1. Business Impact Analysis (BIA) is the process of evaluating a business’s critical systems to determine what a failure, disaster, or breach would do in terms of loss. Outline the key components of BIA and briefly explain how you would implement a Business Continuity Plan (BCP).
The process of a Business Impact Analysis (BIA) in conjunction with a Business Continuity Plan allows for targeted recovery strategies to be developed in the event of an emergency. Through a detailed analysis, the length and severity of specific impacts, and their subsequent damage to the business can be reduced, allowing for a smoother transition to “business as usual”.
To identify the the minimum service level requirements for specific key process for each potential emergency, the following components should be evaluated for each critic business process.
After each critical business process is identified, the potential impacts resulting from loss of facilities, infrastructure, personnel, or supply chain should be examined for each process. Key minimum recovery components should be detailed for each critical process. Critical processes that are recovered to a minimum acceptable level of operation within a specified time frame, reduce the overall potential damage to the business. Through business impact analysis, companies can limit the financial and non-financial impacts of incidents associated with emergency situations that strain “business as usual”.
An effective BIA consists of five elements: Executive Sponsorship, Understanding the Organisation, BIA Tools, BIA Processes and BIA Findings.
Element One: Executive Sponsorship
Creating and conducting a Business Impact Analysis requires support of the executives in your company. Without management support, the analysis is destined to fail. Executive backing gives you the clout you need to get cooperation and priority with other departments within the organization. The most efficient and effective way to get management support is to ensure there is communication from the top down. The communication can be in the form of an email, a town hall meeting or a managers' meeting. Stress the importance of the BIA in keeping the business up and running in the case of a disaster.
Element Two: Understand the Organization
It will be impossible to complete the second element of a Business Impact Analysis unless you have identified all the critical business functions and processes your company performs. Look to the company's organizational structure, divisions and departments to find key contacts or subject matter experts who can help you identify and learn about the processes that will be impacted by a disaster. Business processes, systems and functions should be considered critical if the failure to perform them would result in unacceptable damage to the company.
Element Three: Business Impact Analysis Tools
Business Impact Analysis tools are the core of a successful analysis. These tools come into play after you have completed your review of the business and understand what part each process, function and system plays in the overall day-to-day operations. Use tools such as organizational charts, interviews, questionnaires, data flow diagrams and BIA software to gather data necessary to analyze the potential impact of a disaster on the business.
Element Four: Business Impact Analysis Process
Using the tools of BIA, list each business process and function. Designate each process as critical or non-critical to conducting business. Compile a list of personnel who must be in place to perform these functions. For the critical functions, gather detailed information about how each is performed, who performs it, and the operational and financial impact of interruption to each on the first day of interruption. Continue to do this after the first week of interruption, after 30 days, and so forth. Determine a target recovery date for each process, each business system and each business-critical function. Identify internal and external business dependencies. For example, list vendors who must be alerted to your status or new temporary location. Finally, designate a safe place for all the Business Impact Analysis data to be stored for future reference in the event of a disaster.
Element Five: Business Impact Analysis Findings
The final element of a Business Impact Analysis is to confirm and present the findings. Confirm your findings with department managers or key personnel to ensure that what you have determined is accurate and realistic. Present your BIA findings to the executive management team to gain approval to use the findings to develop business recovery strategies.
What is business continuity planning?
Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations of an organization. Business Continuity Planning is a proactive planning process that ensures critical services or products are delivered during a disruption.
A Business Continuity Plan includes:
Having a BCP enhances an organization's image with employees, shareholders and customers by demonstrating a proactive attitude. Additional benefits include improvement in overall organizational efficiency and identifying the relationship of assets and human and financial resources to critical services and deliverables.
Why is business continuity planning important
Every organization is at risk from potential disasters that include:
Creating and maintaining a BCP helps ensure that an institution has the resources and information needed to deal with these emergencies.
