Risk Analysis and the Security Survey, 3rd edition. Chapter 15: Business Impact Analysis

Upload: desiree-bowers

Post on 03-Jan-2016


Page 1: Risk Analysis and the Security Survey, 3rd edition

Chapter 15: Business Impact Analysis

Page 2: Business Impact Analysis - Introduction

Business Impact Analysis (BIA):
- Establishes the value of each business unit
- Determines order of recovery
- Defines the impact of a disruption over time
- Identifies interdependencies

Page 3: Business Impact Analysis - Introduction

BIA examines impacts over time on:
- Service objectives
- Financial position/cash flow
- Regulatory issues/contractual issues
- Market share/competitive issues

Page 4: Business Impact Analysis - Introduction

BIA will also:
- Identify critical processes and applications
- Establish the value of each business unit
- Identify critical resources
- Gain support for the recovery process
- Increase management awareness
- Reveal inefficiencies in normal operations
- Justify recovery planning budgets

Page 5: Business Impact Analysis - Introduction

- Determines Recovery Time Objectives (RTO)
- Decides which functions are critical
- Establishes the financial basis for strategies
- Provides an understanding of the amount of risk to assume, transfer or mitigate

Page 6: Business Impact Analysis - Introduction

Establishes RTO and Recovery Point Objective (RPO):
- Outage tolerance vs. RTO
- A shorter objective equates to the most costly strategies
- Result of BIA and management agreement
- Can determine escalation point
- RPO is the amount of acceptable data loss
- Often used to determine backup strategies
- Timing considerations in RTO and RPO determination
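An added worked example (not from the book or these slides) that applies the RTO, RPO and outage-tolerance relationships above, together with the recovery-ordering and interdependency points from page 2, to constructed sample business units; the unit names, hour values and dependencies are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BusinessUnit:
    name: str
    outage_tolerance_h: float  # maximum tolerable outage agreed with management (hours)
    rto_h: float               # Recovery Time Objective (hours)
    rpo_h: float               # Recovery Point Objective: acceptable data loss (hours)
    backup_interval_h: float   # how often the unit's data is actually backed up (hours)
    depends_on: list = field(default_factory=list)  # units that must be recovered first

def check_objectives(units):
    """Return findings where RTO/RPO, outage tolerance, backups and dependencies disagree."""
    rto = {u.name: u.rto_h for u in units}
    findings = []
    for u in units:
        if u.rto_h > u.outage_tolerance_h:  # RTO must fit inside what the business can tolerate
            findings.append(f"{u.name}: RTO {u.rto_h}h exceeds outage tolerance {u.outage_tolerance_h}h")
        if u.backup_interval_h > u.rpo_h:  # backup strategy must deliver the agreed RPO
            findings.append(f"{u.name}: backup interval {u.backup_interval_h}h exceeds RPO {u.rpo_h}h")
        for d in u.depends_on:  # a unit cannot recover faster than what it depends on
            if rto[d] > u.rto_h:
                findings.append(f"{u.name}: RTO {u.rto_h}h is shorter than dependency {d} (RTO {rto[d]}h)")
    return findings

def recovery_order(units):
    """Shortest RTO first, except that a unit never precedes a unit it depends on."""
    order, done = [], set()
    pending = sorted(units, key=lambda u: u.rto_h)
    while pending:
        ready = [u for u in pending if all(d in done for d in u.depends_on)]
        if not ready:  # a dependency cycle means the collected BIA data itself needs fixing
            raise ValueError("circular dependency among: " + ", ".join(u.name for u in pending))
        nxt = ready[0]  # ready keeps the RTO ordering of pending
        order.append(nxt.name)
        done.add(nxt.name)
        pending.remove(nxt)
    return order

# Constructed sample data: hypothetical business units, not taken from the book
SAMPLE_UNITS = [
    BusinessUnit("IT Infrastructure", 8, 4, 1, 1),
    BusinessUnit("Customer Portal", 12, 2, 1, 1, ["IT Infrastructure"]),
    BusinessUnit("Order Entry", 24, 8, 2, 4, ["IT Infrastructure"]),
    BusinessUnit("Payroll", 72, 96, 24, 24),
]

if __name__ == "__main__":
    print(*check_objectives(SAMPLE_UNITS), sep="\n")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_UNITS)))
```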

Page 7: Business Impact Analysis - Introduction

- Illustrates business cycle criticality
- BIA is a separate planning element
- Management time is minimized
- Questions often included relate to:
  - Mitigation and preparedness
  - Hazard identification
  - Resource requirements
  - Single points of failure
  - Initial strategy development

Page 8: Business Impact Analysis - BIA vs. Risk Analysis

- BIA is a subset of Risk Analysis
- Places ‘asset value’ on business processes
- Focuses less on hazard identification
- Cause of disruption is not considered
- Goal is not to rank criticality of risks

Page 9: Business Impact Analysis - BIA vs. Risk Analysis

- BIA and RA projects are managed in similar ways
- BIA is a partnership with senior management
- Data is presented differently

Page 10: Business Impact Analysis - BIA Methodology

1. Project planning
2. Data collection
3. Data analysis
4. Presentation of data

Page 11: Business Impact Analysis - BIA Methodology: Project planning

- Management commitment: the biggest single predictor of success or failure
- Management sponsor: CFO
- Top-down approach
- Credible data
- Senior management influence
- Corporate-wide view

Page 12: Business Impact Analysis - BIA Methodology

- Agree on scope of analysis
- Determine who should participate
  - Highest level manager in each business unit
- Prepare list of financial impacts
- Decide on method to collect data
- Schedule interviews
- Include Risk Management and Information Technology

Page 13: Business Impact Analysis - Data Collection

- Examine all current business functions
- Data collected through interviews
- Interviews seek financial and subjective impact information
- Formation of questions is important
- Software programs and questionnaires
- Sample questions (Box 15.1)

Page 14: Business Impact Analysis - Data Collection: Resource Data Collection

- Short-term vs. long-term resources needed
- Include:
  - Employees and consultants
  - Internal and external contacts
  - Customers
  - Forms and supplies
  - Equipment
  - Software and applications
  - Vital records

Page 15: Business Impact Analysis - Data Analysis

- Review the goals of the analysis
- Criticality is not determined solely upon numerical data
- Avoid duplication
- Do not deduct insurance reimbursement from loss calculations
- Validate results
  - Verify results with the business unit manager and CFO
- Establish outage tolerance during normal and critical business cycles

Page 16: Business Impact Analysis - Data Presentation

- Results presented to senior management
- Data must be credible
- Presentation short and simple
- Financial data best presented graphically
- State data as fact where possible
- Outline expectations of management: what management must do with the results of the analysis

Page 17: Business Impact Analysis - Updates

- Reanalyze annually
- Reanalyze when the strategic direction of the company changes