Read/Post Comment: 0 Posted by Thomas Omogi

 / 
03.02.2016

Business Impact Analysis and its Role in Business Continuity Planning. By Thomas Omogi Freelance Journalist 

Utilizing the Business Impact Analysis to Enhance Business Continuity Planning Effective enterprise management requires the development of an encompassing business continuity plan (BCP) as a critical plank in the business continuity planning platform. The BCP should mirror the complexity and size of the institution and should be consistent with the company’s comprehensive business strategy. The objective of the BCP should be to mitigate potential financial loss to the organization, serve internal and external clients with few disruptions, and minimize the negative impact of any disruption upon the operations of the organization. Periodic review of the business continuity planning practice, which must include an assessment of the relevant BCP, should become an established process. Changes in business practices and cyber crime related terrorism concerns, current catastrophic natural disasters, and the potential for a pandemic have resulted in deeper attention to the need for a comprehensive BCP. As a result, these issues should be integrated into the BCP process. Enterprise management must account for the possibility for regional disasters that could impact an entire region, thereby causing significant losses to the organization. Moreover, the BCP process should integrate the interdependencies among industry participants, both geographic and market-based. In many instances, recovery time objectives (RTOs) have decreased in recent years, and for some organizations, RTOs are counted in hours rather than days. Consequently, every well-managed organization should anticipate and plan for potential disruptions to ensure the BCP and related processes adequately address the lessons learned from previous negative events. Business Continuity Planning and Processes The BCP process includes the restoration, resumption and retention of the entire business, but at the core involves the technology component. While the restoration of electronic data and IT systems remains crucial, resumption of these operations will most likely be inadequate to restore comprehensive operations. Business continuity planning requires the evolvement of an enterprise-wide plan and the ranking of operational objectives that are critical for recovery. This enterprise-wide platform should account for each critical process, department, business division and system, including how each will respond to negative disruptions and which solutions will be implemented. Moreover, this platform should include plans for both short- and long-term recovery operations. Without an encompassing continuity plan that incorporates every critical plank of the entire operation, an enterprise may fail to restore customer service at profitable levels. In addition, management must prioritize critical operations and organizational objectives that impact the survival of the enterprise as the complete restoration of each organizational unit may prove unfeasible due to logistics, costs or other unforeseen situations. Business continuity planning assimilates the organization’s role within its respective industry. Indeed, in today’s interconnected world, a BCP may need to examine the organization’s role to ancillary industries as well. Industry participants that perform logistical, supply chain related activities for crucial market participants (core organizations) and enterprises that process high percentage of transactions in the industry should be evaluated in relation to governmental guidelines and industry standards, when applicable, to ensure the maintenance of support service and activities. Based upon these criteria, key industry participants should identify their critical operations, thereby establishing the ability to restore and resume key operations within the RTO, and routinely test restoration and resumption procedures. Because these enterprises participate along a multi-industry spectrum, they must recognize that the failure to perform crucial activities could represent systemic risk for organizations up and down that spectrum, and they must address their roles in maintaining optimum performance in support of entire sectors. Moreover, ancillary institutions that have a more indirect impact on the primary industry on regional and national levels rather than international, should be expected to implement a BCP in relation to their importance to the wider market. In addition, smaller, less complex organizations should develop appropriate BCPs that assimilate comprehensive restoration guidelines in relation to their size and risk profile. This process should also include regular, period updates based upon audit recommendations, business processes and lessons learned through testing. Changes to business processes may involve technology advancements resulting in quicker, more efficient processing, which decrease the acceptable RTO. In response to customer demand and competition, many enterprises are adopting shorter RTOs and incorporating technology recovery solutions directly into the business process. These lightning fast technological advancements accentuate the gravity of maintaining an enterprise-wide, current BCP. In addition, several industry best practices used commonly to keep a BCP current include: Performance of periodic audits and yearly, or more frequent, testing of the BCP; Assigning responsibility of the periodic assessment of the BCP to a planning group, coordinator, committee or department; Integrating