Creating a business continuity plan
A BCP typically includes five sections:
Establish control
A BCP contains a governance structure often in the form of a committee that will ensure senior management commitments and define senior management roles and responsibilities.
The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP. It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities.
Senior managers or a BCP Committee would normally:
This BCP committee is normally comprised of the following members:
The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.
Business impact analysis
The purpose of the BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions.
Identify the mandate and critical aspects of an organization
This step determines what goods or services it must be delivered. Information can be obtained from the mission statement of the organization, and legal requirements for delivering specific services and products.
Prioritize critical services or products
Once the critical services or products are identified, they must be prioritized based on minimum acceptable delivery levels and the maximum period of time the service can be down before severe damage to the organization results. To determine the ranking of critical services, information is required to determine impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses.
Identify impacts of disruptions
The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability. It will be necessary to determine the time period that a service or product could be unavailable before severe impact is felt.
Identify areas of potential revenue loss
To determine the loss of revenue, it is necessary to determine which processes and functions that support service or product delivery are involved with the creation of revenue. If these processes and functions are not performed, is revenue lost? How much? If services or goods cannot be provided, would the organization lose revenue? If so, how much revenue, and for what length of time? If clients cannot access certain services or products would they then to go to another provider, resulting in further loss of revenue?
Identify additional expenses
If a business function or process is inoperable, how long would it take before additional expenses would start to add up? How long could the function be unavailable before extra personnel would have to be hired? Would fines or penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?
Identify intangible losses
Estimates are required to determine the approximate cost of the loss of consumer and investor confidence, damage to reputation, loss of competitiveness, reduced market share, and violation of laws and regulations. Loss of image or reputation is especially important for public institutions as they are often perceived as having higher standards.
Insurance requirements
Since few organizations can afford to pay the full costs of a recovery; having insurance ensures that recovery is fully or partially financed.
When considering insurance options, decide what threats to cover. It is important to use the BIA to help decide both what needs insurance coverage, and the corresponding level of coverage. Some aspects of an operation may be overinsured, or underinsured. Minimize the possibility of overlooking a scenario, and to ensure coverage for all eventualities.
Document the level of coverage of your institutional policy, and examine the policy for uninsured areas and non specified levels of coverage. Property insurance may not cover all perils (steam explosion, water damage, and damage from excessive ice and snow not removed by the owner). Coverage for such eventualities is available as an extension in the policy.
When submitting a claim, or talking to an adjustor, clear communication and understanding is important. Ensure that the adjustor understands the expected full recovery time when documenting losses. The burden of proof when making claims lies with the policyholder and requires valid and accurate documentation.
Include an expert or an insurance team when developing the response plan.
Ranking
Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined.
Identify dependencies
It is important to identify the internal and external dependencies of critical services or products, since service delivery relies on those dependencies.
Internal dependencies include employee availability, corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and support services such as finance, human resources, security and information technology support.
External dependencies include suppliers, any external corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety service.
Plans for business continuity
This step consists of the preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at a minimum service levels within tolerable down times. Continuity plans should be made for each critical service or product.
Mitigating threats and risks
Threats and risks are identified in the BIA or in a full-threat-and-risk assessment. Moderating risk is an ongoing process, and should be performed even when the BCP is not activated. For example, if an organization requires electricity for production, the risk of a short term power outage can be mitigated by installing stand-by generators.
Another example would be an organization that relies on internal and external telecommunications to function effectively. Communications failures can be minimized by using alternate communications networks, or installing redundant systems.
Analyze current recovery capabilities
Consider recovery arrangements the organization already has in place, and their continued applicability. Include them in the BCP if they are relevant.
Create continuity plans
Plans for the continuity of services and products are based on the results of the BIA. Ensure that plans are made for increasing levels of severity of impact from a disruption. For example, if limited flooding occurs beside an organization's building, sand bagging may be used in response. If water rises to the first floor, work could be moved to another company building or higher in the same building. If the flooding is severe, the relocation of critical parts of the business to another area until flooding subsides may be the best option.
