1 / 48

Business Impact Analysis

Business Impact Analysis. S.V. Sunder Krishnan 29 th November 2007. Disaster. Disaster is an event, often unexpected, that seriously disrupts your usual operations or processes and can have long term impact on your normal way of life or that of your organization

tallis
Download Presentation

Business Impact Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Impact Analysis S.V. Sunder Krishnan 29th November 2007

  2. Disaster • Disaster is an event, often unexpected, that seriously disrupts your usual operations or processes and can have long term impact on your normal way of life or that of your organization • Here is a sample list disasters: Environmental Fire Earthquake Heavy Rains Flooding Lightning Surge Severe Weather Epidemics Tsunami Hurricane Others Legal Problem Vendor Breakdown

  3. The Fatal Impact! Disasters could cause an organisation to suffer: • Inability to maintain critical customer services • Damage to market share, reputation or brand • Failure to protect the company assets including intellectual properties and personnel • Business control failure • Failure to meet legal or regulatory requirements

  4. WHAT IS - BUSINESS CONTINUITY PLANNING? • BCP is about identifying and, where appropriate, reducing your internal and external business risks & exposures and implementing an affective business recovery strategy • BCP ensures that you can provide an acceptable level of service to your clients / customers and other business ‘stakeholders’ regardless of any events or incidents that occur • BCP should be an integral part of your business risk management strategy BCP addresses the whole business continuity management process from risk & business impact analysis through strategy & plan development to implementation, testing and ongoing change control

  5. A Fully Tested Effective Plan INCIDENT B No Plan – Lucky Escape C No Plan – Possible Outcome Why Have a Business Continuity Plan? Recovery or Failure Level of Business Managed Short-term Interruption Time Critical Recovery Point • Ensure that you can provide an acceptable level of service to your clients, customers and other business partners regardless of any events or incidents that occur • BCP is not a ‘box ticking’ exercise to satisfy the regulators it is about ensuring continuity of your business • Effective BCP is in the interest of all staff at all levels. This requires you to take ownership of BCP for your business unit

  6. 1. Analyse your Business 4. Test & Update 2. Analyse the Risks 3. Develop Recovery Strategy WHAT IS - BUSINESS CONTINUITY PLANNING? • Analyse your Business Business Impact Analysis • Analyse the Risks Business Continuity Risk Assessment • Develop Recovery Strategy Business Continuity Plan • Test & Update Periodically test and update BCP BCP is the responsibility of the Business it is not just an IT issue! BCP encompasses a DRP (Disaster Recovery Plan) which is an IT plan

  7. How do you develop a Business Continuity Plan? • Development of a Business Continuity plan is not ‘rocket science’ – it’s really just common sense • Essentially, it consists of: • identifying tasks which your team may need to perform if an incident occurs • documenting those tasks • organizing the tasks logically by phase and activity • compiling team contact info and any other supporting documentation

  8. What assumptions should you make? In developing your business unit’s plan, you should make the following assumptions: • The incident may occur at the worst possible time • The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure) • Some or many of your staff may be unavailable for work following the incident • An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified • The alternate location would be within driving distance • The Business Enterprise has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams) • Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans

  9. BCP RISK ANALYSIS – BUSINESS IMPACT • Four Variables that affect the Level of Business Exposure and Impact: • Likelihood of risk occurring • Vulnerability to the risk • Severity of risk • Time taken to recover • Time taken to recover relates to the Severity of the Risk: • Short-term impact (up to 1 working day) resulting from denial of access to place of work / data (e.g. due to power failure) • To: • Long-term impact (several weeks / months) resulting from total destruction of place of work / staff / data (e.g. 9/11) • Quantifying Risk - how do we Prioritise the Risk? : • Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood of each Threat