BCP maintenance duties directly in the respective employee job descriptions and into employee evaluations; and Assimilating BCP planning into every organizational decision. Thus, each institution should adopt process-oriented, cyclical approaches to business continuity planning. Moreover, this approach should include four critical steps in the planning process including: Business Impact Analysis Risk Assessment Risk Management Risk Monitoring and Testing While this method represents four steps, the comprehensive continuity planning process is a continuous cycle that evolves with each review based upon changes in business operations, potential threats, test results and audit recommendations. In addition, the process should address each critical business function and the IT that supports that function. Thus, other standards, policies and processes will conform to the overall BCP. Business Impact Analysis The first step an enterprise takes in the business continuity process is the development and implementation of the business impact analysis (BIA). The amount of resources and time necessary to complete the BIA will be based upon the complexity and size of the organization, and it should include a work flow analysis that assesses and prioritizes the operational functions and processes that will need to be restored in case of failure or disruption. The work flow analysis must be dynamic in order to identify the interdependencies between departments, critical operations, services and personnel. The determination of these interdependencies should assist management in prioritizing the business processes and functions as well as the total effect on RTOs. Once management has assessed and prioritized business processes and functions, the BIA should detail the potential impact of negative, uncontrolled events on those processes and functions. Non-specific events must be identified allowing management to concentrate on the effects of a wide range of disruptions rather than specific threats, which many not materialize. Contemporaneously, management should also address potential threats that may be particular to the organization’s region. These may include flood-prone or earthquake-prone areas, or geographical locales susceptible to hurricanes or tornadoes. In addition to determining the effect of non-specific events on business processes and functions, the BIA should consider the effect of legal and regulatory mandates. For example, the BIA should assess the effects of compromised consumer data, which can bring about a loss of public confidence or regulatory concerns. By determining the possible impact of these issues in advance, management has a better grasp on the business processes and functions that may be negatively affected. Management must account for any regulatory requirements pertaining to notification to any governmental regulator when facilities are moved. In addition, the BIA should estimate the maximum permissible downtown for crucial business processes and functions and the permissible level of losses related to the estimated downtime, such as losses in operations, finances, data, market share and reputation. Included in the BIA should be a management decision regarding how long the systems can face downtime before the losses reach critical mass and how much data the enterprise can lose with a threat to survival. The results of these steps will assist the enterprise with establishing attainable RTOs for restoration of the critical path, which reflects those processes or systems that must have the highest priority during restoration and recovery. These restoration objectives should be assessed concurrently to identify with greater accuracy the total downtime an enterprise may experience before survival is endangered. Moreover, the restoration objectives must require management to identify which technologies, essential personnel, facilities, vital records, data and communication systems must be recovered and which sequence must be adhere to so that activities along the critical path secure the highest priority. One crucial advantage to analyzing permissible downtime and restoration objectives remains the potential support that analysis can provide for the funding requirements of a specific restoration solution based upon the losses that are pre-determined and the importance of identified business processes and functions. The personnel responsible for the business impact analysis should consider creating uniform inventory and interview queries that can be used across the organization. Uniformity can produce better consistency in responses and assist management involved in the analysis phase to evaluate and compare business processes. Initially, the analysis phase may result in priorities that focus on the achievement of strategic objectives and the maintenance of sound practices. Yet, this prioritization may need revisions once the organizational processes are modeled against a range of threat scenarios, thus resulting in an evolved, comprehensive BCP. When identifying an organization’s critical needs, all processes, functions and personnel should be part of that analysis. In addition, in documenting the functions that are mission critical, each division must consider the following questions: What crucial interdependencies exist between internal applications, systems, departments and business processes? How would each division function if the network, mainframe and/or Internet access be compromised? What specialized technology or equipment would be required, and what would its use be? What and where are the