Business Impact Analysis

Business Impact Analysis S.V. Sunder Krishnan 29th November 2007

A Reliance Capital

Disaster

Disaster is an event, often unexpected, that seriously disrupts your usual operations or processes and can have a long-term impact on your normal way of life or that of your organization. Here is a sample list of disasters:

Environmental: Fire, Earthquake, Heavy Rains, Flooding, Lightning Surge, Severe Weather, Epidemics, Tsunami, Hurricane
Others: Legal Problem, Vendor Breakdown
Loss of Utility and Services: Building Collapse, Communication Breakdown, Electric Short Circuits, Electricity / UPS Failure, Transportation Strike, Telecommunications Vendors
Organized / Deliberate: Terrorism, War, Riots, Sabotage, Labor Disputes, Data Center Theft
Equipment / Service Failure: Internal Power Failure, AC Failure, Equipment Failure, IT System Failure, Server Hang, Power Surge
Info Security Incident: Virus Attack, Cyber Crime, Hacking, DoS Attack, SPOF Breakdown, System Corruption

2 of 48


The Fatal Impact!

Disasters could cause an organisation to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including intellectual properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

WHAT IS - BUSINESS CONTINUITY PLANNING?

• BCP is about identifying and, where appropriate, reducing your internal and external business risks and exposures, and implementing an effective business recovery strategy.

• BCP ensures that you can provide an acceptable level of service to your clients / customers and other business ‘stakeholders’ regardless of any events or incidents that occur.

• BCP should be an integral part of your business risk management strategy. BCP addresses the whole business continuity management process, from risk and business impact analysis through strategy and plan development to implementation, testing and ongoing change control.

Why Have a Business Continuity Plan?

[Chart, "Recovery or Failure": Level of Business plotted against Time, with the INCIDENT marked and a Critical Recovery Point shown on the vertical axis. Three outcomes are traced: A, "Fully Tested Effective Plan" (a Managed Short-term Interruption, then recovery); B, "No Plan – Lucky Escape"; C, "No Plan – Possible Outcome".]

Ensure that you can provide an acceptable level of service to your clients, customers and other business partners regardless of any events or incidents that occur.

• BCP is not a ‘box ticking’ exercise to satisfy the regulators; it is about ensuring continuity of your business.
• Effective BCP is in the interest of all staff at all levels. This requires you to take ownership of BCP for your business unit.

WHAT IS - BUSINESS CONTINUITY PLANNING?

[Cycle diagram with four steps:]
1. Analyse your Business: Business Impact Analysis
2. Analyse the Risks: Business Continuity Risk Assessment
3. Develop Recovery Strategy: Business Continuity Plan
4. Test & Update: Periodically test and update BCP

BCP is the responsibility of the Business; it is not just an IT issue! BCP encompasses a DRP (Disaster Recovery Plan), which is an IT plan.

How do you develop a Business Continuity Plan?

• Development of a Business Continuity plan is not ‘rocket science’; it’s really just common sense.
• Essentially, it consists of:
  - identifying tasks which your team may need to perform if an incident occurs
  - documenting those tasks
  - organizing the tasks logically by phase and activity
  - compiling team contact info and any other supporting documentation

What assumptions should you make?

In developing your business unit’s plan, you should make the following assumptions:
• The incident may occur at the worst possible time.
• The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure).
• Some or many of your staff may be unavailable for work following the incident.
• An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified.
• The alternate location would be within driving distance.
• The Business Enterprise has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams).
• Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans.

BCP RISK ANALYSIS – BUSINESS IMPACT

• Four variables that affect the level of business exposure and impact:
  - Likelihood of risk occurring
  - Vulnerability to the risk
  - Severity of risk
  - Time taken to recover
• Time taken to recover relates to the severity of the risk, ranging from:
  - Short-term impact (up to 1 working day) resulting from denial of access to place of work / data (e.g. due to power failure)
  to:
  - Long-term impact (several weeks / months) resulting from total destruction of place of work / staff / data (e.g. 9/11)
• Quantifying risk - how do we prioritise the risk?
  Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood of each Threat

BCP RISK ANALYSIS – LIKELIHOOD / IMPACT CHART

[Chart: threats plotted with Likelihood on the horizontal axis (Low Likelihood to High Likelihood) and Impact on the vertical axis (Low Impact to High Impact). Threats plotted, roughly from high impact to low: War, Pandemic, Major Fraud, Confidentiality Breach, Plane Crash, Terrorism, Major Fire, Major IT Failure, Epidemic, Virus, Supplier Failure, Minor Fire, Water Leak, Limited IT Failure, Minor Fraud, Theft, Power Failure.]

Four variables that affect the scale of business impact:
• Likelihood of risk occurring
• Vulnerability to the risk
• Severity of risk
• Time taken to recover

Business Process Criticality Definition

• A Company’s revenue-generating ability and corporate image are supported by the timely execution of its business processes. However, some business processes carry a higher degree of criticality than others on account of their importance to the business operations, either in terms of their revenue-generation capability or their ability to sustain the corporate image.

• Provided below are guidelines which have been considered at the time of assigning criticality to RLIC’s business processes:

  - Critical (High): Inability to perform this process within the indicated cycle time would significantly affect revenue-generating capability and / or the operating effectiveness of the other business processes.

  - Important (Medium): Inability to perform this process on a timely basis would affect revenue-generating activities and / or the operating effectiveness of the other business processes. These processes normally support the execution of critical processes, but are not directly part of the critical business process itself.

  - Minor (Low): Inability to perform this process for a significant period of time in excess of the indicated cycle time would impact the efficiency of other business processes and affect revenue-generating activities.

Factors to be considered for determining the criticality

• Financial Factors
  - Delay / loss of revenues
  - Delay in recognition of revenues
  - Fines for regulatory non-compliance
  - Lost interest / interest paid on borrowed funds
  - Resumption expenses
  - Penalties for delayed processing
  - Lost opportunity

• Non-Financial Factors
  - Corporate image
  - Customer confidence
  - Employee morale
  - Shareholder / investor confidence
  - Legal / contractual obligation
  - Competitive advantage

The generally observed classification criteria

[Table reconstructed from the slide; the X marks are reproduced as on the slide, which gives no legend for them, and their column placement is uncertain in the extracted text.]

Criterion                      Critical (High)                           Important (Medium)                        Minor (Low)
Effect on business processes   Severe, long term                         Moderate, medium / short term             Affects efficiency only
Contractual obligations        Breached                                  X                                         X
Competitive advantage          Immediate loss                            Loss over a period of time                X
Regulatory compliance          Non-compliance                            Non-compliance                            Non-compliance
Impact on revenue              Loss of goodwill and customer confidence  Loss of goodwill and customer confidence  X
Reputation loss                X

BCP – Invocation Flowchart / Call Tree

[Flowchart, read against the recovery timescales below. Boxes: INCIDENT DETECTED (Security Alerted) → CALL OUT → INCIDENT ALERT to BCP Team → INVOKE → CRISIS MANAGEMENT TEAM (CMT), CORPORATE COMMUNICATION, IT RECOVERY, BUSINESS RECOVERY, OTHER LOCATIONS TEAM LEADERS, EMERGENCY SERVICES. Plans and artefacts invoked: DEPARTMENT BCP PLAN, CMT BCP PLAN, IT BCP PLAN, LOCAL BCP PLAN, IMPACT ASSESSMENT, BACKUP TAPE DELIVERY, PLAN ‘BATTLEBOX’ DELIVERY, RECOVERY SITE, VOICE DIVERT - TO MESSAGE / TO RECOVERY SITE, BCP WEBSITE MESSAGE UPDATE, STAFF MESSAGE LINE UPDATE, CLIENT / PUBLIC RELATIONS, IA process, STRATEGY - Incident / Damage & Salvage Assessment.]

Recovery Timescales
• 0 to 2 hrs - Incident Alert
• 2 to 4 hrs - Incident Invocation
• 4 to 24 hrs - Business Recovery

Recovery processes (as listed on the slide)

Incident alert and invocation:
- Invoke Recovery Site or put on Standby
- Call-out the CMT and Confirm Invocation
- Invoke Voice Divert & Message Updates (Staff Line & BCP Website)
- Call-out Recovery Team Leaders or their Alternates
- Manage Invocation and IT / Services Recovery and Support

CMT:
- Liaise with IA teams and Confirm Invocation
- Set-up Command Centre / Conference Call
- Conduct Business Impact Assessment & Determine Recovery Priorities
- Assume Ongoing Crisis Management Responsibility

Recovery teams:
- Team Leaders to Call-out Team Members & Invoke BCP Plan
- Conduct Business Impact Assessment & Advise CMT
- Recover Business / IT / Service Functions

Recovery Timeframes (RTO)

• Recovery timeframes refer to the period by which each business process needs to be recovered / resumed to avoid disruption to business, i.e. a business process may not be critical at the time of the disaster striking the organization.

• However, if such a process is not recovered within the stipulated period subsequent to the disaster, then it may also become critical at the end of that identified period.

• For example, the process for payment of salaries, if not resumed / recovered within 15 days, would become critical.

• There are two factors to be considered:
  - Recovery time: the time taken to ensure that key business processes are up and running.
  - Currency of data: how recent the recovered data must be (yesterday’s backup, information keyed in two hours before the disaster, or every SECOND, i.e. no data lost).

Executive Summary

• Introduction
• Essentials of BIA
• Incident Management
• Impact Analysis
• RTO / RPO
• Recovery Strategies / Alternatives
• Threat Scenarios and assumptions
• The teams
• Summing up

BCP Process

Phases of the business continuity planning process:
• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring

The Essentials:
• Rigorous planning and commitment of resources
• Risk assessment to identify critical business processes
• Reduction of risk for unexpected disruption to critical functions
• Assure continuity of minimum level of service for critical operations
• Responsibility of senior management
• Address all functions and assets to continue as a viable organization

BIA - Elements

• Disasters:
  - Disrupt the operation of critical information processing
  - Adversely impact business operations
• Not all disruptions are disasters
• Causes of service disruption:
  - Natural
  - Expected services no longer supplied
• BCP must take into account all types of events impacting IS processing facilities and end users’ functionality

BCP Incident Management

• The management of incidents needs to be dynamic, proactive and documented.
• All types of incidents need to be categorized:
  - Negligible: causing no significant damage
  - Minor: produce no negative material or financial impact
  - Major: cause negative material impact on business processes
  - Crisis: serious material impact on the functioning of the business

Business Impact Analysis

• Identifying the various events that could impact the continuity of operations and their impact on the organization
• Issues to consider for BIA:
  - Different business processes
  - Critical information resources related to critical business processes
  - Critical recovery time period before significant losses are incurred
  - Systems risk ranking

Recovery Point Objective and Recovery Time Objective

• Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates the earliest point in time to which it is acceptable to recover the data
• Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates the earliest point in time at which the business operations must resume after a disaster

Recovery Point Objective and Recovery Time Objective (continued)

• RPO and RTO are based on time parameters
• The lower the time requirements, the higher the cost of recovery strategies
• Parameters to consider when defining recovery strategies:
  - Interruption window
  - Service delivery objective (SDO)
  - Maximum tolerable outages

Recovery Strategies

• Like all threats, the most effective action would be:
  - To remove the threat altogether
  - To minimize the likelihood and effect of occurrence
• A recovery strategy is a combination of preventive, detective and corrective measures.
• The selection of a recovery strategy would depend upon:
  - The criticality of the business process and the applications supporting the processes
  - Cost
  - Time required to recover
  - Security

Recovery Strategies (continued)

Recovery strategies based on the risk level identified for recovery would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations

Recovery Alternatives

Types of offsite backup facilities:
• Hot sites - fully equipped facility
• Warm sites - partially equipped but lacking processing power
• Cold sites - basic environment
• Duplicate information processing facility
• Mobile sites
• Reciprocal agreement
• Contract with hot, warm or cold site
• Procuring alternative hardware facilities
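The rule on slide 24 (tighter RTO/RPO means a costlier recovery strategy), the RTO note on slide 16 (a process such as salary payment that is not critical on day one but becomes critical after about 15 days) and the recovery alternatives on slides 26 and 27 can be combined into a repeatable check: for each process, pick the cheapest facility whose recovery time fits the RTO and whose worst-case data loss fits the RPO, and confirm that the RTO never exceeds the maximum tolerable outage. The following is an added example in Python, not code from the deck or from Reliance Capital; the process names, RTO/RPO/MTO figures, facility characteristics, costs and backup timestamps are all assumptions made for illustration.

```python
# Added example, not from the original slide deck: choosing the cheapest
# recovery strategy that satisfies each business process's RTO and RPO, and
# checking an actual backup schedule against an RPO.  Every process, facility
# figure, cost and timestamp below is an illustrative assumption.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Process:
    name: str
    criticality: str      # Critical (High) / Important (Medium) / Minor (Low)
    rto_hours: float      # recovery time objective: acceptable downtime
    rpo_hours: float      # recovery point objective: acceptable data loss
    mto_hours: float      # maximum tolerable outage: the RTO must not exceed it


@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_hours: float    # time to bring the process up at this facility
    data_loss_hours: float   # worst-case data loss from its replication / backup cadence
    annual_cost: float       # assumed yearly cost of keeping the option ready


# Assumed characteristics for the deck's recovery alternatives (duplicate
# facility, hot, warm and cold sites, reciprocal agreement); numbers invented.
STRATEGIES: List[Strategy] = [
    Strategy("duplicate facility, synchronous replication", 0.5, 0.0, 900_000),
    Strategy("hot site, asynchronous replication", 4.0, 1.0, 400_000),
    Strategy("warm site, daily backup tapes", 24.0, 24.0, 120_000),
    Strategy("cold site, weekly backup tapes", 144.0, 168.0, 40_000),
    Strategy("reciprocal agreement, daily backup tapes", 48.0, 24.0, 10_000),
]


def check_objectives(process: Process) -> bool:
    """An RTO longer than the maximum tolerable outage is a planning error."""
    if process.rto_hours > process.mto_hours:
        raise ValueError(
            f"{process.name}: RTO {process.rto_hours}h exceeds MTO {process.mto_hours}h"
        )
    return True


def select_strategy(process: Process,
                    strategies: List[Strategy] = STRATEGIES) -> Optional[Strategy]:
    """Cheapest option that recovers within the RTO and loses no more data than the RPO.
    Returns None when nothing on the list can meet both objectives."""
    check_objectives(process)
    eligible = [s for s in strategies
                if s.recovery_hours <= process.rto_hours
                and s.data_loss_hours <= process.rpo_hours]
    return min(eligible, key=lambda s: s.annual_cost, default=None)


def actual_data_loss_hours(backups_completed: List[datetime], incident: datetime) -> float:
    """Data lost if the incident strikes now: everything since the last completed backup."""
    before = [t for t in backups_completed if t <= incident]
    if not before:
        raise ValueError("no backup completed before the incident")
    return (incident - max(before)).total_seconds() / 3600


def rpo_met(backups_completed: List[datetime], incident: datetime, rpo_hours: float) -> bool:
    """True when the current backup cadence keeps the worst-case loss within the RPO."""
    return actual_data_loss_hours(backups_completed, incident) <= rpo_hours


# Constructed sample processes; all RTO/RPO/MTO values are assumptions.
PROCESSES = [
    Process("policy issuance", "Critical (High)", 4, 1, 8),
    Process("claims settlement", "Important (Medium)", 24, 24, 48),
    Process("salary payment", "Minor (Low)", 15 * 24, 24, 20 * 24),  # critical only after ~15 days
]

# Constructed backup log: nightly tape completes at 02:00; incident at 11:00.
BACKUPS_COMPLETED = [datetime(2007, 11, 28, 2, 0), datetime(2007, 11, 29, 2, 0)]
INCIDENT = datetime(2007, 11, 29, 11, 0)

if __name__ == "__main__":
    for p in PROCESSES:
        chosen = select_strategy(p)
        print(f"{p.name:18s} RTO {p.rto_hours:>6}h RPO {p.rpo_hours:>4}h -> "
              f"{chosen.name if chosen else 'no strategy meets the objectives'}")
    loss = actual_data_loss_hours(BACKUPS_COMPLETED, INCIDENT)
    print(f"nightly tapes: {loss:.0f}h of data lost; "
          f"RPO 4h met? {rpo_met(BACKUPS_COMPLETED, INCIDENT, 4)}")
```

With these assumed figures the critical process is forced onto the hot site, the medium process gets by with a warm site, and the salary process, whose RTO is measured in weeks, is served by the cheapest reciprocal agreement; a process whose RTO is shorter than any facility can deliver gets no strategy at all, which is the signal to revisit either the objective or the list of alternatives. The backup check shows why RPO has to be verified against the real schedule: a nightly tape leaves up to nine hours of data at risk before a mid-morning incident, far outside a four-hour RPO.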

Recovery Alternatives (continued)

Procuring alternative hardware facilities:
• Vendor or third-party
• Off-the-shelf
• Credit agreement or emergency credit cards

What is a Potentially Disastrous incident?

A potentially disastrous incident (hereafter referred to as an ‘incident’) is any internal or external incident which may cause an unacceptable interruption in the company’s critical and important business processes.


Threat scenarios

Threat                                              Impact                                                    Scenario
Environmental Incidents (Water Damage, Earthquake)  Loss and damage of records, premises                      Inaccessibility of premises
Fire                                                Loss and damage of records, premises                      Inaccessibility of premises
Power Outages                                       Temporary disruption of services / operations             Critical IT Systems non-availability
Sabotage / Terrorist activity                       Loss, damage                                              Inaccessibility of premises
Civil Disturbances                                  Loss, damage                                              Inaccessibility of premises
Loss or theft of key data                           Loss, damage and disclosure of confidential information   Critical IT Systems non-availability (due to disruption of the integrity of the data)
Failure of IT and/or Telecom Infrastructure         Disruption of services                                    Non-availability of critical IT Systems
IT Security Incident                                Disruption of services, loss of data                      Non-availability of critical IT Systems
Logistical failures for centralized operations      Disruption of services                                    Inaccessibility of premises

What assumptions should you make?

In developing your business unit’s plan, you should make the following assumptions:
• The incident may occur at the worst possible time
• The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure)
• Some or many of your staff may be unavailable for work following the incident

You can also make the following assumptions:
• An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified
• The alternate location would be within driving distance
• The Company has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams)
• Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans

What is a Business Continuity Team?

• A Business Continuity Team is a designated group of individuals responsible, at the time of an incident, for:
  - determining which tasks need to be performed
  - coordinating the execution of those tasks
  - communicating and coordinating with other Business Continuity Teams
• Each team must have a team leader and alternate(s), and an appropriate number of members

Typical Business Continuity Team Structure

[Organisation chart listing: Corporate Crisis Management Team; Business Continuity Coordinator; Support Teams; IT Team; Business Resumption Teams for Critical Process 1, Critical Process 2 and Critical Process 3; Local Incident Management Teams.]

The Specific BCP Teams for Reliance Life Insurance Company Limited

• Corporate Crisis Management Team
• Business Continuity Coordinator
• Support Team
• Information Technology Team
• Business Resumption Team

What is a Crisis Management Team?

• A Corporate Crisis Management Team (CCMT) is a designated group of senior individuals responsible for overall management of a potentially disastrous incident.
• Typical responsibilities include:
  - Activation of Business Continuity and support teams
  - Coordination of all communication between teams
  - High level decision making (including ‘incident declaration’)
  - Prioritization of activities
  - De-activation of Business Continuity and support teams

What are Support Teams?

• Support Teams are specialized groups that may be activated by the CCMT to help manage the incident.
• Typical support teams include:
  - Information Technology team - Systems and Application Support members, and Communications and Infrastructure Support members
  - Support Team (including Facilities, Services, Finance, Functional representatives (SPOCs), Corporate Communications and so on)

What is the role of Information Technology Teams?

• Typically, Information Technology Support Teams would handle all of the ‘technology issues’ associated with a potentially disastrous incident.
• Responsibilities could include:
  - Recovering mainframe, mid-range, and server-based systems at the alternate location(s)
  - Restoring data from the latest off-site backups
  - Re-establishing voice and data communications
  - Commissioning employees’ desktop systems
  - Restoring technology at the original location
  - Activating connections from the Alternate Operations Center

What is the role of the Support Team?

• Typically, the support team provides the damage assessment following an event, and assists with the site restoration process.
• Responsibilities would include:
  - Coordinating preparation of detailed damage assessments: Facility, Business Process and Systems
  - Overseeing damage assessment and control activities
  - Coordinating site cleanup and salvage activities
  - Providing the CCMT and the BCP Coordinator with a comprehensive assessment of damage after the disaster has occurred, including: missing staff, injuries and loss of life; extent of facility damage; and damaged equipment (computer hardware, network components, UPS, etc.)

What is the role of Corporate Communications in the Support Team?

• Handle all of the ‘public relations’ issues associated with a potentially disastrous incident.
• Responsibilities could include:
  - Preparing press releases and public announcements
  - Coordinating news conferences, interviews
  - Interfacing with media personnel
  - Issuing communiqués to employees and stakeholders
  - Managing the Company's image and reputation during the crisis

What is the role of Administration Personnel in the Support Team?

• Handle all of the ‘facility issues’ associated with a potentially disastrous incident.
• Responsibilities could include:
  - Liaison with civil authorities
  - Damage assessment, salvage, and restoration
  - Preparing the alternate location(s) for occupancy
  - Physical security
  - Transportation of equipment and materials
  - Redirecting of mail and courier service
  - Management of interim phone systems

What is the role of Human Resources Department Personnel in the Support Team?

• Handle all of the ‘people issues’ associated with a potentially disastrous incident.
• Responsibilities could include:
  - Ensuring all employees are accounted for
  - Contacting employees’ families
  - Coordinating temporary relocation of staff, including travel and accommodation arrangements
  - Hiring contract personnel
  - Providing assistance to individual employees
  - Ensuring continuance of salaries and benefits

What is the role of Finance Department Members in the Support Team?

• Handle all of the ‘accounting issues’ associated with a potentially disastrous incident.
• Responsibilities could include:
  - Authorizing and tracking expenditures
  - Ensuring appropriate accounting controls are maintained
  - Identifying losses
  - Processing insurance claims

To sum up

The Phases in a Business Continuity Plan

The Five BCP Phases

[Cycle diagram centred on BUSINESS IMPACT ANALYSIS, with the five phases arranged around it:]
1. Initial Response and Assessment
2. Interim Contingencies
3. Resource Recovery & Commissioning
4. Business Resumption
5. Return to Normal

Acknowledgement

ISACA

Thank you
November 29 2007
