Business Impact Management Moving Beyond the Traditional BIA THINK DIFFERENT. THINK SUCCESS.


1 Business Impact Management: Moving Beyond the Traditional BIA

2 Change can be challenging!

3 Discussion Topics
  Impact Assessment Concepts
  Effective Data Gathering
  Creating Actionable Information
  Impact Management Driving Success

4 Business Impact Management is
  Detailed Knowledge of the Organization & Impacts
    Understand how it works so you understand how it breaks
  Command & Control of processes and systems
    Deliver desired outcomes regardless of disruptions
  Business Impact & Resilience Data used in all aspects of Decision making
    Decisions based on current and accurate data
  Ability to use Business Continuity data in Operational Management
    Reduce risk & improve efficiency of daily operations
  Information Management is a Key Success Factor

5 What is an Impact Assessment?
  A Business Continuity Management process that
    is used to determine and manage the outage impacts and exposures of mission-critical processes, applications or facilities over time
    is used to establish priorities for resilience, availability and/or recovery
    can be used to determine the value of a mission-critical process
    can also be used to support the business case for investments in IT, Facility and process resilience

6 Types of Impact Assessments
  Business Impact Assessment (BIA) (Process, Function, Department, Functional Area)
  System/Technology Impact Assessment (SIA/TIA) (Application, IT System, IT Service)
  Facility/Site Impact Assessment
  Vendor Risk Assessment

7 Why Perform a Business (Process) Impact Assessment?
  To identify the most critical business processes to the organization
  To quantify, measure and report on the resilience of each process
  To determine appropriate strategies for continuity of critical processes
  To prioritize efforts for improving business continuity overall within the organization
  To determine the resilience and recovery requirements (IT, Facilities, Suppliers) to support each process
  To identify the most critical IT (Systems and Applications) and determine recovery priorities
  To support the business case for investments in IT and business operations resiliency
  To identify the most critical Facilities
  To identify the most critical Suppliers/Vendors

8 How to Define Your Processes?
  Process
    A fundamental building block of the organization
    A Service provided to the organization for the benefit of its constituents: (Customers, Members, Employees, Shareholders, Students, Patients)
    A collection of business activities that can be outsourced
    Aligned with Business Process Optimization or Re-engineering

9 Process Types
  Process
    Management processes, the processes that govern the operation. Typical management processes include strategic planning, corporate governance, and financial reporting.
    Operational processes, processes that constitute the core business and create the primary value stream. For example, taking orders from customers, and opening an account.
    Supporting processes support the core processes. Examples include Health & Safety training, payroll, billing, recruitment, providing help desk support, and configuring PCs.

10 Effective Impact Data Gathering
  A Business Process creates the greatest level of exposure to an organization when:
    If disrupted, it has a significant financial, operational, reputational or compliance impact (Impacts) on the organization within a defined period of time (Velocity)
    Its loss (or disruption) cannot be tolerated for any length of time (Maximum Tolerable Outage Duration)
    It is determined to be critical to the mission and core values of the organization (Criticality Profile)
    No measures have been implemented to mitigate the impact on the organization if it is disrupted (Mitigating Factors)

11 Gathering Data: Traditional Impact Profile
  Impact Categories
    Financial
    Operational
    Legal, Regulatory, Compliance
    Brand, Image, Reputational
    Patient/Customer Care
    Member Services
  Impact Velocity
  6 Impact Categories X 9 Points in Time = 54 Questions

12 Gathering Data: Simplified Impact Profile
  Impact Categories
    Financial
    Operational
    Legal, Regulatory, Compliance
    Brand, Image, Reputational
    Patient/Customer Care
    Member Services
  Impact Velocity
  6 Impact Categories X (1 Point in Time + 1 Impact Level) = 12 Questions

13 Gathering Data: Alternative Impact Profile
  [Figure labels: Catastrophic, Significant, Material, Minimal; MTOD (Process RTO)]
  6 Impact Categories X 1 Point in Time = 6 Questions