single points of failure and what is the crucial significance of those risks? What are the mission critical outsourced dependencies and relationships? What are the mandatory responsibilities between the enterprise and third-party service providers as defined in the SLA? What crucial security and operational controls need implementation prior to restoration? What is the minimum level of staffing and amount of space necessary at a recovery site? What special supplies or forms are required for a recovery site? What equipment would be necessary at a restoration site to communicate with customers, vendors and employees? What is the possible impact is combined restoration sites need to serve multiple customers? Have personnel received cross training and has the BIA defined back-up roles or functions that staff may need to perform if key employees are not available? Are the personal requirements of staff adequately addressed? Have the liquidity requirements and cash management issues been addressed? The completed BIA should be evaluated as a condition of the risk assessment process and integrated into, and tested as a component of, the BCP. Moreover, the completed BIA should be reviewed by senior management and the board on a regular basis and amended to reflect changes in audit recommendations, business operations and lessons learned from the testing procedures. For security, a copy of the completed business impact analysis should be stored at a secured, offsite facility for access if necessary. Risk Assessment The risk assessment step is highly crucial and weighs heavily on the success of the business continuity planning efforts. As part of the risk assessment step, the BIA assumptions and business processes receive evaluation against a variety of threat scenarios. This will produce a range of potential outcomes that may require adjustments to the BCP. Industry-critical organizations should utilize realistic threat scenarios that could disrupt their business operations and their abilities to meet customer expectations, whether those customers are internal, external, suppliers or business partners. The threats should take a wide array of forms, including technical and natural disasters, malicious activity and pandemic threats. When possible, organizations should analyze various threats by utilizing a non-specific, all-encompassing method of planning that targets the impact of the threat rather than the nature of the threat. For instance, the impact of various threat scenarios could include disruptions that affect work areas, facilities, systems or regional geographies. In addition, the magnitude of the potential disruption should account for a wide range of threat scenarios based on potential circumstances, events and practical experiences. If the threat scenarios are too narrow, the BCP may fail to be comprehensive and omit common steps necessary for at timely restoration after a disruption. Moreover, threat scenarios must address the severity of a disaster, basing it on the impact and the probable disruptions resulting from those identified threats. Threats may fall along a continuum from a high probability of incident and a low impact on the enterprise, such as a brief interruption in power supply, to threats with a low probability of incident with a high impact on the enterprise, such as terrorist attacks or tornadoes. The most complex threats to assess are those with a low probability of incident but a high impact to the business. Yet, thorough non-specific, comprehensive risk planning will result in a BCP that is adaptable and flexible through all types of scenarios. When determining the probability of various disruptions, organizations and their technology service providers should account for the geographic location of each facility, their adjacency to critical infrastructure, such as power sources, railroads, major highways, airports and nuclear power plants, and their susceptibility to external threats. While unpleasant to think about, worst-case scenarios must be integrated into the BIA, and these include total destruction of crucial facilities to a loss of life. In addition, external factors should be analyzed to estimate the probability of incident. External factors may be reviewed using open communication with government officials, community leaders and regulatory agencies. For instance, enterprises should monitor alerts sent out by agencies such as the World Health Organization and the Department of Homeland Security, which offer data regarding environmental risks and terrorist activity respectively. After analyzing the probability, impact and resulting severity of determined threats, the business can prioritize its processes and estimate potential disruptions utilizing a variety of threat scenarios. The resulting probability of incidence can be based on a rating rubric of low, medium and high. Once this is done, the organization can take the business continuity planning process one step further and perform a gap analysis. In relation to the BIA, the gap analysis is a methodical contrasting of the policies and procedures the organization has established to implement restoration, resumption and retention of regular business operations in comparison to what the current BCP provides. The difference between the BIA and BCP represents additional threat exposure that management should act upon as it develops the comprehensive BCP. Risk Management The risk assessment and BIA form the foundational platform of the BCP. Thus, the BCP should be developed to address the entire enterprise, and it should be reviewed and