Welcome
Charlotte NC Chapter
Wednesday, May 12, 2004
Hosted by:

The Business Impact Analysis
Presented by Dave Shimberg, CBCP
Based on materials from: Ken Jaunais, KPMG
May 14, 2004

Agenda
1. The Business Impact Analysis
   a. Why do I have to do this? – the Goals
   b. Now that I’ve taken my time to do it, what’s in it for me and my organization – the Objectives?
   c. Sounds easy, how do I do it – the Process?
2. Questions and Answers

BIA: The Goals
Two Primary Objectives
1) Information Gathering
   – Establish the value of each unit or resource as they relate to the function of the total organization
   – Provide the basis for identifying the critical/time-sensitive resources required to develop a business recovery strategy
   – Establish an order of priority to restoring the function of the organization in the event of an unplanned event
2) Sell / Justify BCP program

BIA: The Objectives
• Assess the impact(s) of an outage
• Determine time criticality of business processes, functions, departments, and work areas as related to total organization function
   – Risk Analysis (threat – impact – likelihood of occurrence)
• Determine time critical applications systems, data, and telecom
• Determine required availability time(s) for functional departments
• Determine interdependencies between processes
• Determine recovery resource requirements
   – People, work area, equipment, supplies, applications, other

The BIA - Phases
1. Project Planning
2. Data Collection
3. Data Analysis
4. Reporting Findings
5. Approval for Next Phase

The BIA Phases – Project Planning
1. Objectives - identify critical business functions and dependencies, impact of disruptions and resources
2. Scope - departmental, facility/complex, region, organization
   - At what level will BIA and planning be carried out?
   - Department Function
   - Process (based on process owner, may cross departments or other boundaries)

The BIA Phases – Planning (cont.)
What are you trying to analyze?
- Mission
- Service Objectives
- Dependencies
- Impacts over time – SLA, Financial, Legal or Regulatory, Customer Service, Market Share . . .

The BIA Phases – Planning (cont.)
Reference Materials?
- Business unit or Corporate Mission Statement
- SLAs
- Org Charts
- Policies and Procedures
- Annual Reports

The BIA Phases – Planning (cont.)
How are you going to collect the data?
- Questionnaire – Variety of tools, documents, applications
- Interview
- Combination

The BIA Phases – Data Collection
End user should be able to provide:
- Potential impact of mitigation
- Critical time periods
- Legal, regulatory, contractual requirements
- Financial impact
- Operational impact

The BIA Phases – Data Analysis
Quantitative Impact
• Losses identified in quantities, percentages, or factor of standard that can be described in monetary terms
• Sales, market share, penalties, assets, revenue, income
• Actual or order of magnitude – Quick Risk Rating tool may help
Effort Priorities are set by Risk and Impact
• Threat is something that poses a danger
• Risk is the probability that a threat will materialize measured in impact $

The BIA Phases – Data Analysis (cont.)
Qualitative Impact
• Intangible losses that can impact operations but that cannot be quantified in monetary terms
• Losses with financial impact that cannot be quantified
• Reputation, public image, morale, others?
• Efficiency, satisfaction, control, inter/intra-departmental
• Order of magnitude

The BIA Phases – Reporting Findings
• Who’s the audience?
• Policy and procedures
• Keep it Simple
• Graphical or narrative

The BIA – Sample BIA Results
The next several slides are for informational purposes

The BIA Phases – Sample BIA Results
[Four slides of sample results; figures not reproduced]

The BIA: It’s an Iterative Process
• SME, and/or whomever, complete questionnaire(s) on critical business processes/functions (Collect Data)
• BIA Workshop
• SME, and/or whomever, level-set process/function against benchmark to determine if additional drill-down into sub-processes is needed; if “Yes”, sub-process goes through cycle (Report/approval of Data)
• SME, and/or whomever, analyze process flows and BIA dependencies/impacts for critical processes/functions (Analyze Data)
• Core Business Function(s)
• SME, and/or whomever, review financial/capacity/time-dependent attributes for critical business processes/functions (Analyze/report Data)

The BIA – Questions and Answers
That’s all folks

The BIA – Focus Areas
The following slides represent traditional focus areas of the BIA
We can entertain discussing these slides as time permits

BIA: Focus Areas
• Section 1 – Critical Functions
• Section 2 – Cyclical Processing
• Section 3 – Processing Profile
• Section 4 – Service Level Agreements
• Section 5 – Estimated Personnel Requirements
• Section 6 – Business Relationships

BIA: Focus Areas (continued)
• Section 7 – Vital Records Identification
• Section 8 – Infrastructure Requirements
• Section 9 – Operational Impacts
• Section 10 – Financial Exposure Due to Loss of Function
• Section 11 – Operational Procedures
• Section 12 – Previous Disruptions
• Section 13 – Other issues and/or concerns

The BIA: Section 1, Critical Functions
Define the functions that are most important to your business. What triggers the function to start, and how do you know that the function has been successfully completed?