14 Gathering Data: Impact Profile
  Inherent Impact v. Residual Impact
    Inherent Impact = Sum of the Impacts
    Mitigating Factors = the Effectiveness (typically represented as a percentage) of measures implemented to reduce the Inherent Impact
    Residual Impact = Remaining Impact after considering the effectiveness of the mitigation measures
      Sum of the Impacts X (1 - Sum of the Mitigating Factors)

15 Gathering Data: Mitigation Measures
  Full or Partial Resilience, where the process is conducted across multiple locations
  Designated and possibly tested Alternate Capabilities/Capacities (e.g. suppliers, locations, processes, staff, etc.)
  Documented, Tested and Proven Strategies and Plans
  Insurance to limit the impact
  Contractual Terms & Conditions to limit the impact

16 Gathering Data: Criticality Profile
  What Determines Business Process Criticality?
    Relative Criticality
    Maximum Tolerable Downtime
    Key Business Performance Indicators
    Process Role
    Systemic Impact

    Sells Products / Services
    Ensures Safety / Compliance
    Services Customers/Members
    Supports Life/Safety
    Ensures Product/Service Quality

17 Creating Actionable Information from Your Data
  [Figure: Criticality (Low, Medium, High) plotted against Residual Impact (Low, Medium, High)]

18 Delivering Value - Avaya
  Max Lacobara
  Senior Regional Corporate Security & Global Business Continuity Manager at Avaya
  20 years of experience in the areas of Crisis and Incident Management
  Owns Avaya's Global BCP program, leading the effort of the program re-design

19 Delivering Value - Avaya
  Background
    FUSION is our standard tool for documenting the Business Continuity and the Incident Management Plans, serving both our Business Continuity and Crisis Management Programs.
  Reasons for Change
    Our Program Structure was too granular. This generated the need for too many plans.
    Our BIA was too complicated, making the initial part of the planning effort unattractive and tedious.
    Business Group success limited to those with constant supervision.

20 Delivering Value - Avaya
  The Change Strategy:
    Reduce the universe of plans by implementing a revised breakdown and consolidating plans.
    Revitalize the program by making it more user friendly and less complicated and demanding.
    Re-designing the BIA to be more qualitative than quantitative, and more streamlined from a user perspective (easier to complete and review)
  The Results so far:
    Based on a FUSION proposal for a simpler BIA, we were able to design together a new format aligned with our concepts:
      o Simpler.
      o More representative.
      o More streamlined.
    The FUSION team provided an amazing design and implementation experience.
    Business Groups (end user) format testing provided very positive feedback.

21 Delivering Value - Metrics Relative Performance Comparative Analysis Measured Against a Standard Compliance Historical Trends

22 Impact Management Best Practices
  1. Focus on information that extends beyond a typical BIA.
  2. Use a data model that reflects
     a. How your organization works,
     b. How it might break,
     c. How you can prevent breaks, and
     d. How you can put it back together again.

23 An Organization is a Puzzle
  Dependency Mapping is how we tell the Impact story of how we are all connected and dependent on each other to execute and ensure the success of the organizational strategy/mission.

24 Driving Engagement; Driving Outcomes
  Information forms the foundation for all material advances
  Effectiveness, Efficiency & Economic value can be delivered with new thinking and new approaches
  Command & Control can become your brand to advance your program
  [Figure labels: Driving Engagement, Command & Control, Strategy & Preparation, Information, Driving Outcomes]

25 Driving Engagement; Driving Outcomes
  Driving Engagement starts on the foundation of facts
  Collect data to report information by Areas of Relevance (Organizational Unit, Function, Site, Owner, etc.)
  Use dashboard elements to Drive Engagement
  Utilize real-time dashboards to Drive Action and Outcomes (decision-making)

26 Making it work for you
  Minor adjustments; Major results
  Make yourself invaluable
  Build your information foundation
  Know more than anyone else but don't be a hoarder
  Anticipate questions and frame the answers
  Engage in context, on their terms, in their words
  Drive Engagement and Outcomes
  Go deep. Go wide. Unravel complexities. Leverage information. Prioritize knowing over planning. Prepare to act. Prove it.

27 Questions & Answers