Business Continuity

profilebwilson
PROJECT3Step3QUESTION..docx

Step 3: Conduct a Business Impact Analysis

You've defined the scope for the BCP. Next, use an established risk management framework to conduct a business impact analysis (BIA).

The BIA provides written documentation to assist Maria and the other executives in understanding the business impact should an outage occur. Such impacts may be financial, in terms of lost revenues and additional expenses; operational, in terms of inability to deliver products and services; or even intangible, in terms of damage to the organization's reputation and loss of public confidence.

This analysis should include all departments and facilities of the enterprise, list what it would take for each to resume adequate operations to meet the needs of the enterprise, and must include each phase of the recovery activities.

Remember, a key element to "business impact" is the financial aspect. What will it "cost" to take a particular action and, equally important, what could be the "cost" of inaction?

Prioritization is a key to the successful recovery of operations. The sequence of activities is an essential element in your contingency planning.

Use the Business Impact Analysis Template and then upload your BIA here for feedback.

Risk Management Framework

Print

ISACA Risk IT describes risk management framework as risk holistically across the organization and explains that IT affects risk and the organization concurrently (ISACA, 2009).

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), enterprise risk management is defined as “a process … applied … across the enterprise, designed to identify potential events ... and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). The COSO framework is used by risk executives to manage enterprise risks.

Risk is identified as:

· the risk of not realizing a benefit from IT

· the risk of not delivering on IT programs

· the risk of not providing intended services with IT

What’s important is that the risk management framework definition is largely consistent across four organizations concerned with standardization: ISACA, COSO, ISO (International Organization for Standardization), and NIST (National Institute for Standards and Technology). Differences are understandable for the audience and emphasize variations. The guidance to system security engineers is to recognize requirements, clarify responsibilities, and work as a team to identify and mitigate risk holistically and continuously across the organization.

Risks are evaluated along with benefit using this framework, for a more complete strategic decision process.  Otherwise, the ISACA model is similar to the NIST risk management model in NIST Special Publication 800-39, Managing Information Security Risk. The ISACA risk model (2009) stresses connectivity to the business model (framing), risk governance (leadership involvement), evaluation (assessment) and response, and prescribes communication (cross-organization teams) and continuous assessment (monitoring).

ISACA framework definitions are consistent with ISO 31000 definitions. ISO 31000:2009, “A Practical Guide for SMEs (small- and medium-sized enterprises),” features a process cycle similar to NIST guidance, featuring planning (frame and assess), implementing (respond) and monitoring (monitor), but adds an important continuous improvement prescription to improve the plan and process in response to a changing environment.

ISO Guide 73:2009 is a definitions standard that contains a definition of risk management. Like all ISO standards, it is available for purchase. Nonetheless, the freely available online ISO 31000:2009 defines risk as a combination of the consequences of an uncertain event (including changes in circumstances) and the associated uncertain likelihood of occurrence.

Importantly, “Risk in ISO 31000:2009 is neutral; the consequences associated with a risk can enhance the achievement of objectives (i.e. positive consequences) or can limit or diminish the achievement of objectives (i.e. negative consequences)” (ISO/ITC, 2009). This interpretation is different from that of the NIST special publications.

References

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2014). Enterprise risk management -- integrated framework. Executive summary. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

ISACA. (2009). The risk IT framework. https://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf

ISO/ITC. (2009). ISO 31000:2009: A practical guide for SMEs. http://www.iso.org/iso/iso_31000_for_smes.pdf

Business Impact Analysis

Print

A business impact analysis (BIA) is an important component of a business continuity plan. In fact, organizations must perform a BIA in order to determine which functions, activities, and business processes are of vital importance for the organization to function.

A BIA is essentially the classification of an organization's functions, activities, and business processes as either critical or noncritical. There are certain elements of an organization that are essential for its proper functioning (critical) and that must be addressed to have an organization up and running in the aftermath of a disaster. In other words, a BIA helps an organization identify critical components to its survival.

A critical component of any BIA is its recovery methods such as recovery point objective (RPO), recovery time objective (RTO), and business and technical recovery requirements. A recovery point objective (RPO) states how far back should an organization go in time in order to recover data after an incident. Recovery time objective (RTO) is based on how long it takes to restore backup data to its original state to resume business operations.

Understanding the balance between actions that are important and actions that are urgent is an essential concept in developing the near-term situation analysis. When a task is important, there may be severe consequences if it is not accomplished. When a task is urgent, there may not be another opportunity to accomplish the task before time or resources run out. Many tasks are obviously important or obviously urgent. Discerning which of these tasks are both important and urgent, however, is somewhat difficult in a postdisaster situation. The figure below shows a framework for assessing the priority of various possible actions.

Priority Assessment

Near-term analysis of the disaster situation should determine whether the business process is recoverable within predetermined timelines or whether the focus should switch to more strategic actions such as:

· reassigning business process responsibility to another organizational element

· building a new permanent facility

· foregoing the business process entirely

Globally or nationally dispersed organizations may have the option of reassigning business process responsibility to other similar facilities. This decision will shorten the business process recovery period and may improve overall organizational efficiency by decreasing excess production capability across the enterprise. Residual effects may include personnel relocation or integration of telecommunications features in remaining business processes or both.

Forward-looking organizational leaders can see opportunity in the aftermath of disaster. This type of planning is beyond the scope of a disaster recovery plan (DRP) but must be considered within the larger business continuity plan concept. If a facility is determined to be unrecoverable, but is still required to support a key business process, planners should focus on infusing new technology or workflow improvements into the supported business process. Armed with a thorough understanding of the organization's overarching business strategy, planners can create an outline for specific actions and investments to transform loss into new opportunity.

Discontinuing a business process may be a valid decision in view of the organization's long-term business strategy. If the business process was headed toward obsolescence in the current business perspective, merely accelerating the planned divestments will set the organization on its future course—ahead of schedule. Residual operating budgets and insurance payouts can be redirected toward developing next-generation capabilities.