This document provides guidance on conducting a business impact analysis (BIA). It discusses key BIA concepts and outlines the BIA process, including determining critical business functions, quantifying impacts and tolerable downtimes, identifying interdependencies, and seeking management approval of findings. The document also walks through a BIA questionnaire template and discusses minimum business continuity objectives, recovery time objectives, and recovery point objectives.
2. Practical Strategies of Conducting a Business Impact Analysis. Dr Goh Moh Heng, PhD, BCCE, DRCE, BCCLA, President
3. Dr Goh Moh Heng
President, Business Continuity Management (BCM) Institute, www.bcm-institute.org
Managing Director, GMH Continuity Architects, Asia Pacific BCM Consulting Firm, www.GMHasia.com
Professional BCM Appointments:
- Technical Advisor for TR19:2005 & SS540:2008 BCM Standard (Management Council and Technical Committee), www.ss540.org
- Project Director, Technical Working Group for SS507:2004 ISO/IEC 24762 Guidelines for BC-DR Services
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
4. Dr Goh Moh Heng: Prior Appointments
- Government of Singapore Investment Corporation (GIC)
- Standard Chartered Bank Global Head for BCM
- PriceWaterhouse (Coopers)
- Past Certification Board Member for DRI International's Certification Board
- Past Executive Director for DRI Asia
- Senior Technical Advisor, China Business Continuity Management Forum
http://www.bcmpedia.org/wiki/Dr_Goh_Moh_Heng
5. BCM Institute Started in January 2005. Provide competency based BC-DR training to all levels. Certify BC-DR professionals globally. Started Certification programme in April 2007. More than 1500 professionals from 850 organizations and 40 countries.
7. Agenda
- What Exactly is BIA?
- Key concepts
- Strategic, tactical and operational BIA
- Walkthrough of BIA Template
8. Business Impact Analysis: How to Do It?
Source: Goh, Moh Heng (2008): Managing Your Business Continuity Planning Project, 2nd Edition. ISBN: 978-981-05-9767-2
9. Business Continuity Management Body of Knowledge 3
- Implement business impact analysis (BIA) process.
  - Understand the principles and scope of the BIA process.
  - Apply the BIA implementation process.
  - Understand the available BIA data collection mechanisms.
  - Determine and apply the appropriate BIA data collection mechanism.
  - Design a custom tailored BIA questionnaire.
- Gather BIA Information.
  - Identify activities that support Critical Business Functions (CBF) and identify owners.
  - Determine impacts of a disruption to each activity/process across the organization that may damage organization's reputation, assets or financial position.
  - Quantify timescales where interruption becomes unacceptable to organization.
  - Determine key requirement for organization-wide tolerable downtime.
  - Determine Inter-dependencies and intra-dependencies.
  - Identify vital records needed for recovery.
  - Identify and document CBFs, critical processes and critical application.
- Determine continuity resources.
  - Provide the resource information to determine or recommend recovery strategies.
  - Identify internal and external resource requirements to support activities.
  - Quantify the people, technology and telephony resources required over time to maintain business activities at an acceptable level and within the maximum tolerable period of disruption.
- Seek Executive Management Approval.
  - Seek sign off of requirements by process owners.
  - Present requirements to executive management and seek approval to adopt the findings as the basis for determining a BC strategy.
http://www.bcmpedia.org/wiki/BCMBoK_3:_Business_Impact_Analysis
10. Mandatory Understanding of BIA Terminology
- Minimum Business Continuity Objective (MBCO)
- Business Impact Analysis (BIA)
- Critical Business Function (CBF)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Impact: Quantitative, Qualitative
11. Business Impact Analysis Steps
- Determine information to gather
- Tailor questionnaires to internal requirements
- Conduct training on completion of questionnaire
- Collate and review questionnaires
- Conduct selective interviews
- Consolidate and analyze data
- Summarize and present findings
12. Recovery Time Objective: the maximum tolerable time within which Critical Business Functions must be restored to their MBCO.
[Figure: timeline along a Time axis with the Recovery Time Objective marked. Labels: Point of Disruption; Resumption of Critical Functions; Time-Sensitive Systems are Operational; Time-Sensitive Systems are Operational with Current & Accurate Data.]
13. RTO versus RPO
[Figure: Recovery Point and Recovery Time on a shared timeline, each scaled in Secs, Mins, Hrs, Days, Wks.]
15. Minimum Business Continuity Objective (MBCO): the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during an incident, emergency or disaster. It is set by the Executive Management of the organization and can be influenced, dictated and/or changed by current regulatory requirements or industry practices. The definition provided here rephrases the operational perspective into an objective: the mission objective for BCM.
26. BCM Institute Forum Building a Community 80% Asian and Middle Eastern BCM and DR Professionals bcmi.groupsite.com
27. Summary Provide a key understanding on the fundamentals of BIA Understand the strategic, tactical and operational aspects of BIA Experienced a walkthrough of BIA process using template Be aware of tools and guides
28. THANK YOU Dr Goh Moh Heng President Mobile: +65 96711022 Tel: +65 63231500 Fax: +65 63230933 Email: moh_heng@bcm-institute.org
Editor's notes
BCM Institute: Leading global Business Continuity (BC) & Disaster Recovery (DR) Institute. Established in 2005. Offers a wide range of quality BC and DR courses. Certified over 1,250 professionals from 36 countries.
Key Concepts and Definitions from BCMpedia.org
- Minimum Business Continuity Objective, MBCO.
- Business Impact Analysis, BIA.
- Critical Business Function, CBF.
- Recovery Time Objective, RTO.
- Recovery Point Objective, RPO.
- Quantitative and Qualitative Impact.
Activity: Develop the MBCO for two of the business units found in the case study.
Time Allocated: 15 minutes individual activity, 15 minutes of class activities.
Maximum Tolerable Period of Disruption and Recovery Time Objectives
Business Function code: The code that will be allocated to the business function. E.g. Finance – Accounts Payable will be FIN-01, Human Resources – Welfare and Benefits will be HR-02.
Impact Area: This is the impact to the organization due to the unavailability of the function. This will have been derived in the previous section.
Impact over time: Based on the Risk Descriptor attached, indicate the impact to the organisation that will be caused by the unavailability of this business function at the respective time frames. This will be based on a scale of 1 to 5, and the impact descriptor illustrating this is attached in table 1-1.
Recovery Time Objective (RTO): The RTO is the maximum acceptable length of time that can elapse before the unavailability of a business function severely impacts the organisation. For the conduct of this Business Impact Analysis, the RTO is the point of time where the impact reaches a 3.
Maximum Tolerable Period of Disruption (MTPD): MTPD is the duration after which an organization's viability will be irrevocably threatened due to the adverse impacts that would arise as a result of not performing the business function. For the conduct of this Business Impact Analysis, the MTPD is the point of time where the impact reaches a 5.
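The RTO and MTPD rules above, applied to impact-over-time ratings, as an added example that is not part of the original slides. The time frames, the sample ratings, the code OPS-03 and the consistency check are assumptions made for illustration; a rating that jumps past a threshold is counted as reaching it.

```python
from typing import Optional

# Constructed time frames (hours after the disruption); the page does not
# list the questionnaire's actual columns.
TIME_FRAMES_H = (4, 24, 72, 168, 720)
RTO_LEVEL, MTPD_LEVEL = 3, 5  # thresholds stated on the page (scale 1 to 5)

def first_reaching(ratings, level) -> Optional[int]:
    """Earliest time frame at which the impact rating reaches `level`."""
    for hours, rating in zip(TIME_FRAMES_H, ratings):
        if rating >= level:
            return hours
    return None  # not reached within the surveyed horizon

def check_row(ratings):
    """Data-quality findings for one questionnaire row."""
    issues = []
    if len(ratings) != len(TIME_FRAMES_H):
        issues.append("wrong number of ratings")
    if any(not 1 <= r <= 5 for r in ratings):
        issues.append("rating outside 1-5")
    # Assumption: impact does not ease while the function stays unavailable.
    if any(b < a for a, b in zip(ratings, ratings[1:])):
        issues.append("impact decreases over time")
    return issues

def analyse(rows):
    """Map each business function code to its RTO, MTPD and findings."""
    result = {}
    for code, ratings in rows.items():
        issues = check_row(ratings)
        rto = mtpd = None  # left undetermined when the row needs review
        if not issues:
            rto = first_reaching(ratings, RTO_LEVEL)
            mtpd = first_reaching(ratings, MTPD_LEVEL)
        result[code] = {"rto_h": rto, "mtpd_h": mtpd, "issues": issues}
    return result

def recovery_order(result):
    """Function codes by RTO, shortest first; undetermined ones last."""
    return sorted(result, key=lambda c: (result[c]["rto_h"] is None,
                                         result[c]["rto_h"] or 0, c))

# Constructed responses; FIN-01 and HR-02 are the page's codes, OPS-03 is not.
SAMPLE = {
    "FIN-01": [1, 3, 4, 5, 5],
    "HR-02": [1, 1, 2, 3, 4],   # never reaches 5 within the horizon
    "OPS-03": [2, 4, 3, 5, 5],  # rating drops from 4 to 3
}
```

Calling `analyse(SAMPLE)` and passing the result to `recovery_order` gives the order in which the functions would need to be restored. A row with findings gets no RTO or MTPD until the response is corrected.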