  10. High Impact War Pandemic Major Fraud Confidentiality Breach Plane Crash Terrorism Major Fire Major IT Failure Epidemic Virus Low Likelihood High Likelihood Supplier Failure Limited IT Failure Minor Fire Water Leak Minor Fraud Theft Power Failure Low Impact BCP RISK ANALYSIS – LIKELIHOOD / IMPACT CHART • Four Variables that affect the Scale of Business Impact: • Likelihood of risk occurring • Vulnerability to the risk • Severity of risk • Time taken to recover

  11. Business Process Criticality Definition • A Company’s revenue generating ability and corporate image are supported by the timely execution of its business processes. However, the degree of criticality that some business processes carry are more than others on account of their importance to the business operations either in terms of their revenue generation capability or their ability to sustain the corporate image. • Provided below are guidelines, which have been considered at the time of assigning criticality to RLIC’s business processes: • Critical (High) Inability to perform this process within the indicated cycle time would significantly affect revenue-generating capability and / or the operating effectiveness of the other business processes. • Important (Medium) Inability to perform this process on a timely basis would affect revenue-generating activities and / or the operating effectiveness of the other business processes. These processes normally support the execution of critical processes, but are not directly part of the critical business process itself. • Minor (Low) Inability to perform this process for a significant period of time in excess of the indicated cycle time would impact the efficiency of other business processes and affect revenue-generating activities.

  12. Factors to be considered for determining the criticality

  13. The generally observed classification

  14. CALL OUT CALL OUT BCP – Invocation Flowchart / Call Tree Recovery Timescales Incident Alert INCIDENT DETECTED (Security Alerted) • EMERGENCY SERVICES CALL OUT • BCP PLAN • RECOVERY SITE • VOICE DIVERT - TO MESSAGE • BCP WEBSITE MESSAGE UPDATE • STAFF MESSAGE LINE UPDATE INCIDENT ALERT to BCP Team INVOKE 0 to 2 hrs BUSINESS RECOVERY CORPORATE COMMUNICATION CRISIS MANAGEMENT TEAM (CMT) IT RECOVERY OTHER LOCATIONS TEAM LEADERS INVOKE INVOKE INVOKE INVOKE INVOKE DEPARTMENT BCP PLAN CLIENT / PUBLIC RELATIONS STRATEGY DEPARTMENT BCP PLAN IMPACT ASSESSMENT CMT BCP PLAN IT BCP PLAN BACKUP TAPE DELIVERY ‘BATTLEBOX’ DELIVERY VOICE DIVERT - TO RECOVERY SITE IMPACT ASSESSMENT LOCAL BCP PLAN IA process - Incident / Damage & Salvage Assessment - Invoke Recovery Site or put on Standby - Call-out the CMT and Confirm Invocation - Invoke Voice Divert & Message Updates (Staff Line & BCP Website) - Call-out Recovery Team Leaders or their Alternates - Manage Invocation and IT / Services Recovery and Support CMT - Liaise with IA teams and Confirm Invocation - Set-up Command Centre / Conference Call - Conduct Business Impact Assessment & Determine Recovery Priorities - Assume Ongoing Crisis Management Responsibility RECOVERY - Team Leaders to Call-out Team Members & Invoke BCP Plan Processes - Conduct Business Impact Assessment & Advise CMT - Recover Business / IT / Service Functions Incident Invocation 2 to 4 hrs 4 to 24 hrs Business Recovery

  15. Recovery Timeframes (RTO) • Recovery timeframes refer to the period by which each business process needs to be recovered / resumed to avoid disruption to business i.e. a business process may not be critical at the time of disaster striking the organization. • However if such process is not recovered within the stipulated period subsequent to the disaster then such process may also become critical at the end of such identified period • For e.g. process for payment of salaries if not resumed / recovered within 15 days would become critical. • There are two factors to be considered • Recovery time: Refers to the time taken to ensure that key business processes are up and running • Currency of data: Refers to the currency of data (i.e how latest the data should be – yesterday’s back up or information keyed in two hours before the disaster or every SECOND! no data lost)

