
Your BCM, Risk & Crisis Management software solution since 1999

Conducting an Effective Business Impact Analysis (BIA)

Presented by: Sherri Flynn, MBCP, CISM
Agenda

• What is a Business Impact Analysis (BIA)?
• Why do a BIA?
• Elements of a BIA
• Presenting your BIA Results
• Common Mistakes
What is a BIA?

A Business Impact Analysis (BIA) …

• … is a process that identifies & evaluates the potential effects of events on business operations
• … is a detailed inventory of critical business functions and/or processes
• … is an assessment & prioritization of all business functions & their interdependencies
• … provides an estimation of MOTs, RTOs, RPOs, and recovery procedures
What is a BIA?

A Business Impact Analysis (BIA) …

• … includes the identification of department critical business functions as well as organization-wide products and/or services.

“Products and Services are created by processes that are made up of activities. Products and Services are prioritized first; this sets the time and service level parameters for process prioritization.”

- ISO Technical Specification Ref # ISO/TS 22317:2015(E)


Why do a BIA?

[Diagram: Processes, Applications, Vital Records, People, Vendors]
Why do a BIA?

More than because you HAVE to
Why do a BIA?

• Organizes / Prioritizes ALL the Data
• Provides a Basis for your Recovery Plan
• Aids in Resource Allocation
• Aids in Development of Recovery Strategies
• Provides a Focus for Testing
Why do a BIA?

Identifies processes that are most critical to the survival of an organization.

• Activities that an organization performs in support of its primary purpose(s); the production & delivery of goods and/or services.
• Processes and systems that your business absolutely needs in order to perform its main functions.
• Saving your business from suffering a catastrophic blow that could result in substantial damage to the business, including closing its doors for the last time and shutting down for good.
Elements of a BIA

• Initiation (Developing the Mindset)
• Establishing the Process
• Gathering the Information (Data Collection)
• Documenting / Organizing the Information
• Analyzing the Collected Information
• Presenting the BIA Results to Management
Elements of a BIA

• Initiation (Developing the Mindset)
  • Define objectives, goals and scope
  • Form BIA project team
  • Kick off BIA with an Executive Sponsor with buy-in
  • Establish business importance of the BIA
Elements of a BIA

• Establishing the Process
  • EDUCATE participants and PREPARE in advance!
  • Set Priorities
    • Time commitments for departments / deadlines
    • Consistent Recovery Time Objectives
    • Budget time for interviews – allot enough time
    • Set expectations for follow up
  • Establish relevant Impacts
  • Establish RTO / Criticality determination
    • Subjective
    • Objective (Formula based – criticality increasing over time)
Calculate an RTO

Scoring (rating x weight; rating scale: Critical 4, High 3, Medium 2, Low 1, N/A 0):
• Customer Impact (weight 3): Min / Max 0 / 12.00
• Operational Impact (weight 2): Min / Max 0 / 8.00
• Financial Impact (weight 1): Min / Max 0 / 4.00

Recovery Time Objectives (each time band is rated per impact category; max per band 12/8/4):
• 0 – 24 hrs (12/8/4)
• 25 – 48 hrs (12/8/4)
• 49 hrs – 7 days (12/8/4)
• > 1 week (12/8/4)
Maximum total: (48/32/16) = 96

Overall Criticality:
• Low (> 1 wk): 1 - 24
• Medium (49h - 7d): 25 - 49
• High (25 - 48h): 50 - 74
• Critical (0 - 24h): 75 - 96

Worked example: if the function was unavailable, what would be the impact?

Customer Impact (weight 3): 3 x 1 = 3 (0 – 24 hrs), 3 x 2 = 6 (25 – 48 hrs), 3 x 3 = 9 (49 hrs – 7 days), 3 x 4 = 12 (> 1 week); subtotal 30
Operational Impact (weight 2): 2 x 0 = 0, 2 x 3 = 6, 2 x 4 = 8, 2 x 4 = 8; subtotal 22
Financial Impact (weight 1): 1 x 4 = 4, 1 x 4 = 4, 1 x 4 = 4, 1 x 4 = 4; subtotal 16

Total: 30 + 22 + 16 = 68
Overall Criticality = High
Calculated RTO = 25 – 48 hrs

Threshold RTO

If the function was unavailable, what would be the impact?

• Establish RTO Threshold = Critical
• Across Customer Impact, Operational Impact and Financial Impact, the earliest RTO band where Critical is selected is your Function RTO
• In the example: 0 – 24 hrs
• Overall Criticality = Critical
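To make the two RTO methods above concrete, here is an added Python example (my code, not from the deck or from RecoveryPlanner) that implements the weighted rating-over-time score, maps it to the Overall Criticality bands, and applies the Critical-threshold rule. The function names are my own, and applying the threshold rule to the same worked-example ratings is an assumption.

```python
# Added example, not from the deck: the deck's objective (formula-based)
# criticality scoring. Function names are my own.

WEIGHTS = {"customer": 3, "operational": 2, "financial": 1}   # from the slide
RATINGS = {"n/a": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
TIME_BANDS = ["0-24 hrs", "25-48 hrs", "49 hrs-7 days", ">1 week"]  # earliest first
# Overall criticality bands (score floor, label, implied RTO), highest first
CRITICALITY_BANDS = [
    (75, "Critical", "0-24 hrs"),
    (50, "High", "25-48 hrs"),
    (25, "Medium", "49 hrs-7 days"),
    (1, "Low", ">1 week"),
]

def criticality_score(ratings):
    """ratings: category -> one rating label per time band, earliest first.
    Each cell scores weight x rating; the total over all cells is 0..96."""
    total = 0
    for category, weight in WEIGHTS.items():
        per_band = ratings[category]
        if len(per_band) != len(TIME_BANDS):
            raise ValueError(f"{category}: need one rating per time band")
        total += sum(weight * RATINGS[label] for label in per_band)
    return total

def calculated_rto(score):
    """Map a total score to (overall criticality, calculated RTO)."""
    for floor, label, rto in CRITICALITY_BANDS:
        if score >= floor:
            return label, rto
    return "None", None  # every cell rated N/A

def threshold_rto(ratings, threshold="critical"):
    """Threshold method: earliest band where any category is rated at or
    above the threshold; that band is the function RTO (None if never)."""
    for i, band in enumerate(TIME_BANDS):
        if any(RATINGS[r[i]] >= RATINGS[threshold] for r in ratings.values()):
            return band
    return None

# Constructed to reproduce the slide's worked example: 30 + 22 + 16 = 68
EXAMPLE = {
    "customer": ["low", "medium", "high", "critical"],       # 3+6+9+12 = 30
    "operational": ["n/a", "high", "critical", "critical"],  # 0+6+8+8 = 22
    "financial": ["critical"] * 4,                           # 4x4 = 16
}
```

Running `criticality_score(EXAMPLE)` gives 68, which `calculated_rto` maps to High / 25-48 hrs, while `threshold_rto(EXAMPLE)` returns 0-24 hrs because Financial Impact is already Critical in the first band.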


Elements of a BIA

• Gathering the Information (Data Collection)
  • Create a consistent Questionnaire for everyone
  • Set up BIA Workshops and/or Interviews
  • Quantify as much as possible – gather FACTS
  • Quantify responses OVER TIME (Impacts/RTOs)
  • Ask people what they do. Don’t assume.
Elements of a BIA

• Documenting / Organizing the Information
  • Prioritize by Criticality
  • Report the facts for discussion – do not provide opinion
  • Be careful of adding “conversational” notes that are not factual

• Analyzing the Collected Information
  • Note trends/observations that you have uncovered
Elements of a BIA

Analyzing Your Data
• By Department
• By Criticality
• Resource Report
Elements of a BIA

• Presenting the BIA Results to Management
  • Create high level / “easy on the eye” reporting
  • Executive Summary Reports
    • Objectives / Goals / Scope
    • Methodology
    • Participants
    • Summary of Results
    • Most Critical Items
    • Concerns
    • Recommendations
Overall Function Count

[Chart: Functions by Criticality (bar values 45, 26, 21, 17, 15)]

Department Functions

[Chart: Accounting Department Functions, by criticality: Critical, High, Significant, Medium, Low]

Resource Summary Count

[Chart: Resource RTO Distribution: 0-24 Hours 43%, 2-3 Days 27%, 3-5 Days 14%, 5-10 Days 9%, 10+ Days 7%]
Why do a BIA?

• Organizes / Prioritizes ALL the Data
• Provides a Basis for your Recovery Plan
• Aids in Resource Allocation
• Aids in Development of Recovery Strategies
• Provides a Focus for Testing
Common Mistakes

Mistakes to Avoid

• Minimal or No Management Support
• Backing into the BIA Results
• Lack of Preparation for the Interviews/Meetings
• Gathering Too Much Data
• Focus on the Tools/Applications instead of the Processes
• Doing a Risk Assessment and NOT a BIA (do both)
• No Timely Follow Up / Result Presentation
• Unclear Presentation of Results
References

ISO Standards
- ISO 22301:2012, Societal security – Business continuity management systems
- ISO/TS 22317:2015, Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)

DRII.org
- Professional Practices

NCUA.gov
- Letter #: 06-CU-12
- Letter #: 01-CU-21

Ready.gov
- https://www.ready.gov/business/implementation/IT

Gartner – IT Library
- https://www.gartner.com/it-glossary/library

FFIEC, https://ithandbook.ffiec.gov/
- BCP Examination Booklet
- BCP Examiners Checklist (IT Work Program)
Thank you!

Questions?

Sherri Flynn, MBCP, CISM
sflynn@recoveryplanner.com

Contact us for an online demo
www.RecoveryPlanner.com
877.455.9990
