This document provides guidance on conducting a business impact analysis (BIA). It discusses key BIA concepts and outlines the BIA process, including determining critical business functions, quantifying impacts and tolerable downtimes, identifying interdependencies, and seeking management approval of findings. The document also walks through a BIA questionnaire template and discusses minimum business continuity objectives, recovery time objectives, and recovery point objectives.

1. Practical Strategies of Conducting a Business Impact Analysis

2. Practical Strategies of Conducting a Business Impact Analysis Dr Goh Moh Heng PhD BCCE DRCE BCCLA President 2

3. Dr Goh Moh Heng President Business Continuity Management (BCM) Institute www.bcm-institute.org Managing Director GMH Continuity Architects Asia Pacific BCM Consulting Firm www.GMHasia.com Professional BCM Appointments Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee) www.ss540.org Project Director, Technical Working Group for SS507:2004 ISO/IEC 24762 Guidelines for BC-DR Services SS507 SS540 http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

4. Dr Goh Moh Heng Prior Appointments Government of Singapore Investment Corporation (GIC) Standard Chartered Bank Global Head for BCM PriceWaterhouse (Coopers) Past Certification Broad Member for DRI International’s Certification Board Past Executive Director for DRI Asia Senior Technical Advisor, China Business Continuity Management Forum http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng

5. BCM Institute Started in January 2005. Provide competency based BC-DR training to all levels. Certify BC-DR professionals globally. Started Certification programme in April 2007. More than 1500 professionals from 850 organizations and 40 countries.

6. Professional Certification Business Continuity IT Disaster Recovery BCM Audit Membership

7. Agenda What Exactly is BIA? Key concepts Strategic, tactical and operational BIA Walkthrough of BIA Template

8. Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project 2nd Edition ISBN: 978-981-05-9767-2 Business Impact Analysis How-to Do It?

9. Business Continuity Management Body of Knowledge 3 Implement business impact analysis (BIA) process. Understand the principles and scope of the BIA process. Apply the BIA implementation process. Understand the available BIA data collection mechanisms. Determine and apply the appropriate BIA data collection mechanism. Design a custom tailored BIA questionnaire. Gather BIA Information. Identify activities that support Critical Business Functions (CBF) and identify owners. Determine impacts of a disruption to each activity/process across the organization that may damage organization's reputation, assets or financial position. Quantify timescales where interruption becomes unacceptable to organization. Determine key requirement for organization-wide tolerable downtime. Determine Inter-dependencies and intra-dependencies. Identify vital records needed for recovery. Identify and document CBFs, critical processes and critical application. Determine continuity resources. Provide the resource information to determine or recommend recovery strategies. Identify internal and external resource requirements to support activities. Quantify the people, technology and telephony resources required over time to maintain business activities at an acceptable level and within the maximum tolerable period of disruption. Seek Executive Management Approval. Seek sign off of requirements by process owners. Present requirements to executive management and seek approval to adopt the findings as the basis for determining a BC strategy. 9 http://www.bcmpedia.org/wiki/BCMBoK_3:_Business_Impact_Analysis

10. Mandatory Understanding of BIA Terminology Minimum Business Continuity Objective (MBCO) Business Impact Analysis (BIA) Critical Business Function (CBF) Recovery Time Objective (RTO) Recovery Point Objective (RPO) Impact Quantitative Qualitative

11. Business Impact Analysis Steps Determine information to gather Tailor questionnaires to internal requirements Conduct training on completion of questionnaire Collate and review questionnaires Conduct selective interviews Consolidate and analyze data Summarize and present findings

12. Recovery Time Objective Time-Sensitive Systems are Operational with Current & Accurate Data Time-Sensitive Systems are Operational Resumption of Critical Functions Point of Disruption Recovery Time Objective Time The maximum tolerable time within which Critical Business Functions must be restored to its MBCO

13. Wks RTO versus RPO Secs Mins Hrs Days Wks Secs Mins Hrs Days Recovery Point Recovery Time

14. BCMpedia www.bcmpedia.org

15. Minimum Business Continuity Objective (MBCO) is the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during an incident, emergency or disaster. is set by the Executive Management of the organization and can be influenced, dictated and/or changed by current regulatory requirements or industry practices. The definition provided here rephrases the operational perspective into an objective - the mission objective for BCM

16. MBCO 16

17. Walkthrough of a BIA Questionnaires Workbook

18. Minimum Business Continuity Objective

19. P1: Identify BU and Business Functions Workbook

20. P2: Identification of Impact Workbook

21. P3: Impact Over Time Workbook

22. P4: Vulnerable Periods of Critical Business Functions Workbook

23. P5: Resources Required for Critical Business Functions during a Crisis Workbook

24. P6: Inter-dependencies Workbook

25. P7: Vital Records Workbook

26. BCM Institute Forum Building a Community 80% Asian and Middle Eastern BCM and DR Professionals bcmi.groupsite.com

27. Summary Provide a key understanding on the fundamentals of BIA Understand the strategic, tactical and operational aspects of BIA Experienced a walkthrough of BIA process using template Be aware of tools and guides

28. THANK YOU Dr Goh Moh Heng President Mobile: +65 96711022 Tel: +65 63231500 Fax: +65 63230933 Email: moh_heng@bcm-institute.org