Business Impact Analysis S.V. Sunder Krishnan 29th November 2007
A Reliance Capital
Disaster
Disaster is an event, often unexpected, that seriously disrupts your usual operations or processes and can have long term impact on your normal way of life or that of your organization Here is a sample list disasters: Environmental Fire Earthquake Heavy Rains Flooding Lightning Surge Severe Weather Epidemics Tsunami Hurricane Others Legal Problem Vendor Breakdown
Loss of Utility and Services Building Collapse Communication Breakdown Electric Short Circuits Electricity / UPS Failure Transportation Strike Telecommunications Vendors Organized Deliberate Terrorism War Riots Sabotage Labor Disputes Data Center Theft
2 of 48
Equipment Service Failure Internal Power Failure AC Failure Equipment Failure IT System Failure Server Hang Power Surge Info Security Incident Virus Attack Cyber Crime Hacking Dos attack SPOF breakdown System Corruption
A Reliance Capital
3 of 48
A Reliance Capital
The Fatal Impact!
Disasters could cause an organisation to suffer: • Inability to maintain critical customer services • Damage to market share, reputation or brand • Failure to protect the company assets including intellectual properties and personnel • Business control failure • Failure to meet legal or regulatory requirements
4 of 48
A Reliance Capital
WHAT IS - BUSINESS CONTINUITY PLANNING?
BCP is about identifying and, where appropriate, reducing your internal and external business risks & exposures and implementing an affective business recovery strategy
BCP ensures that you can provide an acceptable level of service to your clients / customers and other business ‘stakeholders’ regardless of any events or incidents that occur
BCP should be an integral part of your business risk management strategy BCP addresses the whole business continuity management process from risk & business impact analysis through strategy & plan development to implementation, testing and ongoing change control
5 of 48
A Reliance Capital
Why Have a Business Continuity Plan? Recovery or Failure Fully Tested Effective Plan
A
INCIDENT
B Level of Business
No Plan – Lucky Escape
Managed Short-term Interruption
C
Critical Recovery Point
No Plan – Possible Outcome
Time
Ensure that you can provide an acceptable level of service to your clients, customers and other business partners regardless of any events or incidents that occur
BCP is not a ‘box ticking’ exercise to satisfy the regulators it is about ensuring continuity of your business Effective BCP is in the interest of all staff at all levels. This requires you to take ownership of BCP for your business unit 6 of 48
A Reliance Capital
WHAT IS - BUSINESS CONTINUITY PLANNING? 1. Analyse your Business
Analyse your Business Business Impact Analysis
4. Test & Update
Analyse the Risks Business Continuity Risk Assessment
Develop Recovery Strategy Business Continuity Plan
Test & Update Periodically test and update BCP
2. Analyse the Risks
3. Develop Recovery Strategy
BCP is the responsibility of the Business it is not just an IT issue! BCP encompasses a DRP (Disaster Recovery Plan) which is an IT plan 7 of 48
A Reliance Capital
How do you develop a Business Continuity Plan? Development of a Business Continuity plan is not ‘rocket science’ – it’s really just common sense Essentially, it consists of:
identifying tasks which your team may need to perform if an incident occurs
documenting those tasks
organizing the tasks logically by phase and activity
compiling team contact info and any other supporting documentation
8 of 48
A Reliance Capital
What assumptions should you make? In developing your business unit’s plan, you should make the following assumptions:
The incident may occur at the worst possible time
The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure)
Some or many of your staff may be unavailable for work following the incident
An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified
The alternate location would be within driving distance
The Business Enterprise has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams)
Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans
9 of 48
A Reliance Capital
BCP RISK ANALYSIS – BUSINESS IMPACT Four Variables that affect the Level of Business Exposure and Impact: Likelihood of risk occurring Vulnerability to the risk Severity of risk Time taken to recover Time taken to recover relates to the Severity of the Risk: Short-term impact (up to 1 working day) resulting from denial of access to place of work / data (e.g. due to power failure) To:
Long-term impact (several weeks / months) resulting from total destruction of place of work / staff / data (e.g. 9/11)
Quantifying Risk - how do we Prioritise the Risk? : Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood of each Threat
10 of 48
A Reliance Capital
BCP RISK ANALYSIS – LIKELIHOOD / IMPACT CHART High Impact War Pandemic Major Fraud
Confidentiality Breach
Plane Crash
Terrorism Major Fire
Major IT Failure
Epidemic
Virus
Low Likelihood Supplier Failure
Minor Fire
Water Leak
High Likelihood
Limited IT Failure Minor Fraud
Theft
Power Failure
Four Variables that affect the Scale of Business Impact: Likelihood of risk occurring Vulnerability to the risk Severity of risk Time taken to recover
Low Impact 11 of 48
A Reliance Capital
Business Process Criticality Definition
A Company’s revenue generating ability and corporate image are supported by the timely execution of its business processes. However, the degree of criticality that some business processes carry are more than others on account of their importance to the business operations either in terms of their revenue generation capability or their ability to sustain the corporate image.
