Business Continuity Management and Business Impact Analysis (BIA)

Scope, Comprehension, and Expectations

Absolute Continuity Solutions Consultants, LLC
“Absolute solutions for all your enterprise’s consulting needs”

Presented by Richard A. Harris, CBCP, MPMP

Upload: vubao

Post on 23-Mar-2018



Overview: Scope, Comprehension, Expectations

• Many enterprises continue to view BCM as a “Business Recovery Genie” that cures all ills when there is a fault in the business, while at the same time condemning BCM as a concept that doesn’t work.

• In very many cases, BCM is used synonymously with Continuity of Operations (COOP). This is apples and oranges! (See NIST SP 800-34.)

Business Impact Analysis (BIA): COMPREHENSION

• The BIA is the foundation of an enterprise’s business continuity plan.

• It includes an exploratory component to uncover risks and vulnerabilities, and a planning component to develop strategies for minimizing risk.

• It identifies the possibilities of failure, usually assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.

Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence.

What is a Business Impact Analysis

The BIA will:

• help identify which major business functions, operations, and processes are essential to the survival of the business.

• facilitate the identification of how soon essential business functions and/or processes have to return to full operation following a disaster, incident, or situation that causes interruptions for a significant time.

• help your enterprise determine what would be classified as a “significant time” of interruption and assign a monetary value to the effects of interruptions on the enterprise’s bottom line.

• allow you to place a cost on the interruption on an hourly, daily, weekly, and/or monthly basis (if that interruption were to last that long), and cost its impact on the organization’s ability to deliver products and/or support mission-critical services.

• facilitate the identification of the resources required to resume operations at a “survival” level.

• identify impacts based on a worst-case scenario, assuming that the physical infrastructure supporting each respective business function has been severely interrupted and is not accessible within 30 days.

What is a Business Impact Analysis (continued)

• identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, etc.

• quantify the importance of business components and suggest appropriate fund allocation for measures to protect them.

• identify and prioritize the business’ Mission Essential Functions (MEF), to act as a triage method in an event or interruption.

• identify all the dependencies, controls, inputs, resources, and outputs associated with each business function.

Why Do Business Impact Analysis: SCOPE

A thorough BIA will enable the enterprise to:

Business Impact Analysis: SCOPE

(Diagram) A Mission Essential Business Function at the center, linked to:

• Controls/Mandates: Legal Requirements, Customer/Stakeholder Requirements, Federal/State/Local Mandates, Ethical Issues, Policies/Statutes

• Vital Resources: Communications, Utilities, Support Services, Supplies/Equipment, Vital Records, Information, Human Capital, Contract/Vendor Support, Software/Hardware/Telecommunications

• Dependencies: Stakeholders, Venue/Location

• Outputs: Products, Services

The main objectives of the BIA are to:

• Estimate the financial and operational impacts for each major business function, assuming a worst-case scenario.

• Define the estimated number of personnel and other resources required for recovery operations.

• Identify the organization’s business functions and processes and the estimated Recovery Time* and Recovery Point* for each major business function.

*NOTE:

• Recovery Time Objectives (RTO) – the predetermined timeframes within which the enterprise believes it can regain functionality, measured from the time the incident or event occurred.

• Recovery Point Objectives (RPO) – the points in time, prior to the incident or event, to which the enterprise must be able to restore its data and transactions when business resumes; in effect, the maximum amount of work the enterprise is prepared to lose, expressed in time.
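A worked example of the costing, MEF triage, and RTO/RPO goals described in the BIA bullets and objectives above. This is added illustration, not material from the presentation: the business functions, hourly loss figures, backup intervals and dependency links are constructed sample data, and the 1 hour/1 day/1 week/30 day horizons follow the presentation’s own intervals and worst-case assumption. It also applies a check the slides only imply when they warn against goals that are not data-driven: a function’s RTO is unrealistic if something it depends on has a longer RTO, and its RPO is unrealistic if its data is captured less often than the RPO allows.

```python
"""Worked BIA example on constructed data (not from the original presentation).

Each business function carries an hourly loss estimate, its stated RTO and
RPO, how often its data is actually captured, and the functions it depends
on.  From that we cost an interruption at the hourly/daily/weekly/30-day
marks, rank Mission Essential Functions (MEF) for triage, and flag recovery
goals that the dependencies or the backup schedule make unrealistic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Horizons from the presentation; 30 days is its worst-case assumption.
HORIZONS = {"1 hour": 1, "1 day": 24, "1 week": 24 * 7, "30 days": 24 * 30}


@dataclass
class BusinessFunction:
    name: str
    hourly_loss: float               # estimated loss per hour of interruption
    rto_hours: float                 # stated Recovery Time Objective
    rpo_hours: float                 # stated Recovery Point Objective
    backup_interval_hours: float     # how often this function's data is captured
    depends_on: List[str] = field(default_factory=list)  # internal/external dependencies


def interruption_costs(fn: BusinessFunction) -> Dict[str, float]:
    """Cost of an interruption of this function at each horizon."""
    return {label: fn.hourly_loss * hours for label, hours in HORIZONS.items()}


def effective_rto(name: str, functions: Dict[str, BusinessFunction],
                  _path: Tuple[str, ...] = ()) -> float:
    """Earliest time the function can really be back: its own RTO or, if that
    is later, the effective RTO of whatever it depends on.  A dependency
    cycle means the BIA is inconsistent, so it is reported, not looped over."""
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    fn = functions[name]
    deps = [effective_rto(d, functions, _path + (name,)) for d in fn.depends_on]
    return max([fn.rto_hours] + deps)


def unrealistic_goals(functions: Dict[str, BusinessFunction]) -> List[str]:
    """Stated RTO/RPO numbers that cannot be met with the dependencies and
    backup schedule as recorded, i.e. goals that are not data-driven."""
    findings = []
    for fn in functions.values():
        eff = effective_rto(fn.name, functions)
        if eff > fn.rto_hours:
            findings.append(f"{fn.name}: RTO {fn.rto_hours}h cannot be met, "
                            f"dependencies push recovery out to {eff}h")
        if fn.backup_interval_hours > fn.rpo_hours:
            findings.append(f"{fn.name}: RPO {fn.rpo_hours}h but data is only "
                            f"captured every {fn.backup_interval_hours}h")
    return findings


def triage_order(functions: Dict[str, BusinessFunction]) -> List[str]:
    """MEF triage: highest worst-case (30-day) impact first, ties broken by
    the tighter RTO."""
    ranked = sorted(functions.values(),
                    key=lambda f: (-interruption_costs(f)["30 days"], f.rto_hours))
    return [f.name for f in ranked]


# Constructed sample data: four functions of a fictional retailer.
SAMPLE = {f.name: f for f in [
    BusinessFunction("Order processing", 5000.0, 4, 1, 24,
                     ["Customer database", "Payment gateway"]),
    BusinessFunction("Customer database", 2000.0, 8, 1, 1),
    BusinessFunction("Payment gateway", 3000.0, 2, 0.5, 0.25),   # external vendor
    BusinessFunction("Payroll", 800.0, 72, 24, 24),
]}

if __name__ == "__main__":
    for name in triage_order(SAMPLE):
        print(name, interruption_costs(SAMPLE[name]))
    for finding in unrealistic_goals(SAMPLE):
        print("CHECK:", finding)
```

On the sample data the two findings are the ones a BIA review should surface: “Order processing” states a 4-hour RTO but depends on a customer database with an 8-hour RTO, so the real recovery time is 8 hours, and it states a 1-hour RPO while its data is only captured daily. Dependencies that sit outside the enterprise (the payment vendor here) are carried in the same graph, which is how the external dependencies and single points of failure discussed later on this page become visible in the numbers.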

Why Do Business Impact Analysis: EXPECTATIONS

Signs of not fully understanding Business Continuity Management (BCM) are:

• Designing BCM around “what-if incidents” rather than interruptions of business functions.

• Designing BCM recovery activities around “people” or “positions of affluence” in the enterprise.

  - Single Points of Failure (SPOF)

• Failure to integrate BCM into Strategic and Operational Planning, as well as other business/organizational development initiatives.

Business Continuity Management: COMPREHENSION

• Lack of processes for incident probability (before an incident) and early detection (after an incident), event severity determination procedures for when the event occurs, and plan escalation procedures.

• Lack of enterprise-wide notification procedures and testing of those procedures.

• Inefficient and inadequate succession planning, and inadequate dissemination of succession plans throughout the enterprise.

• Inadequate or nonexistent coordination with internal and external dependencies.

Business Continuity Management: COMPREHENSION (continued)

• Ambiguous recovery goals and objectives (see Recovery Time/Point Objectives above) that are not data-driven and do not support the mission or the enterprise’s customers.

• Inadequate, outdated, or nonexistent policies, standards, and governance that the enterprise can follow for direction and clarity.

• Inadequate documentation, dissemination, and articulation of policies, standards, and governance throughout the enterprise, so that not all employees comprehend them.

• Inadequate, outdated, or nonexistent procedures that the enterprise can follow for direction and to take appropriate actions (at all levels of the enterprise).

Business Continuity Management: COMPREHENSION (continued)

• Failure to adequately test existing plans, compounded by having outdated plans, procedures, and policies in place when testing is done.

• Inappropriate combination of testing approaches. Meaning, testing is quite often done using “live exercises” and “drills”. These testing processes are effective; however, they should only be done after there has been a series of “tabletop” exercises first, to identify major gaps in the plan before committing resources to a live exercise.

• Infrequent, inappropriate*, and/or nonexistent testing procedures for recovery goals and objectives.

Business Continuity Management: COMPREHENSION (continued)

• Live exercises are necessary but are very taxing on financial resources due to downtime and the commitment of Human Capital.

• Quite often, only the upper echelons of the organization have any knowledge of the enterprise’s business continuity plans and their contents. In most instances, the operations level of the business doesn’t even understand what Business Continuity Management really is!

Business Continuity Management: COMPREHENSION (continued)

Thoroughly assessing, documenting, and testing your enterprise’s:

• Business Impact Analysis, before starting the planning process.

• Policies, Standards, and Governance

• Incident Probability and Early Detection Assessment, Event Impact Severity Determination, and Plan Activation and Escalation Activities

• Incident Assessment, Event Severity Determination, and Plan Escalation

• Enterprise Notification Procedures

• Succession Planning

• Alternate Location Readiness (cold, warm, hot site preparedness)

• Command Center/Emergency Operations Management

• Coordination with Internal and External Dependencies and Stakeholders

• Recovery Time and Point Objectives – Set Realistic Goals

Business Continuity Management: SOLUTIONS