Another example would be a company that uses paper forms to keep track of inventory until computers or servers are repaired, or electrical service is restored. For other institutions, such as large financial firms, any computer disruptions may be unacceptable, and an alternate site and data replication technology must be used.
The risks and benefits of each possible option for the plan should be considered, keeping cost, flexibility and probable disruption scenarios in mind. For each critical service or product, choose the most realistic and effective options when creating the overall plan.
Response preparation
Proper response to a crisis for the organization requires teams to lead and support recovery and response operations. Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.
The number and scope of teams will vary depending on organization's size, function and structure, and can include:
The duties and responsibilities for each team must be defined, and include identifying the team members and authority structure, identifying the specific team tasks, member's roles and responsibilities, creation of contact lists and identifying possible alternate members.
For the teams to function in spite of personnel loss or availability, it may be necessary to multitask teams and provide cross-team training.
Alternate facilities
If an organization's main facility or Information Technology assets, networks and applications are lost, an alternate facility should be available. There are three types of alternate facility:
When considering the type of alternate facility, consider all factors, including threats and risks, maximum allowable downtime and cost.
For security reasons, some organizations employ hardened alternate sites. Hardened sites contain security features that minimize disruptions. Hardened sites may have alternate power supplies; back-up generation capability; high levels of physical security; and protection from electronic surveillance or intrusion.
Readiness procedures
Training
Business continuity plans can be smoothly and effectively implemented by:
Exercises
After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the best method for validating a plan. The following items should be incorporated when planning an exercise:
Goal
The part of the BCP to be tested.
Objectives
The anticipated results. Objectives should be challenging, specific, measurable, achievable, realistic and timely.
Scope
Identifies the departments or organizations involved, the geographical area, and the test conditions and presentation.
Artificial aspects and assumptions
Defines which exercise aspects are artificial or assumed, such as background information, procedures to be followed, and equipment availability.
Participant Instructions
Explains that the exercise provides an opportunity to test procedures before an actual disaster.
Exercise Narrative
Gives participants the necessary background information, sets the environment and prepares participants for action. It is important to include factors such as time, location, method of discovery and sequence of events, whether events are finished or still in progress, initial damage reports and any external conditions.
Communications for Participants
Enhanced realism can be achieved by giving participants access to emergency contact personnel who share in the exercise. Messages can also be passed to participants during an exercise to alter or create new conditions.
Testing and Post-Exercise Evaluation
The exercise should be monitored impartially to determine whether objectives were achieved. Participants' performance, including attitude, decisiveness, command, coordination, communication, and control should be assessed. Debriefing should be short, yet comprehensive, explaining what did and did not work, emphasizing successes and opportunities for improvement. Participant feedback should also be incorporated in the exercise evaluation.
Exercise complexity level can also be enhanced by focusing the exercise on one part of the BCP instead of involving the entire organization.
Quality assurance techniques
Review of the BCP should assess the plan's accuracy, relevance and effectiveness. It should also uncover which aspects of a BCP need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. The appraisal can be performed by an internal review, or by an external audit.
Internal review
It is recommended that organizations review their BCP:
External audit
When auditing the BCP, consultants nominally verify:
What to do when a disruption occurs
Disruptions are handled in three steps:
Response
Incident response involves the deployment of teams, plans, measures and arrangements. The following tasks are accomplished during the response phase:
Incident management
Incident management includes the following measures:
Communications management
Communications management is essential to control rumors, maintain contact with the media, emergency services and vendors, and assure employees, the public and other affected stakeholders. Communications management requirements may necessitate building redundancies into communications systems and creating a communications plan to adequately address all requirements.
Operations management
An Emergency Operations Center (EOC) can be used to manage operations in the event of a disruption. Having a centralized EOC where information and resources can be coordinated, managed and documented helps ensure effective and efficient response.
Continuation
Ensure that all time-sensitive critical services or products are continuously delivered or not disrupted for longer than is permissible.
