How to Conduct a Business Impact Analysis and Risk Assessment
By Larry Pedrazoli, Business Recovery Analyst, Miller Brewing Company
February 2006 – Project Management Institute, La Crosse, WI Chapter

Agenda
- Contingency Planning Model
- BIA
- Risk Assessment
- Presenting Results to Leadership

Contingency Planning Model
(Model diagram: three layers, Crisis Management, Business Continuity and Disaster Recovery, at the Organization, Business and Technical levels respectively.)
- Crisis Management – The overall coordination of __________ response to a crisis in an effective, timely manner to avoid or minimize damage to our profitability, reputation, and ability to operate. [Lead: Legal or Risk Management]
- Business Continuity – Plans and activities designed to ensure continuity of services and support for _________ customers and to maintain its viability BEFORE, DURING and AFTER an event. [Lead: Combined effort, IS, Risk Management and Business]
- Disaster Recovery – Plans and activities designed to recover the __________ technical infrastructure and restore critical business applications to an acceptable condition. [Lead: IS]

Business Impact Analysis (BIA)
PURPOSE: To provide a factual, understandable, and informative set of findings that leadership can use to provide direction for development of the Business Continuity Program.

Business Impact Analysis (BIA)
OBJECTIVES:
Identify:
- Business functions and their dependence upon technology, infrastructure and applications
- Potential financial and operational impacts of disruption over time
- Interdependencies
- Legal and regulatory requirements
- Risks and single points of failure
- Critical records and documentation
- External resource products and services
- Departmental recovery requirements
Determine:
- Recovery timeframes and acceptable levels of data, operational and financial losses
Provide:
- Business case for the operational recovery strategies and recommended business recovery strategies

Business Impact Analysis (BIA)
ASSUMPTIONS:
- Executive Leadership will identify and make available division/department representatives qualified to participate in the Business Impact Analysis
- All information gathered in the interviews is assumed to be accurate; no independent audit steps will be taken to verify the data
- The BIA Report and Presentation will be based on the information gathered from representatives who participated in the BIA process
- Recommendations included in the BIA report and presentation will be made in response to the requirements received in the information gathering process

Business Impact Analysis (BIA)
CRITICAL SUCCESS FACTORS:
- Promote awareness of the possibility of a disaster
- Leverage compliance initiatives, industry regulations, recent disaster events
- Align with strategic and business objectives
- Perform an informal business impact analysis and risk assessment

Business Impact Analysis (BIA)
APPROACH:
- Questionnaires
- Interviews
- Workshops
- Combination of any or all of the above
PARTICIPANTS:
- Executive Management
- Managers / Directors

Business Impact Analysis (BIA)
7-STEP PROCESS:
1. Department Profile
2. Business Functions
3. IT Recovery Requirements (Disaster Recovery)
4. Business Function Impact
5. Critical Records and Documentation
6. External Business Partners, Vendors, and Supplier Products and Services
7. Department Recovery Requirements

Business Continuity Risk Assessment
PURPOSE: Determine the events and external surroundings that can adversely affect an organization and its resources, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss.
OBJECTIVE: Provide a cost-benefit analysis to justify investment in controls to mitigate risk.
THREATS:
- Natural
- Man-Made (Intentional)
- Man-Made (Unintentional)
- Business Risks
- Information Technology-Specific
- Other

Risk Assessment
LIKELIHOOD x THREAT FACTOR x IMPACT = Risk Score
Likelihood:
- Very High: More than two incidents per year
- High: 1 – 2 incidents per year
- Medium: 1 – 2 years between incidents
- Low: 2 – 5 years between incidents
- Very Low: 5+ years between incidents
Threat factor (Threat + 1): Speed of Onset, Warning, Duration
Impact:
- High: Service disrupted for more than 3 days. Impacts many business functions
- Medium: Service disruption between 1 – 3 days. Impacts one business function
- Low: Service disruption less than a day. Impacts a number of individuals

Risk Assessment
RISK REMEDIATION:
- Identify controls currently in place
- Identify potential remediation controls and rank them by cost:
  - Very High: Very high cost to remediate ($50,000.00+)
  - High: High cost to remediate ($10,001.00 – $50,000.00)
  - Medium: Medium cost to remediate ($1,001.00 – $10,000.00)
  - Low: Small cost to remediate ($100.00 – $1,000.00)
  - Very Low: No, or very low, cost to remediate (under $100.00)
- Use inverse scoring (the cheaper the control, the higher its score) to get the "best bang for your buck"

Presenting to Leadership
BIA RESULTS:
Report Minimums:
- Executive Summary
- Purpose
- Objectives
- Scope
- Approach
- Assumptions
- Key Take-Aways
- Recommendations
- Action Items
- Next Steps
Possible Core Metrics:
- Lowest RTO for systems
- Business Loss Matrix
- High-Level Business Function Recovery Timeline
- Flowcharts
- Processing Models
- Departmental Requirements Timeline
- Event Calendar

Presenting to Leadership
RISK ASSESSMENT RESULTS:
- Executive Summary
- Key Take-Aways
- Recommendations
- Risk Categories
- Risk Remediation
- Action Items
- Next Steps

Presenting to Leadership
RISK RANKINGS:
- Red is a high vulnerability: should be addressed immediately
- Yellow is a medium vulnerability: requires close monitoring for changes and escalation
- Green is a low vulnerability: requires monitoring; should be addressed as part of the organization's strategic vision

Presenting to Leadership
Risk register template (columns: Risk | Classification | Recommendation | Action Plan / Comments | Status), with example rows:
- Denial of Service Attack
- Power Outages
- System Performance
- Human Error

Risk Assessment
RISK ASSESSMENT RESULTS: RISK & IMPACT MATRIX
Quadrants (Risk on one axis, Impact on the other):
- High Risk / High Impact
- High Risk / Low Impact
- Low Risk / High Impact
- Low Risk / Low Impact

Wrap-Up
Questions?
Good luck! Feel free to contact me with questions.
Miller…Good Call!
Thank you
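The scoring from the Risk Assessment slides (Likelihood x Threat Factor x Impact, then ranking remediation controls by inverse cost) carried through in code. This is an added example, not material from the presentation; the numeric weight given to each rating band, the treatment of the three threat attributes as 0/1 flags summed and incremented by one, and the sample risk and controls are all assumptions.

```python
# Added example, not from the original presentation: score a risk as
# Likelihood x Threat Factor x Impact and rank controls by inverse cost scoring
# as the Risk Assessment slides describe. Band weights here are assumptions.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Inverse cost scoring: the cheaper the control, the higher its score.
INVERSE_COST = {"very high": 1, "high": 2, "medium": 3, "low": 4, "very low": 5}

def likelihood_band(y):
    # Deck thresholds: >2/yr very high, 1-2/yr high, 1-2 yrs between medium,
    # 2-5 yrs low, 5+ yrs very low; y is the mean interval between incidents.
    if y < 0.5: return "very high"
    if y <= 1: return "high"
    if y <= 2: return "medium"
    if y <= 5: return "low"
    return "very low"

def impact_band(days_disrupted):
    # Deck thresholds: >3 days high, 1-3 days medium, <1 day low
    # (assumption: outage length alone decides the band).
    if days_disrupted > 3: return "high"
    if days_disrupted >= 1: return "medium"
    return "low"

def cost_band(dollars):
    # Deck thresholds for remediation cost.
    if dollars < 100: return "very low"
    if dollars <= 1000: return "low"
    if dollars <= 10000: return "medium"
    if dollars <= 50000: return "high"
    return "very high"

def risk_score(years_between, days_disrupted, speed_of_onset, warning, duration):
    # Assumption: each threat attribute is 0 (benign) or 1 (adverse); the slide
    # adds 1 to the threat sum so the factor never zeroes the score.
    threat_factor = speed_of_onset + warning + duration + 1
    return (LIKELIHOOD[likelihood_band(years_between)] * threat_factor
            * IMPACT[impact_band(days_disrupted)])

def rank_controls(controls):
    # controls: (name, risk score addressed, remediation cost in dollars);
    # ranked by risk score x inverse cost score, best value first.
    scored = [(n, r * INVERSE_COST[cost_band(c)]) for n, r, c in controls]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed sample: power outage ~1/yr, 1.5 days down, sudden, unwarned, short.
POWER_OUTAGE = risk_score(1, 1.5, 1, 1, 0)  # 4 * 3 * 2 = 24
CANDIDATES = rank_controls([("UPS and generator", POWER_OUTAGE, 40000),
                            ("surge protectors", POWER_OUTAGE, 800)])
```

With these weights the cheaper control ranks first even though both address the same risk score; a real assessment would also weigh how much of the risk each control actually removes.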