Business Continuity Management and Business Impact Analysis (BIA)

Transcription

1 Presented by Richard A. Harris, CBCP, MPMP Absolute Continuity Solutions Consultants, LLC Absolute solutions for all your enterprise s consulting needs Business Continuity Management and Business Impact Analysis (BIA) Scope, Comprehension, and Expectations

2 Overview Scope, Comprehension, Expectations SCOPE Often, senior leaders in the enterprise are reluctant to engage in the BIA, a most critical portion of BCM. An epidemic of geocentric thinking can be the downfall of numerous BCM Planning efforts.

3 Overview Scope, Comprehension, Expectations COMPREHENSION Many enterprises continue to view BCM as a Business Recovery Genie that cures all ills when there is a fault in the business while condemning BCM as a concept that doesn t work. In very many cases, BCM is used synonymously with Continuity of Operations (COOP). This is apples and oranges! (See NIST ).

4 Overview Scope, Comprehension, Expectations EXPECTATIONS Expectations can obscure what BCM is designed to do, leading to a lack of confidence. This session will discuss what BCM really is and how these efforts are most effective when initiated with clear scope, comprehension and expectations.

5 Business Impact Analysis (BIA)... Is the foundation of an enterprise's business continuity plan. Includes an exploratory component to uncover any risks and vulnerabilities, and a planning component to develop strategies for minimizing risk. Identifies the possibilities of failures. Usually assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence.

6 What is a Business Impact Analysis The BIA will: help identify which major business functions, operations and processes are essential to the survival of the business. will facilitate the identification of how soon essential business functions and/or processes have to return to full operation following a disaster, incident, or situation that cause interruptions for a significant time. help your enterprise determine what would be classified as a significant time of interruption and assign a monetary value of the affects of interruptions to the enterprises bottom line.

7 What is a Business Impact Analysis (continued) allow you to place a cost of the interruption on an hourly, daily, weekly, and/or monthly basis (if that interruption were to last that long), and cost the impact on the organization s ability to deliver products and/or support mission-critical services. facilitate the identification of the resources required to resume operations to a survival level. identify impacts based on a worst-case scenario. Assuming that the physical infrastructure supporting each respective business function has been severely interrupted and is not accessible within 30 days.

8 Why Do Business Impact Analysis SCOPE A thorough BIA will enable the enterprise to : identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, etc.. quantify the importance of business components and suggests appropriate fund allocation for measures to protect them. identify and prioritize the business Mission Essential Functions (MEF), to act as a triage method in an event or interruption. identify all the dependencies, controls, inputs, resources, and outputs associated with each business function.

9 Business Impact Analysis SCOPE Customer/Stakeholder Requirements Federal/State/Local Mandates Ethical Issues Policies/Statutes Legal Requirements Controls/Mandates Dependencies Utilities Support Services Supplies/Equipment Vital Records Communications Mission Essential Business Function Vital Resources Human Capital Contract/Vendor Support Software/Hardware/Telecommunications Venue/Location Stakeholders Outputs Products Services Information

10 Why Do Business Impact Analysis The main objectives of the BIA are to: EXPECTATIONS Estimate the financial and operational impacts for each major business function, assuming a worst-case scenario. Define the estimated number of personnel and other resources required for recovery operations. Identify the organization s business functions and processes and the estimated Recovery Time* and Recovery Point* for each major business function. *NOTE: Recovery Time Objectives (RTO) are the predetermined timeframes that the enterprise believes they can regain functionality from the time the incident or event occurred. Recovery Point Objectives (RPO) are the desired points (most critical) at which the enterprise will resume business in relation to the point at which business was being conducted at the time the incident or event

11 Business Continuity Management COMPREHENSION Signs of not fully understanding Business Continuity Management (BCM) are : Designing BCM around what-if incidents rather than interruptions of business functions. Designing BCM recovery activities around people or positions of affluence in the enterprise. - Single Points of Failure (SPOF) Failure to integrate BCM into Strategic and Operational Planning, as well other business/organizational development initiatives.

12 Business Continuity Management COMPREHENSION (continued) Lack of processes for incident probability (before) and early detection (after and incident), event severity determination procedures when the event occurs, and plan escalation procedures. Lack of enterprise-wide notification procedures and testing of those procedures. Inefficient and inadequate succession planning and proliferation of succession plans throughout the enterprise. Inadequate or nonexistent coordination with internal and external dependencies.

13 Business Continuity Management COMPREHENSION (continued) Ambiguous recovery goals and objectives (see Recovery Time/Point Objectives above) that are not data-driven nor support the mission and enterprise s customers. Inadequate, outdated, or nonexistent policies, standards, and governance by which the enterprise can follow for direction and clarity. Inadequate documentation, proliferation, and articulation of policies, standards, and governance throughout the enterprise for all employees to comprehend. Inadequate, outdated, or nonexistent procedures by which the enterprise can follow for direction and to take appropriate actions (at all levels of the enterprise).

14 Business Continuity Management COMPREHENSION (continued) Failure to adequately test existing plans - compounded by having outdated plans, procedures, and policies in place when testing is done. Inappropriate combination of testing approaches. Meaning, testing is quite often done using live exercises and drills. These testing processes are effective, however, they should only be done after their have been a series of tabletop exercises first to identify major gaps in the plan before committing resources to a live exercise. Infrequent, inappropriate*, and/or nonexistent testing procedures for recovery goals and objectives.

15 Business Continuity Management COMPREHENSION (Continued) Live exercises are necessary but are very taxing on financial resources due to downtime and commitment of Human Capital. Quite often, only the upper echelons of the organization have any knowledge of the enterprise s business continuity plans and their contents. In most instances, the operations-level of the business don t even understand what Business Continuity Management really is!

16 Business Continuity Management SOLUTIONS Thoroughly assessing, documenting, and testing your enterprises: Business Impact Analysis before starting the planning process. Policies, Standards, and Governance Incident Probability and Early Detection Assessment, Event Impact Severity Determination, and Plan Activation and Escalation Activities Incident Assessment, Event Severity Determination, and Plan Escalation Enterprise Notification Procedures Succession Planning Alternate Location Readiness (cold, warm, hot site preparedness) Command Center/Emergency Operations Management Coordination with Internal and External Dependencies and Stakeholders Recovery Time and Point Objectives Set Realistic Goals

17 Business Continuity Management QUESTIONS and ANSWERS