Business Continuity Management
and
Business Impact Analysis (BIA)
Scope, Comprehension, and
Expectations
Absolute Continuity Solutions
Consultants, LLC – “Absolute solutions for all your enterprise’s consulting needs”
Presented by Richard A. Harris, CBCP, MPMP
Overview
Scope, Comprehension, Expectations
• Often, senior leaders in the enterprise are reluctant to
engage in the BIA, the most critical portion of BCM.
• An epidemic of “geocentric thinking” can be the downfall of
numerous BCM planning efforts.
SCOPE
• Many enterprises continue to view BCM as a “Business Recovery
Genie” that cures all ills whenever something in the business fails,
and then condemn BCM as a concept that does not work when it cannot.
• In very many cases, BCM is used synonymously with Continuity
of Operations (COOP). This is apples and oranges! (See NIST
SP 800-34.)
Overview Scope, Comprehension, Expectations
COMPREHENSION
• Expectations can obscure what BCM is designed to
do, leading to a lack of confidence.
• This session will discuss what BCM really is and
how these efforts are most effective when initiated
with clear scope, comprehension and expectations.
Overview Scope, Comprehension, Expectations
EXPECTATIONS
The BIA:
• is the foundation of an enterprise's business continuity plan.
• includes an exploratory component, to uncover risks and vulnerabilities,
and a planning component, to develop strategies for minimizing risk.
• identifies the possibilities of failure, usually assessed in terms of their
impact on safety, finances, marketing, legal compliance, and quality
assurance.
Where possible, impact is expressed in monetary terms so that functions can be compared.
For example, a business may have to spend three times as much on marketing in the
wake of a disaster to rebuild customer confidence.
Business Impact Analysis (BIA)
What is a Business Impact Analysis?
A BIA will:
• help identify which major business functions, operations, and processes
are essential to the survival of the business.
• facilitate identifying how soon essential business functions
and/or processes must return to full operation following a disaster,
incident, or situation that causes an interruption for a significant time.
• help your enterprise determine what counts as a
“significant time” of interruption and assign a monetary value to the
effect of interruptions on the enterprise's bottom line.
The BIA will also:
• put a cost on the interruption on an hourly, daily, weekly, and/or
monthly basis (if the interruption were to last that long), and cost its impact on
the organization’s ability to deliver products and/or support mission-critical
services.
• facilitate identification of the resources required to resume operations at a
“survival” level.
• identify impacts based on a worst-case scenario, assuming that the physical
infrastructure supporting each business function has been severely
interrupted and will not be accessible within 30 days.
What is a Business Impact Analysis? (continued)
• identify costs linked to failures, such as loss of cash flow, replacement
of equipment, salaries paid to catch up with a backlog of work, loss of
profits, etc.
• quantify the importance of business components and suggest
appropriate allocation of funds for measures to protect them.
• identify and prioritize the business’s Mission Essential Functions
(MEF), which then serve as the triage order during an event or interruption.
• identify all the dependencies, controls, inputs, resources, and outputs
associated with each business function.
Why Do a Business Impact Analysis
SCOPE
A thorough BIA will enable the enterprise to map each Mission Essential
Business Function together with everything that surrounds it:
[Diagram: Mission Essential Business Function at the centre, surrounded by
Controls/Mandates (Legal Requirements, Customer/Stakeholder Requirements,
Federal/State/Local Mandates, Ethical Issues, Policies/Statutes);
Vital Resources (Communications, Utilities, Support Services, Supplies/Equipment,
Vital Records, Information, Human Capital, Contract/Vendor Support,
Software/Hardware/Telecommunications); Dependencies (Stakeholders, Venue/Location);
and Outputs (Products, Services).]
The main objectives of the BIA are to:
• Estimate the financial and operational impacts for each major business function,
assuming a worst-case scenario.
• Define the estimated number of personnel and other resources required for recovery
operations.
• Identify the organization’s business functions and processes and the estimated
Recovery Time* and Recovery Point* for each major business function.
*NOTE:
• Recovery Time Objective (RTO) – the predetermined time, measured from the moment the
incident or event occurs, within which the enterprise believes it can regain functionality.
• Recovery Point Objective (RPO) – the point in time, measured back from the moment the
incident or event occurs, to which the enterprise must be able to restore its data and resume
business; it bounds how much work and data may be lost.
A function cannot recover faster, or to a more recent point, than the functions and resources
it depends on, so each stated RTO and RPO should be checked against the dependencies the BIA
identified.
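The following is an added worked example, not part of the original presentation, that ties the dependency mapping above to the RTO/RPO objectives. It models a small, constructed register of business functions (all names and figures are hypothetical), costs an interruption at the hourly/daily/weekly/30-day horizons the slides describe, derives the achievable RTO and RPO of each function from its dependency chain, and flags stated objectives that the dependencies make impossible to meet:

```python
"""Worked BIA register check (added example; not from the original presentation).

Constructed business functions carry an hourly loss figure, a stated RTO/RPO and
the functions they depend on.  The script then:
  * costs an interruption at hourly / daily / weekly / 30-day horizons
    (the slides' worst case is infrastructure unavailable for 30 days),
  * derives the *achievable* RTO and RPO of each function from its dependency
    chain (nothing recovers before what it depends on), and
  * flags stated objectives that the dependencies make impossible to meet, so
    that recovery goals are data-driven rather than ambiguous.
All names and figures are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

WORST_CASE_HOURS = 30 * 24
HORIZONS = {"hourly": 1, "daily": 24, "weekly": 24 * 7, "monthly": WORST_CASE_HOURS}


@dataclass
class BusinessFunction:
    name: str
    hourly_loss: float              # cash flow, backlog salaries, lost profit per hour down
    rto_hours: float                # stated Recovery Time Objective
    rpo_hours: float                # stated Recovery Point Objective (tolerable data loss)
    depends_on: list[str] = field(default_factory=list)
    mission_essential: bool = False


# Constructed sample register (hypothetical).
REGISTER = {
    "order-intake": BusinessFunction("order-intake", 5_000, rto_hours=4, rpo_hours=0.25,
                                     depends_on=["erp-database", "telecoms"],
                                     mission_essential=True),
    "payroll": BusinessFunction("payroll", 800, rto_hours=72, rpo_hours=24,
                                depends_on=["erp-database"], mission_essential=True),
    "erp-database": BusinessFunction("erp-database", 0, rto_hours=8, rpo_hours=1,
                                     depends_on=["datacentre-power"]),
    "telecoms": BusinessFunction("telecoms", 0, rto_hours=2, rpo_hours=0),
    "datacentre-power": BusinessFunction("datacentre-power", 0, rto_hours=24, rpo_hours=0),
}


def interruption_cost(fn: BusinessFunction) -> dict[str, float]:
    """Direct cost of an outage of `fn` at each horizon, capped at the 30-day worst case."""
    return {label: fn.hourly_loss * min(hours, WORST_CASE_HOURS)
            for label, hours in HORIZONS.items()}


def effective_objective(name: str, register: dict, attr: str, _stack: tuple = ()) -> float:
    """Achievable RTO/RPO: the stated value or the worst value anywhere in the
    dependency chain, whichever is larger.  A dependency cycle is itself a BIA
    defect, so it raises instead of being silently absorbed."""
    if name in _stack:
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    fn = register[name]
    chain = [effective_objective(d, register, attr, _stack + (name,)) for d in fn.depends_on]
    return max([getattr(fn, attr)] + chain)


def objective_gaps(register: dict, attr: str = "rto_hours") -> dict[str, dict]:
    """Functions whose stated objective is tighter than their dependencies allow."""
    gaps = {}
    for name, fn in register.items():
        achievable = effective_objective(name, register, attr)
        stated = getattr(fn, attr)
        if achievable > stated:
            # Extra loss is only meaningful for time objectives, not for data-loss points.
            extra = fn.hourly_loss * (achievable - stated) if attr == "rto_hours" else None
            gaps[name] = {"stated": stated, "achievable": achievable, "extra_cost": extra}
    return gaps


def triage_order(register: dict) -> list[str]:
    """Mission Essential Functions first, then descending worst-case (30-day) impact."""
    ranked = sorted(register.values(),
                    key=lambda f: (not f.mission_essential, -interruption_cost(f)["monthly"]))
    return [f.name for f in ranked]


if __name__ == "__main__":
    for name in triage_order(REGISTER):
        print(f"{name:18} {interruption_cost(REGISTER[name])}")
    for attr in ("rto_hours", "rpo_hours"):
        for name, gap in objective_gaps(REGISTER, attr).items():
            print(f"{attr[:3].upper()} gap in {name}: stated {gap['stated']}h, "
                  f"dependencies allow {gap['achievable']}h")
```

On this register the script reports that order-intake's 4-hour RTO cannot be met because its ERP database sits behind datacentre power with a 24-hour RTO, and that its 15-minute RPO is bounded by the database's 1-hour RPO; either the dependency's objective is tightened (and funded) or the stated goal is revised, which is exactly the data-driven negotiation the BIA is meant to force.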
Why Do a Business Impact Analysis
EXPECTATIONS
Signs of not fully understanding Business Continuity Management (BCM) are:
• Designing BCM around “what-if incidents” rather than around interruptions of
business functions.
• Designing BCM recovery activities around specific “people” or “positions of influence”
in the enterprise, which turns those people into Single Points of Failure (SPOF).
• Failure to integrate BCM into Strategic and Operational Planning, as well as
other business/organizational development initiatives.
Business Continuity Management
COMPREHENSION
• Lack of processes for assessing incident probability (before an incident) and for
early detection (once an incident begins), of procedures for determining event severity
when the event occurs, and of plan escalation procedures.
• Lack of enterprise-wide notification procedures, and of testing of those
procedures.
• Inefficient and inadequate succession planning, and poor dissemination of succession
plans throughout the enterprise.
• Inadequate or nonexistent coordination with internal and external
dependencies.
Business Continuity Management
COMPREHENSION (continued)
• Ambiguous recovery goals and objectives (see the Recovery Time/Point Objectives
above) that are neither data-driven nor supportive of the mission and the enterprise’s
customers.
• Inadequate, outdated, or nonexistent policies, standards, and governance that
the enterprise can follow for direction and clarity.
• Inadequate documentation, dissemination, and articulation of policies, standards,
and governance throughout the enterprise, so that all employees can comprehend them.
• Inadequate, outdated, or nonexistent procedures that the enterprise can
follow for direction and for taking appropriate actions (at all levels of the
enterprise).
Business Continuity Management
COMPREHENSION (continued)
• Failure to adequately test existing plans, compounded by having outdated
plans, procedures, and policies in place when testing is done.
• Inappropriate combination of testing approaches: testing is quite
often done straight away using “live exercises” and “drills”.
These are effective, but they should only be run after a series of
“tabletop” exercises has identified the major gaps in the plan, before
resources are committed to a live exercise.
• Infrequent, inappropriate*, and/or nonexistent testing procedures for
recovery goals and objectives.
Business Continuity Management
COMPREHENSION (continued)
* Live exercises are necessary, but they are very taxing on financial resources because
of the downtime and the commitment of Human Capital they require.
• Quite often, only the upper echelons of the organization have any knowledge of
the enterprise’s business continuity plans and their contents.
In most instances, the operations level of the business does not even understand
what Business Continuity Management really is!
Business Continuity Management
COMPREHENSION (continued)
Thoroughly assess, document, and test your enterprise’s:
• Business Impact Analysis, before starting the planning process
• Policies, Standards, and Governance
• Incident Probability and Early Detection Assessment, Event Impact
Severity Determination, and Plan Activation and Escalation Activities
• Enterprise Notification Procedures
• Succession Planning
• Alternate Location Readiness (cold, warm, and hot site preparedness)
• Command Center/Emergency Operations Management
• Coordination with Internal and External Dependencies and
Stakeholders
• Recovery Time and Point Objectives, with realistic goals
Business Continuity Management
SOLUTIONS
Business Continuity Management
QUESTIONS and ANSWERS