Provided below are guidelines, which have been considered at the time of assigning criticality to RLIC’s business processes:
Critical (High)
Inability to perform this process within the indicated cycle time would significantly affect revenuegenerating capability and / or the operating effectiveness of the other business processes.
Important (Medium)
Inability to perform this process on a timely basis would affect revenue-generating activities and / or the operating effectiveness of the other business processes. These processes normally support the execution of critical processes, but are not directly part of the critical business process itself.
Minor (Low)
Inability to perform this process for a significant period of time in excess of the indicated cycle time would impact the efficiency of other business processes and affect revenue-generating activities. 12 of 48
A Reliance Capital
Factors to be considered for determining the criticality
Financial Factors
Non Financial Factors
Delay / loss of revenues
Corporate Image
Delay in recognition of revenues
Customer Confidence
Fines for regulatory non compliance
Employee Morale
Lost interest / interest paid on borrowed funds
Shareholder / Investor confidence
Resumption Expenses
Legal Contractual obligation
Penalties for delayed processing
Competitive Advantage
Lost Opportunity
13 of 48
A Reliance Capital
The generally observed classification Criteria
Critical (High)
Important (Medium) Minor (Low)
Long term
Medium / Short term
Effect on business processes
Severe
Moderate
Contractual obligations
Breached
Competitive advantage
Immediate loss
Loss over a period of time
Regulatory Compliance
Noncompliance
Noncompliance
Impact on revenue
Loss of goodwill and Loss of goodwill and customer confidence customer confidence
Affects efficiency only
X
Reputation loss
14 of 48
X
X X Noncompliance
X
A Reliance Capital
BCP – Invocation Flowchart / Call Tree Recovery Timescales
INCIDENT DETECTED (Security Alerted) CALL OUT
Incident Alert
INCIDENT ALERT to BCP Team
0 to 2 hrs
CALL OUT
INVOKE
CALL OUT
BUSINESS RECOVERY
CORPORATE COMMUNICATION
CRISIS MANAGEMENT TEAM (CMT)
INVOK E DEPARTMENT BCP PLAN IMPACT ASSESSMENT
INVOKE
INVOKE
Incident Invocation
Business Recovery
• BCP PLAN • RECOVERY SITE • VOICE DIVERT - TO MESSAGE • BCP WEBSITE MESSAGE UPDATE • STAFF MESSAGE LINE UPDATE OTHER LOCATIONS TEAM LEADERS
IT RECOVERY
INVOKE
INVOKE
DEPARTMENT BCP CMT BCP PLAN IT BCP PLAN IMPACT ASSESSMENT BACKUP TAPE DELIVERY LOCAL BCP PLAN PLAN ‘BATTLEBOX’ DELIVERY CLIENT / PUBLIC VOICE DIVERT - TO RECOVERY SITE RELATIONS IA process STRATEGY - Incident / Damage & Salvage Assessment -
2 to 4 hrs
4 to 24 hrs
• EMERGENCY SERVICES
CMT
RECOVERY Processes
Invoke Recovery Site or put on Standby Call-out the CMT and Confirm Invocation Invoke Voice Divert & Message Updates (Staff Line & BCP Website) Call-out Recovery Team Leaders or their Alternates Manage Invocation and IT / Services Recovery and Support
- Liaise with IA teams and Confirm Invocation - Set-up Command Centre / Conference Call - Conduct Business Impact Assessment & Determine Recovery Priorities - Assume Ongoing Crisis Management Responsibility - Team Leaders to Call-out Team Members & Invoke BCP Plan - Conduct Business Impact Assessment & Advise CMT - Recover Business / IT / Service Functions 15 of 48
A Reliance Capital
Recovery Timeframes (RTO)
Recovery timeframes refer to the period by which each business process needs to be recovered / resumed to avoid disruption to business i.e. a business process may not be critical at the time of disaster striking the organization.
However if such process is not recovered within the stipulated period subsequent to the disaster then such process may also become critical at the end of such identified period
For e.g. process for payment of salaries if not resumed / recovered within 15 days would become critical.
