RISK MANAGEMENT STRATEGIES

Ten steps to a successful business impact analysis

Conducting a business impact analysis (BIA) is hard work and takes time. But once this data is collected, security practitioners can confidently request resources, and more importantly, prioritize security efforts across the enterprise.

Simply stated, a BIA is an analytic process that aims to reveal the business and operational impacts stemming from any number of incidents or events.

A BIA traditionally leads to a report detailing likely incidents and their related business impact in terms of time and dollars. For example, a BIA report for an online retailer may include a one-day Web site outage, with the loss calculated as the yearly gross sales divided by the number of days per year the site is open for business.

To conduct a BIA you need to understand your company's business operations in detail: roll up your sleeves and reach out to operational people to get the real picture. We were told of one such exercise from a consulting engagement at a large bank, where it was assumed that if the tellers lost their computer terminals the dollar impact per hour was in the millions. The tellers later explained that when the terminals aren't available they can continue accepting deposits and other transactions and manually batch them at the end of the day. There was actually a five- to seven-hour window with no real loss of revenue.

Here is a simple step-by-step approach that will put you on your way to conducting a successful BIA.

  1. Document the gross revenue and net profit your organization generates per year. This data sets the upper bound for business losses related to business operations.
  2. Define the critical business systems your organization operates. This data can be entered and tracked in a spreadsheet.
  3. Classify each system as business critical, important or non-critical. Ask system operators what would happen if a particular system was not available for an hour, a day or a week.
  4. Document which systems have cross dependencies. There may be non-critical systems that act as upstream or downstream components to critical systems.
  5. Estimate the financial, revenue and non-revenue impacts associated with each system. For example, a payment gateway server for fax orders that accounts for only 1% of the company's total revenue can easily be estimated as 0.01 x gross revenue.
  6. Estimate the cost to identify, remediate, recover and resume operations for each system in the spreadsheet.
  7. Identify the Maximum Acceptable Outage (MAO) for each system: the time from detection of the outage until its impact on the business becomes unacceptable.
  8. Identify and document potential system threats, severity and the probability at which they may occur. Threat statistics are available from a variety of sources and are used by insurance companies to calculate insurance premiums. Create a threat score for each incident type in a different section of the same spreadsheet.
  9. Now you have most of the data needed to start the calculation. It is best to use the simple formula functions a spreadsheet provides. For every system you have defined with a loss value, multiply each of the threat values from step eight by the combined loss values from step six to see the relative loss or impact per system. Do this on a line-item basis: for each system, calculate every listed threat, but leave out threats that are not physically possible for that system.
  10. In this last step, sort the data to show the top-priority systems from both a business-criticality and an impact perspective. In the spreadsheet, select all columns and use the "auto-filter" function on the data-sorting menu to link the columns relationally; you can then sort on any variable in the sheet. Optionally, create a scorecard-like report by dressing up the spreadsheet, or add a narrative document and use the spreadsheet as the supporting data source.
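
The spreadsheet described in steps 4 to 10, written as a small Python model. This is an added example, not code from the original article or from Saragosta Group; the revenue figures, threat probabilities, systems and dependencies are all constructed, and the threat score is taken to be an annual probability of occurrence.

```python
# Added example, not from the original article: a minimal BIA "spreadsheet"
# in code, following steps 4 to 10 above. All figures are constructed.
from dataclasses import dataclass, field
GROSS_REVENUE = 36_500_000.0   # step 1 (constructed): $100,000 per open day
DAYS_OPEN = 365

@dataclass
class System:
    name: str
    criticality: str          # step 3: critical / important / non-critical
    revenue_share: float      # step 5: fraction of gross revenue it carries
    recovery_cost: float      # step 6: identify, remediate, recover, resume
    mao_hours: float          # step 7: maximum acceptable outage
    depends_on: list = field(default_factory=list)   # step 4

# step 8 (constructed): threat score = probability of occurrence per year
THREATS = {"power outage": 0.30, "ransomware": 0.10, "hardware failure": 0.20}
def outage_loss(system, hours):
    """Revenue lost by an outage of `hours`; none inside the MAO window."""
    if hours <= system.mao_hours:   # manual workaround covers it (bank-teller case)
        return 0.0
    daily = GROSS_REVENUE * system.revenue_share / DAYS_OPEN
    return daily * (hours - system.mao_hours) / 24

def total_loss(system, systems, hours):
    """Recovery cost plus revenue lost here and by every dependent system."""
    loss = system.recovery_cost + outage_loss(system, hours)
    for other in systems:
        if system.name in other.depends_on:   # upstream component of `other`
            loss += outage_loss(other, hours)
    return loss

def expected_impact(system, systems, hours=24):
    """Step 9: one line item per threat, probability x combined loss."""
    loss = total_loss(system, systems, hours)
    return {threat: p * loss for threat, p in THREATS.items()}

def rank_systems(systems, hours=24):
    """Step 10: (name, criticality, total expected impact), highest first."""
    order = {"critical": 0, "important": 1, "non-critical": 2}
    rows = [(s.name, s.criticality,
             round(sum(expected_impact(s, systems, hours).values()), 2))
            for s in systems]
    return sorted(rows, key=lambda r: (-r[2], order[r[1]]))
SAMPLE = [   # constructed inventory for an online retailer
    System("web storefront", "critical", 0.60, 20_000, 1, ["inventory database"]),
    System("fax order gateway", "non-critical", 0.01, 2_000, 24),
    System("inventory database", "important", 0.0, 8_000, 4),
]
```

`rank_systems(SAMPLE)` places the inventory database second although it carries no revenue of its own, because the storefront depends on it (step 4); the fax gateway shows only its recovery cost, since a one-day outage sits inside its MAO.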

Your BIA report can be used to request and prioritize resources and incident-response activity. If done properly, it will be in a format your CFO and finance department can understand, and it will include impact data gathered from these very same people, overcoming any objections or pushback on the validity of your report and subsequent resource requests!

Saragosta Group offers leading practices in business continuity planning and risk management consultancy, and helps you identify and manage risks across the enterprise.

Contact Saragosta Group:

E-mail: Saragosta@Saragosta.com

Telephone: +48 22 697 79 70

Address: Ilmet, Al. J. Pawla II 15 / 10-05, 00-828 Warszawa