Recovery and restoration
The goal of recovery and restoration operations is to, recover the facility or operation and maintain critical service or product delivery. Recovery and restoration includes:
1. Business Impact Analysis (BIA) is the process of evaluating a business’s critical systems to determine...
1. It important to write-block a phone before doing forensic analysis to make certain data is not copied to the phone. A. True B. False 2. Which of the following is a 4G standard? A. EDGE B. GSM C. LTE D. GSM4 3. Where is the data for roaming phones stored? A. VLR B. HLR C. BTS D. GSM 4. All devices are in the __________ state when received from the manufacturer. 5. You are performing a forensic analysis on...
Create a Business Impact Analysis (BIA) Plan for this scenario. Scenario: You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the organization and generates $500 million USD in annual revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a colocation data center,...
Address the following by evaluating your position on Critical Thinking Situation: Critical factors for successful implementation of enterprise systems Enterprise resource planning (ERP) systems have emerged as the core of successful information management and the enterprise backbone of organizations. The difficulties of ERP implementations have been widely cited in the literature but research on the critical factors for initial and ongoing ERP implementation success is rare and fragmented. Through a comprehensive review of the literature, Various factors were found to...
Read the following and answer the question? Beginning the Contingency Planning Process Fundamentally, the contingency planning process describes comprehensive procedures used by organizations to plan, detect, and respond to various situations. The primary objective of contingency planning is to restore standard operational procedure and eliminate possible distractions (Whitman, Mattord, & Green, 2013). To begin the contingency planning processes, organizations should first identify effective policies and plans and implementing agencies. Correspondingly, the organization should develop response, disaster recovery, business continuity, and...
Identifying flaws in contingency plan Objectives: Research real world incidents, identify shortcoming (IR, BP or CP) and recommend possible solutions. Course Learning Outcomes: CL05, CL01: Student will be able to understand, implement and bring recommendations to contingency plan Tools or Equipment Needed: PC Internet explorer or chrome Internet Theoretical Background: A contingency plan is a course of action designed to help an organization respond effectively to a significant future event or situation that may or may not happen. A contingency...
conduct a market analysis whether you are starting a new business or launching a new product, conducting a marketing analysis is the first step in determining if there is a need or audience for your idea. Knowing in the market's needs and how it is currently serviced provides you with key information that is essential in developing your product/service and marketing plan. Too often, businesses spend thousands of dollars launching a "new" idea with a limited market because of competition....
Personal Business PlanThe point of this question is writing a personal business planPlease you can choose any type of business you want.(Example: opening a Grocery)"write" Personal Business Plan and highlight how entrepreneurship and innovation could play a role in their personal and career pathsCover all following kind of information1. Name of the company or Business• Select the right name which demonstrate your business activities• The Name which is available• The name is easy to save in memory• Not be in...
TASK Read the Regional gardens case study document before attempting this assignment. Background: You have been employed by Regional Gardens as their first Chief Information Officer (CIO). You have been tasked by the Board to conduct a review of the company’s risks and start to deploy security policies to protect their data and resources. You are concerned that the company has no existing contingency plans in case of a disaster. The Board indicated that some of their basic requirements for...
1. Explain the importance of an organization-specific down 4. Describe key components of a business continuity plan time risk assessment. 2. Describe the pros and cons of different assessment tools and (a) how they might differ for different types of orga- nizations and (b) how they might differ depending on for evaluating downtime events and discuss scenarios in EHR maturity level. which they might be used to their best advantage. 3. Compare and contrast the roles of the informatician, the...
Explain what enterprise resource planning (ERP) systems. Outline several of their key characteristics. Describe in reasonable detail how a company leverages an ERP system and how its operations are improved after installing an ERP system like SAP. Explain how a supply chain management system helps an organization make its operations more efficient What is Upstream and Downstream management of the supply chain? Explain the concept of “Supply Network”, its benefits, and how technology made this concept available Explain the difference...