There are two factors to be considered
Recovery time: Refers to the time taken to ensure that key business processes are up and running
Currency of data: Refers to the currency of data (i.e how latest the data should be – yesterday’s back up or information keyed in two hours before the disaster or every SECOND! no data lost)
16 of 48
A Reliance Capital
Executive Summary
Introduction Essentials of BIA Incident Management Impact Analysis RTO / RPO Recovery Strategies / Alternatives Threat Scenarios and assumptions The teams Summing up
17 of 48
confidentia A Reliance Capital
BCP Process Phases of the business continuity planning process • • • •
Creation of a business continuity and disaster recovery policy Business impact analysis Classification of operations and criticality analysis Development of a business continuity plan and disaster recovery procedures • Training and awareness program • Testing and implementation of plan • Monitoring
18 of 48
A Reliance Capital
The Essentials: • Rigorous planning and commitment of resources • Risk assessment to identify critical business processes • Reduction of risk for unexpected disruption to critical functions • Assure continuity of minimum level of service for critical operations • Responsibility of senior management • Address all functions and assets to continue as a viable organization
19 of 48
A Reliance Capital
BIA Elements
• •
•
Disasters Disrupt the operation of critical information processing Adversely impact business operations Not all disruptions are disasters Causes of service disruption Natural Expected services no longer supplied BCP must take into account all types of events impacting IS processing facilities and end users functionality
20 of 48
A Reliance Capital
BCP Incident Management
The management of incidents need be dynamic, proactive and documented All types of incidents need to be categorized Negligible: causing no significant damage Minor: produce no negative material or financial impact Major: cause negative material impact on business processes Crisis: serious material impact on the functioning of the business 21 of 48
A Reliance Capital
Business Impact Analysis
Identifying the various events that could impact the continuity of operations and their impact on the organization Issues to consider for BIA: • Different business processes • Critical information resources related to critical business processes • Critical recovery time period before significant losses are incurred • Systems risk ranking
22 of 48
A Reliance Capital
Recovery Point Objective and Recovery Time Objective
Recovery Point Objective (RPO) Based on acceptable data loss Indicates earliest point in time in which it is acceptable to recover the data Recovery Time Objective (RTO) Based on acceptable downtime Indicates earliest point in time at which the business operations must resume after a disaster
23 of 48
A Reliance Capital
Recovery Point Objective and Recovery Time Objective (continued)
RPO and RTO are based on time parameters The lower the time requirements, the higher the cost of recovery strategies Parameters to consider when defining recovery strategies: Interruption window Service delivery objective (SDO) Maximum tolerable outages
24 of 48
A Reliance Capital
Recovery Strategies
Like all threats, the most effective action would be: To remove the threat altogether To minimize the likelihood and effect of occurrence
A recovery strategy is a combination of preventive, detective and corrective measures.
The selection of a recovery strategy would depend upon: The criticality of the business process and the applications supporting the processes Cost Time required to recover Security
25 of 48
A Reliance Capital
Recovery Strategies (continued) Recovery strategies based on the risk level identified for recovery would include developing: • Hot sites • Warm sites • Cold sites • Duplicate information processing facilities • Mobile sites • Reciprocal arrangements with other organizations
26 of 48
A Reliance Capital
Recovery Alternatives Types of offsite backup facilities • Hot sites Fully equipped facility • Warm sites Partially equipped but lacking processing power • Cold sites Basic environment • Duplicate information processing facility • Mobile sites • Reciprocal agreement –
Contract with hot, warm or cold site
–
Procuring alternative hardware facilities
27 of 48
A Reliance Capital
Recovery Alternatives (continued)
Procuring alternative hardware facilities • Vendor or thirdparty • Offtheshelf • Credit agreement or emergency credit cards
28 of 48
A Reliance Capital
What is a Potentially Disastrous incident?
A potentially disastrous incident (hereafter referred to as an ‘incident’) is any internal or external incident which may cause an unacceptable interruption in the company’s critical and important business processes.
29 of 48
A Reliance Capital
Threat scenarios Threat
Impact
Scenario
Environmental Incidents
Loss and Damage of records, premises
Inaccessibility of premises
Fire
Loss and Damage of records, premises
Inaccessibility of premises
Power Outages
Temporary disruption of services/operations
Critical IT Systems non availability
Sabotage / Terrorist activity
Loss, Damage
Inaccessibility of premises
Civil Disturbances
Loss, Damage
Inaccessibility of premises
Loss or theft of key data
Loss, Damage and disclosure of confidential information
Critical IT Systems non availability (due to disruption in the integrity of the data)
Failure of IT and/or Telecom Infrastructure
Disruption of services
Non availability of critical IT Systems
IT Security Incident
Disruption of services, Loss of data
Non availability of critical IT Systems
Logistical failures for centralized operations
Disruption of services
Inaccessibility of premises
•Water Damage •Earthquake
30 of 48
A Reliance Capital
What assumptions should you make?
In developing your business unit’s plan, you should make the following assumptions: The incident may occur at the worst possible time The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure) Some or many of your staff may be unavailable for work following the incident
31 of 48
A Reliance Capital
What assumptions should you make?