  16. confidential Executive Summary • Introduction  • Essentials of BIA • Incident Management • Impact Analysis • RTO / RPO • Recovery Strategies / Alternatives • Threat Scenarios and assumptions • The teams • Summing up

  17. BCP Process Phases of the business continuity planning process • Creation of a business continuity and disaster recovery policy • Business impact analysis • Classification of operations and criticality analysis • Development of a business continuity plan and disaster recovery procedures • Training and awareness program • Testing and implementation of plan • Monitoring

  18. The Essentials: • Rigorous planning and commitment of resources • Risk assessment to identify critical business processes • Reduction of risk for unexpected disruption to critical functions • Assure continuity of minimum level of service for critical operations • Responsibility of senior management • Address all functions and assets to continue as a viable organization

  19. BIA - Elements • Disasters • Disrupt the operation of critical information processing • Adversely impact business operations • Not all disruptions are disasters • Causes of service disruption • Natural • Expected services no longer supplied • BCP must take into account all types of events impacting IS processing facilities and end users functionality

  20. BCP Incident Management • The management of incidents need be dynamic, proactive and documented • All types of incidents need to be categorized • Negligible: causing no significant damage • Minor: produce no negative material or financial impact • Major: cause negative material impact on business processes • Crisis: serious material impact on the functioning of the business

  21. Business Impact Analysis • Identifying the various events that could impact the continuity of operations and their impact on the organization • Issues to consider for BIA: • Different business processes • Critical information resources related to critical business processes • Critical recovery time period before significant losses are incurred • Systems risk ranking

  22. Recovery Point Objective and Recovery Time Objective • Recovery Point Objective (RPO) • Based on acceptable data loss • Indicates earliest point in time in which it is acceptable to recover the data • Recovery Time Objective (RTO) • Based on acceptable downtime • Indicates earliest point in time at which the business operations must resume after a disaster

  23. Recovery Point Objective and Recovery Time Objective (continued) • RPO and RTO are based on time parameters • The lower the time requirements, the higher the cost of recovery strategies • Parameters to consider when defining recovery strategies: • Interruption window • Service delivery objective (SDO) • Maximum tolerable outages

  24. Recovery Strategies • Like all threats, the most effective action would be: • To remove the threat altogether • To minimize the likelihood and effect of occurrence • A recovery strategy is a combination of preventive, detective and corrective measures. • The selection of a recovery strategy would depend upon: • The criticality of the business process and the applications supporting the processes • Cost • Time required to recover • Security

  25. Recovery Strategies (continued) Recovery strategies based on the risk level identified for recovery would include developing: • Hot sites • Warm sites • Cold sites • Duplicate information processing facilities • Mobile sites • Reciprocal arrangements with other organizations

  26. Recovery Alternatives Types of offsite backup facilities • Hot sites - Fully equipped facility • Warm sites - Partially equipped butlacking processing power • Cold sites - Basic environment • Duplicate information processing facility • Mobile sites • Reciprocal agreement • Contract with hot, warm or cold site • Procuring alternative hardware facilities

  27. Recovery Alternatives (continued) Procuring alternative hardware facilities • Vendor or third-party • Off-the-shelf • Credit agreement or emergency credit cards

  28. What is a Potentially Disastrous incident? A potentially disastrous incident (hereafter referred to as an ‘incident’) is any internal or external incident which may cause an unacceptable interruption in the company’s critical and important business processes.