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | supply planning, processing (cleaning, filling, packaging, warehousing, quality control, etc.) . . . | payments made, files sent . . . |
| Shared Services | invoicing, order entry, cash receipts, purchasing, human resources, global raw spice purchasing . . . | same |
| R&D | product development, product creation . . . | same |

The BIA: Section 2, Cyclical Processing
Define during which months and weeks the performance of your functions is most important.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | seasonal requirements, customer supply and demand cycle . . . | daily, weekly, monthly schedules . . . |
| Shared Services | quarter and year-end close, recruiting, growing seasons . . . | same |
| R&D | new campaign cycles (internal and external) . . . | same |

The BIA: Section 3, Processing Profile
Quantify the peak period daily production of your critical functions. Also, quantify, in dollars, the daily peak production of your critical functions in terms of cost and revenue.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | Pounds/#’s of product – cleaned, palletized, number of trucks loaded . . . | daily, weekly, monthly schedules . . . |
| Shared Services | quarter and year-end close, recruiting, number of orders processed – entered, invoiced, payments processed . . . | same |
| R&D | number of projects in queue . . . | same |

The BIA: Section 4, Service Level Agreements
Identify who you have agreements with, what kind of agreements they are, and what the penalties are for non-compliance.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | purchasing, other Plants, 3rd Party warehouses, carriers . . . | clients, the Fed, vendors . . . |
| Shared Services | vendor, customer and employee master records . . . | same |
| R&D | new product development support, product quality support . . . | same |

The BIA: Section 5, Personnel Requirements
Quantify the total number of personnel required to perform each critical function (same day). Identify the staffing requirements to recover the critical functions over time. Consider that critical functions do not necessarily have to be fully staffed immediately.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | to run the various lines, warehousing . . . | mainframe and distributed system recovery, scheduling . . . |
| Shared Services | to do invoicing, purchasing . . . | same |
| R&D | to work on formulas, research . . . | same |

The BIA: Section 6, Business Relationships
Identify who you support and how you support them. What do you provide and how critical is it? What do others provide you and how critical is it to your processes?

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | different plants with raw and/or finished goods, on-site relationship managers, materials movement . . . | other banks, the Fed, clients . . . |
| Shared Services | invoicing, purchasing . . . | same |
| R&D | product management system, defect research . . . | same |

The BIA: Section 7, Vital Records
Identify documents by type that you require to perform your processes, how long you can be without them, and what form they take.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | product content, supply schedule, customer orders . . . | processing schedule, code . . . |
| Shared Services | I-9 forms, SLAs, contracts . . . | same |
| R&D | research notes, library materials . . . | same |

The BIA: Section 8, Infrastructure
What infrastructure requirements do you need to perform your critical functions – phones, fax, imaging system, etc.?

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | ERP package, product Management System . . . | ERP package, scheduling software . . . |
| Shared Services | ERP package . . . | Same |
| R&D | ERP package, product Management System . . . | Same |

The BIA: Section 9, Operational Impact
Quantify the impact that the loss of a critical business function would have over time.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | loss of one production over another, shipping orders to external versus internal customers . . . | In-flight payments may have a more significant impact than evening runs . . . |
| Shared Services | loss of SAP may significantly impact cash flow after Day 3; but order entry may not be impacted until Day 5 . . . | Same |
| R&D | loss of formula records/codes may have a significant impact on the same day; but defect research may only have a slight impact after Day 3 . . . | Same |

The BIA: Section 10, Financial Exposure
If the current recovery time is 48 – 72 to restore data, what financial impact will this have on your processes over time?

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | missed production shifts causes other plants to miss deadlines, where you are the sole provider missed shipment times causes customer to seek additional sources . . . | missed payment penalties, SLA fines . . . |
| Shared Services | missed investment opportunity, missed payment terms increases cost of production . . . | Same |
| R&D | inability to respond to defect inquiry causes customer to indefinitely pull product . . . | Same |

The BIA: Section 11, Operational Procedures
Are procedures documented; when were they last updated; are there alternate procedures; have they ever been tested; do people know about them?

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | Packaging line. Who’s in charge? Which products use the line? Where is product located? How is it delivered? What happens if something breaks? Transportation - Who is responsible for the process? Where are materials stored? What are the storage requirements? What triggers movement? . . . | Schedules, who to contact regarding outage . . . |
| Shared Services | Purchasing - Who is responsible? How are purchase orders created? How are vendors created? What are acceptable terms? . . . | Same |
| R&D | Formula/code generation. Who is responsible? Who needs to be informed? When and how? How is data collected? Where is the data stored? How is the data retrieved? . . . | Same |

The BIA: Section 12, Previous Disruptions
Identify disruptions, such as hurricanes (Isabel), that have had an impact on your critical functions and what the impact was.

| | Manufacturing | Financial Services |
|---|---|---|
| Operations | water main breaks, power spikes, icy roads . . . | Same |
| Shared Services | network outages . . . | Same |
| R&D | Same as above | Same |

The BIA: Section 13, Other Issues and Concerns
What hasn’t been addressed that you know will have an impact on your processes?
• Loss of intellectual property – internal and those entrusted to you by your customers
• Other Single Points of Failure