approved by senior management as well as the board on a regular basis. Subsequent to approval, the final product should be disseminated to all relevant personnel for timely implementation. Moreover, every organization should implement a BCP that details the business continuity strategies and the required procedures to restore, resume and retain all crucial functions, operations and processes. Some enterprises may elect to develop their own internal BCP, while other organizations may choose to utilize third-parties to develop and maintain their business continuity plan. However, while outsourcing the development of the BCP can be a viable choice, the board and senior management remain ultimately responsible for its maintenance and implementation. Thus, senior management should have a comprehensive understanding of the negative impact of potential threats, retain the capability to establish mitigating controls, and ensure that the plan can be properly implemented by appropriate personnel and validated with encompassing testing. Therefore, when choosing to outsource the development of a BCP, senior management must ensure that the third-party service has more than adequate knowledge and expertise to thoroughly analyze and address the company’s operations. The service provider should have the capacity to create executable strategies relevant to the enterprise’s risk profile, design training and education programs required for the successful deployment of the plan, and follow up with adjustments when necessary to account for process changes. A comprehensive BCP will thoroughly detail the variety of events that could prompt the company to formally declare a disaster and invoke the BCP. It should also iterate the procedures and responsibilities that each continuity team must adhere to, have updated contact lists of key staff, detail communication processes for external and internal stakeholders, include procedures for approval of unexpected expenses, and identify relocation procedures to back-up facilities. In addition, the BCP should specify the immediate steps to be followed during a critical disruption in order to provide for the safety of staff and mitigate damage incurred by the organization. The plan must include exacting procedures to implement the top priorities for critical rather than non-critical operations, functions and processes. Specific, detailed procedures to ensure restoration of each critical function should be fully developed so that staff will understand their roles in the restoration process and efficiently implement the BCP within the RTO. The risk assessment and BIA should be incorporated into the BCP by integrating the identified changes in external and internal conditions and the effects of various threats that could disrupt the business operations instead of on specific events with a low probability of incidence. Examples of the effects of various threats can include any or all of the following: Vital records can be accessed Liquidity requirements cannot be met Utilities are not accessible, such as power and telecommunications Third-party services are not accessible Data and software may be corrupted or otherwise inaccessible Hardware or equipment has been destroyed or is malfunctioning Critical facilities, buildings or geographic locations are not reachable Critical staff are unavailable or inaccessible Risk Monitoring and Testing Risk monitoring and testing represent a necessary operation to ensure the viability of the business continuity planning process throughout the execution of the BIA and risk assessment within the BCP on an enterprise-wide basis. The testing program has been elevated to a higher priority as a result of recent, catastrophic financial, natural and economic disasters. This heightened focus worldwide comes from the success of the testing programs that provide viability and validity to the BCP. With this in mind, common principles have been developed to follow for high-quality testing. The principles outlined below should be followed with any business continuity testing program across any industry, regardless of their reliance upon third-party service providers or an internal development program: Responsibilities and roles for evaluation and implementation of the testing program should be detailed as specifically as possible The risk assessment and BIA should be utilized as the foundational platform of the testing program, in addition to the BCP that it verifies The depth and breadth of the testing activities should be in relation to the importance of the tested procedure to the entire enterprise in addition to critical areas within the greater industry Organization-wide testing should take place on a year basis as a minimum, more frequently for mission critical operations Management should view testing as a continuous cycle that evolves, and organizations should strive for an integrated, comprehensive program that integrates testing of the interdependencies Organizations should utilize testing to demonstrate that the BCP has the capabilities of sustaining the business until operations are restored and fully functioning The testing program should face scrutiny and review by an outside, independent source Test results should be contrasted to the BCP to determine any gaps between the business continuity guidelines and the test program, with adjustments to address those gaps incorporated into the BCP A significant challenge for the board and senior management is to create a testing program with a high level of assurance for the continuance of the mission-critical processes, including