster. At <organization>, a disaster is an event that has occurred, or is expected to occur, that affects critical assets and causes one or more of the following:

  • severe effects on human lives and well-being, directly or indirectly;
  • severe outage of critical processes;
  • severe damage to the critical assets of <organization>;
  • severe damage to, or loss of, <organization>’s data and information;
  • severe damage to <organization>’s IT infrastructure and services;
  • severe damage to, or impact on, <organization>’s reputation, brand, and public perception.

Consolidated results

RTO and impact rating for <organization>

The RTO is defined as the maximum time within which a process/activity, asset, or group of people must be made available again after a disruption.

Based on the information gathered and analyzed in the BIA phase, the RTO of <organization> and the impact rating of a disaster, as defined above, were derived as shown in the following table.

| Impact rating | RTO |
|---------------|-----|
|               |     |

RTO and impact ratings for the departments

The following table shows the overall impact ratings for the departments covered in the scope. The ratings reflect the impact of a disaster on each department's own processes and on <organization> as a whole.

| Department   | RTO | Impact rating (low/medium/high) |
|--------------|-----|---------------------------------|
| Department 1 |     |                                 |
| Department 2 |     |                                 |
| Department 3 |     |                                 |
| Department 4 |     |                                 |

Distribution of processes

The processes were classified by three main criticality ratings:

  • Critical: Critical processes are those that are highly sensitive to disruption and could cause severe impacts to the department and <organization> if they were interrupted.
  • Important: Important processes are those that, if interrupted, could cause considerable impacts on the department and <organization>.
  • Non-critical: Non-critical processes cause minimal impacts if they are not performed.

A process criticality rating depends on the impacts in five major areas:

  • Financial impacts: These are impacts affecting cash flows, revenues, financial losses, and the overall financial performance of <organization>.
  • Customer service: These impacts affect the ability and capability of the department and <organization> to provide customers and clients with acceptable-quality services.
  • Regulatory adherence: These impacts relate to the adherence to laws and regulations governing <organization>’s operations and activities.
  • Image and reputation: These are impacts related to effects on <organization>’s image, brand, and reputation in internal and external environments.
  • Health and safety: These impacts relate to <organization>‘s occupational health and safety preparations, policies, and procedures.

The impacts were rated qualitatively (using N/A, low, medium, and high). When rating the impacts, consideration was given to local effects on the departments and global effects on the other relevant departments and <organization> as a whole.

The following table illustrates the overall process distribution according to criticality ratings.

| Department   | Critical | Important | Non-critical | Total |
|--------------|----------|-----------|--------------|-------|
| Department 1 |          |           |              |       |
| Department 2 |          |           |              |       |
| Department 3 |          |           |              |       |
| Department 4 |          |           |              |       |
| Total        |          |           |              |       |


Critical processes – impacts

The following table lists the critical processes by department and then by group. A critical process is one that, if not performed within an acceptable time, could result in severe impacts on the department, the group, and <organization>. A process is also critical if another critical process depends on it.

[Tables not reproduced in this extract: critical processes and their impacts, by department and by group.]

Critical processes – RTO and RPO specifications

The following table details the continuity specifications (RTO/RPO) for the critical processes.

The RTO is the maximum acceptable time for recovering the process to operational status after a disruption. The RPO is the maximum acceptable data loss, expressed as the period of time, measured back from the disruption, whose data may be lost; it therefore bounds the interval between backups or replication points. Both RTO and RPO are measured in time.

| Department   | Process name | Criticality rating | RTO | RPO |
|--------------|--------------|--------------------|-----|-----|
| Department 1 | Process 1    |                    |     |     |
| Department 1 | Process 2    |                    |     |     |
| Department 2 | Process 1    |                    |     |     |
| Department 2 | Process 2    |                    |     |     |
| Department 3 | Process 1    |                    |     |     |
| Department 3 | Process 2    |                    |     |     |
| Department 4 | Process 1    |                    |     |     |
| Department 4 | Process 2    |                    |     |     |

Critical processes – human resources and skills required

| Department   | Process name | Criticality rating | Human resources | Skills required |
|--------------|--------------|--------------------|-----------------|-----------------|
| Department 1 | Process 1    |                    |                 |                 |
| Department 1 | Process 2    |                    |                 |                 |
| Department 2 | Process 1    |                    |                 |                 |
| Department 2 | Process 2    |                    |                 |                 |
| Department 3 | Process 1    |                    |                 |                 |
| Department 3 | Process 2    |                    |                 |                 |
| Department 4 | Process 1    |                    |                 |                 |
| Department 4 | Process 2    |                    |                 |                 |

Critical processes – dependencies

| Department   | Process name | Criticality rating | Depends on (upstream processes) | Depended on by (downstream processes) |
|--------------|--------------|--------------------|---------------------------------|---------------------------------------|
| Department 1 | Process 1    |                    |                                 |                                       |
| Department 1 | Process 2    |                    |                                 |                                       |
| Department 2 | Process 1    |                    |                                 |                                       |
| Department 2 | Process 2    |                    |                                 |                                       |
| Department 3 | Process 1    |                    |                                 |                                       |
| Department 3 | Process 2    |                    |                                 |                                       |
| Department 4 | Process 1    |                    |                                 |                                       |
| Department 4 | Process 2    |                    |                                 |                                       |
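The dependency rule stated under "Critical processes – impacts" (a process is also critical if a critical process depends on it) and the dependency table above together imply a mechanical check the BCM team can run on the questionnaire data before sign-off. The following Python script is an added example, not part of the report template: it derives each process's own criticality from the worst of its five impact ratings (the mapping high to critical, medium to important, low or N/A to non-critical is an assumption, since the report does not fix one), propagates criticality upward through the dependency graph until nothing changes (generalizing the stated rule so that "important" is inherited as well), and flags any process whose RTO is shorter than the RTO of a process it depends on, which would make its RTO unachievable. The process names, impact ratings, and RTOs are constructed sample data.

```python
"""BIA criticality roll-up and RTO consistency check over process dependencies.

Added example for this appendix. The processes, ratings and RTOs below are
constructed sample data, and the impact-to-criticality mapping is an
assumption: the report itself does not fix that mapping.
"""

# Qualitative impact scale used in the report, from least to most severe.
IMPACT_RANK = {"N/A": 0, "low": 1, "medium": 2, "high": 3}

# Assumed mapping from the worst impact across the five areas to the
# criticality rating (adjust to the BCM policy in force).
CRITICALITY_BY_WORST_IMPACT = {0: "non-critical", 1: "non-critical",
                               2: "important", 3: "critical"}
CRITICALITY_RANK = {"non-critical": 0, "important": 1, "critical": 2}
CRITICALITY_BY_RANK = {rank: name for name, rank in CRITICALITY_RANK.items()}

# Constructed sample questionnaire data (hypothetical processes and values).
# impacts: rating per impact area; rto_h: RTO in hours; depends_on: upstream
# processes this process cannot run without.
PROCESSES = {
    "Payroll run": {
        "dept": "Department 1",
        "impacts": {"financial": "high", "customer": "low", "regulatory": "high",
                    "reputation": "medium", "safety": "N/A"},
        "rto_h": 24,
        "depends_on": ["HR master data", "Bank file transfer"],
    },
    "HR master data": {
        "dept": "Department 1",
        "impacts": {"financial": "low", "customer": "low", "regulatory": "medium",
                    "reputation": "low", "safety": "N/A"},
        "rto_h": 72,
        "depends_on": [],
    },
    "Bank file transfer": {
        "dept": "Department 2",
        "impacts": {"financial": "medium", "customer": "medium", "regulatory": "low",
                    "reputation": "low", "safety": "N/A"},
        "rto_h": 8,
        "depends_on": ["Network connectivity"],
    },
    "Network connectivity": {
        "dept": "Department 3",
        "impacts": {"financial": "N/A", "customer": "N/A", "regulatory": "N/A",
                    "reputation": "N/A", "safety": "N/A"},
        "rto_h": 4,
        "depends_on": [],
    },
    "Staff newsletter": {
        "dept": "Department 3",
        "impacts": {"financial": "low", "customer": "N/A", "regulatory": "N/A",
                    "reputation": "low", "safety": "N/A"},
        "rto_h": 240,
        "depends_on": ["HR master data"],
    },
}


def own_criticality(impacts):
    """Rate a process from the worst of its five impact ratings."""
    worst = max(IMPACT_RANK[rating] for rating in impacts.values())
    return CRITICALITY_BY_WORST_IMPACT[worst]


def propagate_criticality(processes):
    """Return {process: rating} after inheriting ratings from dependents.

    A process is raised to the highest rating of any process that depends on
    it, directly or transitively. Iterating to a fixed point handles chains
    of any length and also terminates on cyclic dependencies, because a
    rating can only move upward.
    """
    rating = {name: own_criticality(p["impacts"]) for name, p in processes.items()}
    dependents = {name: [] for name in processes}  # upstream -> downstream names
    for name, p in processes.items():
        for upstream in p["depends_on"]:
            if upstream not in processes:
                raise KeyError(f"{name!r} depends on unknown process {upstream!r}")
            dependents[upstream].append(name)
    changed = True
    while changed:
        changed = False
        for name in processes:
            inherited = max((CRITICALITY_RANK[rating[d]] for d in dependents[name]),
                            default=0)
            if inherited > CRITICALITY_RANK[rating[name]]:
                rating[name] = CRITICALITY_BY_RANK[inherited]
                changed = True
    return rating


def rto_violations(processes):
    """List (process, upstream, rto_h, upstream_rto_h) for every dependency whose
    RTO is longer than that of the process needing it: that RTO cannot be met."""
    violations = []
    for name, p in processes.items():
        for upstream in p["depends_on"]:
            if processes[upstream]["rto_h"] > p["rto_h"]:
                violations.append((name, upstream, p["rto_h"], processes[upstream]["rto_h"]))
    return violations


if __name__ == "__main__":
    ratings = propagate_criticality(PROCESSES)
    for name, p in PROCESSES.items():
        own = own_criticality(p["impacts"])
        note = "" if own == ratings[name] else f"  (raised from {own} via dependents)"
        print(f"{p['dept']:13s} {name:22s} {ratings[name]}{note}")
    for proc, up, rto, up_rto in rto_violations(PROCESSES):
        print(f"RTO conflict: {proc} needs {up} within {rto} h, but {up} has RTO {up_rto} h")
```

In the sample data, "Network connectivity" has no impact of its own yet ends up critical, because "Bank file transfer" depends on it and "Payroll run" depends on that; this is the transitive case the rule in the report is meant to catch. The RTO check surfaces the other common questionnaire defect, a department claiming a 24-hour RTO while an upstream process it needs has been given 72 hours.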

High-importance reports

Reporting is an important aspect of <organization>’s operations and activities, especially reporting addressed to external parties such as regulators and government entities. The organization's reporting capabilities must continue to function even during a disaster.

| Department    | Report name | Importance |
|---------------|-------------|------------|
| Department 1  |             |            |
| Department 2  |             |            |
| Department 3  |             |            |
| Department 4  |             |            |
| Department 5  |             |            |
| Department 6  |             |            |
| Department 7  |             |            |
| Department 8  |             |            |
| Department 9  |             |            |
| Department 10 |             |            |

Recovery resources – human resources

Effective recovery requires a workforce to perform the recovery tasks and to restart and operate the critical processes. The tables below show the departments' human resource requirements over a timeline from 1 day to 60 days. The tables are arranged at three levels: department, group, and organization.

[Tables not reproduced in this extract: human resource requirements at department, group, and organization level, from 1 to 60 days.]

Recovery resources – physical resources

In addition to the workforce, physical resources must be made available for the recovery to succeed. These are generic office-environment resources that the recovery staff need in order to perform their tasks. As with the human resources, the tables are organized at department, group, and organization levels.

[Tables not reproduced in this extract: physical resource requirements at department, group, and organization level.]

Observations

The BIA process is usually considered an exhaustive process that utilizes considerable resources from all the stakeholders. During the various activities of the BIA process, there were several observations from the BCM team. Below are the major ones:

  • Some groups did not meet the deadlines, although these had been agreed with them in advance. The cumulative delays meant that the results were available for analysis and reporting significantly later than planned.
  • The data quality was poor. This required additional effort to review and check the questionnaires provided, and contributed to the delays mentioned above.
  • Criticality ratings were not assigned rationally: processes and impacts were considerably over-rated.
  • The concept of ownership was not applied. Data provided through the BIA process are owned by the groups that provide them; the BCM team's role is to coordinate and report on the results. The groups' approach to collecting and analyzing the BIA data did not reflect this.

Recommendations

Based on the contents of the report, we recommend the following:

  • Review and rationalize the critical processes. If there are no major modifications, approve the results of the BIA as listed within this report and the relevant BIA questionnaires.
  • Communicate, at the highest levels, the importance of the BIA and adhering to the agreed timelines and data quality levels to streamline the process in future implementations.