  29. Threat scenarios

  30. What assumptions should you make? • In developing your business unit’s plan, you should make the following assumptions: • The incident may occur at the worst possible time • The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure) • Some or many of your staff may be unavailable for work following the incident

  31. What assumptions should you make? • You can also make the following assumptions: • An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified • The alternate location would be within driving distance • The Company has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams) • Only the the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans

  32. What is aBusiness Continuity Team?

  33. What is a Business Continuity Team? • A Business Continuity Team is a designated group of individuals responsible, at time of incident, for: • determining which tasks need to be performed • coordinating the execution of those tasks • communicating and coordinating with other Business Continuity Teams • Each team must have a team leader and alternate(s), and an appropriate number of members

  34. Corporate Crisis Management Team Support Team Critical Process 2 IT Team Critical Process 1 Typical Business Continuity Team Structure Business Continuity Coordinator Support Team Business Resumption Teams Critical Process 3 Local Incident Management Teams

  35. The Specific BCP Teams for Reliance Life Insurance Company Limited

  36. What is a Crisis Management Team? • A Corporate Crisis Management Team (CCMT) is a designated group of senior individuals responsible for overall management of a potentially disastrous incident • Typical responsibilities include: • Activation of Business Continuity and support teams • Coordination of all communication between teams • High level decision making (including ‘incident declaration’) • Prioritization of activities • De-activation of Business Continuity and support teams

  37. What are Support Teams? • Support Teams are specialized groups that may be activated by the CCMT to help manage the incident • Typical support teams include: • Information Technology team - Systems and Application Support Members and Communications and Infrastructure Support Members • Support Team (including Facilities, Services, Finance, Functional representatives (SPOCs), Corporate Communications and so on)

  38. What is the role of Information Technology Teams? • Typically, Information Technology Support Teams would handle all of the ‘technology issues’ associated with a potentially disastrous incident • Responsibilities could include: • Recovering mainframe, mid-range, and server-based systems at the alternate location(s) • Restoring data from latest off-site backups • Re-establishing voice and data communications • Commissioning employees’ desktop systems • Restoring technology at the original location • Activating connections from Alternate Operations Center

  39. What is the role of the Support Team? • Typically, the support team provides the damage assessment following an event, and assists with the site restoration process. • Responsibilities would include: • Coordinating preparation of detailed damage assessments • Facility • Business Process and • Systems • Overseeing damage assessment and control activities • Coordinating site cleanup and salvage activities • The Support Team will provide the CCMT and the BCP Coordinator with a comprehensive assessment of damage after disaster has occurred, including: - Missing staff, injuries and loss of life; - Extent of facility damage; and - Damaged equipment (Computer Hardware, Network Components, UPS, etc.)

  40. What is the role of Support Team? • Handle all of the ‘public relations’ issues associated with a potentially disastrous incident • Responsibilities could include: • Preparing press releases and public announcements • Coordinating news conferences, interviews • Interfacing with media personnel • Issuing communiqués to employees and stakeholders • Managing the Company's image and reputation during the crisis

  41. What is the role of Administration Personnel in the Support Team? • Handle all of the ‘facility issues’ associated with a potentially disastrous incident • Responsibilities could include: • Liaison with civil authorities • Damage assessment, salvage, and restoration • Preparing the alternate location(s) for occupancy • Physical security • Transportation of equipment and materials • Redirecting of mail and courier service • Management of interim phone systems

  42. What is the role of Human Resources Department Personnel in the Support Team? • Handle all of the ‘people issues’ associated with a potentially disastrous incident • Responsibilities could include: • Ensuring all employees are accounted for • Contacting employees’ families • Coordinating temporary relocation of staff, including travel and accommodation arrangements • Hiring contract personnel • Providing assistance to individual employees • Ensuring continuance of salaries and benefits

  43. What is the role of Finance Department Members in the Support Team? • Handle all of the ‘accounting issues’ associated with a potentially disastrous incident • Responsibilities could include: • Authorizing and tracking expenditures • Ensuring appropriate accounting controls are maintained • Identifying losses • Processing insurance claims

  44. The Phases in a Business Continuity Plan To sum up

  45. The Five BCP Phases Return To Normal Business Resumption Resource Recovery & Commissioning Interim Contingencies Initial Response And Assessment

  46. Acknowledgement • ISACA

  47. Thank you November 29 2007

More Related