You can also make the following assumptions: An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified The alternate location would be within driving distance The Company has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’ (CCMT) and support teams (in addition to the business unit teams) Only the the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans
32 of 48
A Reliance Capital
What is a Business Continuity Team?
33 of 48
A Reliance Capital
What is a Business Continuity Team?
A Business Continuity Team is a designated group of individuals responsible, at time of incident, for: determining which tasks need to be performed coordinating the execution of those tasks communicating and coordinating with other Business Continuity Teams
Each team must have a team leader and alternate(s), and an appropriate number of members
34 of 48
A Reliance Capital
Typical Business Continuity Team Structure
Corporate Crisis Management Team Business Continuity Coordinator Support Team Support Team IT Team
Business Resumption Teams Critical Process 3 Critical Process 2 Critical Process 1
Local Incident Management Teams 35 of 48
A Reliance Capital
The Specific BCP Teams for Reliance Life Insurance Company Limited Corporate Crisis Management Team
Business Continuity Coordinator
Support Team
Information Technology Team
36 of 48
Business Resumption Team
A Reliance Capital
What is a Crisis Management Team?
A Corporate Crisis Management Team (CCMT) is a designated group of senior individuals responsible for overall management of a potentially disastrous incident Typical responsibilities include:
Activation of Business Continuity and support teams Coordination of all communication between teams High level decision making (including ‘incident declaration’) Prioritization of activities De-activation of Business Continuity and support teams
37 of 48
A Reliance Capital
What are Support Teams?
Support Teams are specialized groups that may be activated by the CCMT to help manage the incident Typical support teams include: Information Technology team - Systems and Application Support Members and Communications and Infrastructure Support Members Support Team (including Facilities, Services, Finance, Functional representatives (SPOCs), Corporate Communications and so on)
38 of 48
A Reliance Capital
What is the role of Information Technology Teams?
Typically, Information Technology Support Teams would handle all of the ‘technology issues’ associated with a potentially disastrous incident Responsibilities could include: Recovering mainframe, mid-range, and server-based systems at the alternate location(s) Restoring data from latest off-site backups Re-establishing voice and data communications Commissioning employees’ desktop systems Restoring technology at the original location Activating connections from Alternate Operations Center
39 of 48
A Reliance Capital
What is the role of the Support Team?
Typically, the support team provides the damage assessment following an event, and assists with the site restoration process. Responsibilities would include: Coordinating preparation of detailed damage assessments Facility Business Process and Systems Overseeing damage assessment and control activities Coordinating site cleanup and salvage activities The Support Team will provide the CCMT and the BCP Coordinator with a comprehensive assessment of damage after disaster has occurred, including: Missing staff, injuries and loss of life; Extent of facility damage; and Damaged equipment (Computer Hardware, Network Components, UPS, etc.)
40 of 48
A Reliance Capital
What is the role of Support Team?
Handle all of the ‘public relations’ issues associated with a potentially disastrous incident Responsibilities could include: Preparing press releases and public announcements Coordinating news conferences, interviews Interfacing with media personnel Issuing communiqués to employees and stakeholders Managing the Company's image and reputation during the crisis
41 of 48
A Reliance Capital
What is the role of Administration Personnel in the Support Team?
Handle all of the ‘facility issues’ associated with a potentially disastrous incident Responsibilities could include: Liaison with civil authorities Damage assessment, salvage, and restoration Preparing the alternate location(s) for occupancy Physical security Transportation of equipment and materials Redirecting of mail and courier service Management of interim phone systems
42 of 48
A Reliance Capital
What is the role of Human Resources Department Personnel in the Support Team?
Handle all of the ‘people issues’ associated with a potentially disastrous incident Responsibilities could include: Ensuring all employees are accounted for Contacting employees’ families Coordinating temporary relocation of staff, including travel and accommodation arrangements Hiring contract personnel Providing assistance to individual employees Ensuring continuance of salaries and benefits
43 of 48
A Reliance Capital
What is the role of Finance Department Members in the Support Team?
Handle all of the ‘accounting issues’ associated with a potentially disastrous incident Responsibilities could include: Authorizing and tracking expenditures Ensuring appropriate accounting controls are maintained Identifying losses Processing insurance claims 44 of 48
A Reliance Capital
To sum up
The Phases in a Business Continuity Plan
45 of 48
A Reliance Capital
The Five BCP Phases Return To Normal Business Resumption Resource Recovery & Commissioning Interim Contingencies BUSINESS IMPACT ANALYSIS
Initial Response And Assessment
46 of 48
A Reliance Capital
Acknowledgement
ISACA
47 of 48
A Reliance Capital
Thank you November 29 2007
A Reliance Capital