supporting systems, infrastructure and applications, without negatively impacting production facilities. Thus, a robust testing procedure will assimilate responsibilities and roles, the execution, independent assessment, evaluation, the execution and reporting of testing results, as well as adjustments to the overall BCP and test program. Board and Senior Management Responsibilities The senior management and board remain responsible for the oversight of the business continuity planning process, which involves: Ensuring the BCP receives reviews and updates to reflect the changing operating environment Review the BCP test procedures and program on a regular, periodic basis Ensure that staff have received education and training on the BCP and know the roles in the execution of the plan Ensure the BCP receives independent review for periodic approval Allocate sufficient financial resources and appoint knowledgeable staff to properly execute the BCP Establish policies by identifying how the enterprise will mitigate and control risks The organization’s senior management and board hold the responsibility to ensure that the company determines, assesses, manages, prioritizes and mitigates risks as an element of the business continuity planning process. Together, they must establish policies to delineate how the organization will mitigate and control the identified risks. Once the policies are established, senior management and the board must review the consequences of those risks and support the periodic adjustments to update a viable BCP. Moreover, management and the board must allocate sufficient financial support and appoint knowledgeable staff to implement an efficient BCP. A large, complex organization may require an entire department devoted to planning for business continuity with teams of division liaisons throughout the company. Smaller businesses may need only a single coordinator. Moreover, businesses may need to select a committee or group that meets on a regular basis to explore topical issues, such as employee training, policy changes and testing plans. Regardless of how staffing resources are appointed, management must establish responsibilities, roles and succession plans in case of disruptions that may negatively impact the overall enterprise. The senior management and board must also ensure adequate financial resources to pay for unexpected expenses that may be related to finding alternative arrangements, comprehensive insurance policies, or business restoration. Senior management and the board must also ensure that the BCP receives independent review by an external or internal auditor at least once a year. Moreover, the management and board must review and approve the plan on a regular, periodic basis determined by the changes in the business environment, policy revisions, lessons learned from testing and examination and audit recommendations. The review methods will ensure better validation of the BCP planning process. Once the business continuity plan has been approved, the management and board must ensure that an encompassing training program is implemented. As part of this element, they must take steps to ensure that staff understand their responsibilities and roles as determined within the BCP. Consequently, they should provide oversight on the creation of the business continuity training program and verify that new and existing staff receive regular training on a continual basis. These instructional programs may involve classroom education, hands-on experience, and computer-based training using a variety of testing procedures. To ensure the effectiveness of the plan, the management and board must facilitate enterprise-wide testing on a minimum of a yearly basis or more frequently depending upon the velocity of changes within the operational environment. They may also establish formal procedures for reporting the results on implementing the various BIA and BCP programs to management and the board. Summary In conclusion, a wide variety of critical factors reflect crucial planks in the foundational platform of an efficient business continuity planning program: The effective implementation and efficiency of a BCP depends highly on the support, involvement and review of senior management and the board of directors Business continuity planning takes an evolving, process-oriented method that includes a risk assessment, risk management, a BIA, and risk monitoring and testing The BCP and subsequent testing methods should address the needs of the entire organization in relation to its position in its industry and ancillary industries A comprehensive risk assessment and BIA should be the foundation of a thorough, encompassing BCP The effectiveness and efficiency of the BCP should be verified through yearly testing The test program and the BCP should be evaluated by the board and management, thoroughly documented, independently reviewed by a either an external or internal auditor process, and those results should be reported to the board of directors The test program and BCP should be revised as necessary to respond to and reflect changes in the business environment and operational functions Moreover, along with the BCP, other enterprise policies, processes and standards must be fully assimilated into the business continuity planning process.
Submitted by Thomas Omogi
printer friendly

You must be logged in to make comments on this site - please log in, or if you are not registered click here to signup


Protected by Copyscape Online Plagiarism Tool

Other News Sources


Twitter Feed

- Enter Tracking Number -