Business Impact Analysis Process
ISO22301 Toolkit Version 3 ©CertiKit 2016
Implementation Guidance (The header page and this section must be removed from the final version of the document)
Purpose of this document
This document sets out how the process of determining continuity and recovery priorities, objectives and targets will be carried out.
Areas of the standard addressed
The main sections of the ISO22301 standard addressed by this document are as follows: 8.2.2 Business impact analysis
General Guidance
It’s important that a defined process is followed when carrying out the business impact analysis due to the often difficult nature of the task. You will need to make sure that each step is carried out fully before moving on to the next. You may decide to use different criteria for the classification of impacts and to consider different timeframes when assessing the Maximum Tolerable Period of Disruption. The ISO22301 standard is not too prescriptive in the way in which the business impact analysis process is performed, so aspects of this document may be amended in line with the specific requirements of your organisation.
Review Frequency
We would recommend that this document is reviewed annually.
Toolkit Version Number
ISO22301 Toolkit Version 3 ©CertiKit 2016.
Document Fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
Version 1
Page 1 of 16
[Insert date]
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers
If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9.
If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly.
Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice
Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Business Impact Analysis Process
Document Ref.: BCMS-DOC-08-1
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History
Version | Date | Revision Author | Summary of Changes

Distribution
Name | Title

Approval
Name | Position | Signature | Date
Contents
1 Introduction 7
2 Business Impact Analysis Process 8
2.1 Process Diagram 8
2.2 Process Inputs 9
2.3 Process Activities 9
2.3.1 Establish the Context 9
2.3.2 Identification of Key Business Activities 10
2.3.3 Assessing the impact of disruption 11
2.3.4 Identifying the Recovery Time Objective (RTO) 12
2.3.5 Defining the recovery needs at the RTO 12
2.3.6 Prioritising the recovery process 13
2.3.7 Obtaining Management Approval for the BIA 13
2.3.8 Regular Review 13
2.4 Process Outputs 14
3 Roles and Responsibilities 15
3.1 RACI Chart 15
4 Conclusion 16

List of Figures
Figure 1 - Business Impact Analysis Process 8

List of Tables
Table 1 - RACI Chart 15
1 Introduction
The effective management of business continuity has always been a priority for [Organization Name], knowing as it does the high degree of reliance that its stakeholders place upon the continued operation of its critical business activities. However, there is still much to be gained by [Organization Name] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach to business continuity and to gain and maintain a better understanding of our customers’ needs and plans. The international standard for business continuity management, ISO 22301, was announced by the ISO in 2012. [Organization Name] has started on the road to adoption of the standard and has decided to pursue full certification to ISO 22301 in order that the effective adoption of best practice in business continuity management may be validated by an external third party.
2 Business Impact Analysis Process
2.1 Process Diagram
The process of business impact analysis is shown in the diagram below.
1. Establish the context
2. Identify the Key Business Activities
3. Assess the impact of disruption
4. Identify the Recovery Time Objective (RTO)
5. Define the recovery needs at the RTO
6. Prioritise the recovery process
7. Obtain Management Approval for the BIA
8. Regular Review
Figure 1 - Business Impact Analysis Process
Each step in this process is described in more detail in the rest of this document.
This process should be followed using the form Business Impact Analysis Workbook, which has pre-formulated templates for each of the steps described.
2.2 Process Inputs
The process of business impact analysis starts with a number of inputs which are needed to ensure that all of the steps can be completed successfully. These inputs should include where available:
- Business strategy, plans and objectives
- Business Continuity Context, Requirements and Scope
- Business Continuity Policy
- Business process documentation e.g. procedures
- Lists of team members by team
- Relevant contractual documentation
- Legal and regulatory requirements
- Relevant performance information e.g. number of calls normally taken, number of products produced
- Financial information regarding costs and contribution to turnover and profit
The availability of this information will ensure that the conclusions reached are based on factual data rather than approximations.
2.3 Process Activities
The following activities should be performed as part of the business impact analysis process. It is recommended that each step is undertaken as part of a series of structured workshops facilitated by an independent resource qualified in business continuity, if available.
2.3.1 Establish the Context
The overall environment in which the business impact analysis is carried out should be described and the reasons for it explained. This should include a description of the internal and external context and any recent changes that affect the impact of an inability to provide business activities in general. The internal context may include:
- governance, organizational structure, roles and accountabilities
- policies, objectives, and the strategies that are in place to achieve them
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)
- information systems, information flows and decision-making processes (both formal and informal)
- relationships with, and perceptions and values of, internal stakeholders
- the organization's culture
- standards, guidelines and models adopted by the organization
- form and extent of contractual relationships
The external context may include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
- key drivers and trends having impact on the objectives of the organization
- relationships with, and perceptions and values of, external stakeholders
The scope of the business impact analysis should also be defined. This may be expressed in terms of factors such as:
- geographical location e.g. countries, offices, data centres
- organizational units e.g. specific departments
- business process(es)
- IT services, systems and networks
- customers, products or services
2.3.2 Identification of Key Business Activities
It is important to fully identify those business activities that are key to the achievement of the organisation’s objectives as these will be the ones that will require the greatest degree of protection against disruption. The document Business Continuity Context, Requirements and Scope should help in defining the organization’s:
- Products and services
- Partners and suppliers
- Interested parties
- Business continuity objectives
- Risk appetite
- Scope of the BCMS
The key business activities will normally be those which provide a product or service to the customer. They will be supported by internal business processes that also need to be considered as part of the business impact analysis. It is recommended that an initial workshop is held with a relatively wide attendance to gain views on the key business activities from across the organisation. Function managers that are not able to attend should be consulted separately and/or encouraged to send a deputy to the meeting to ensure that all points of view are represented. For each business activity identified as being key, the following should also be established:
- The resources typically required to deliver the activity under normal circumstances
- The outcome or deliverable of the activity
- The legal, contractual and statutory obligations that apply to the activity
General agreement should be obtained within the organisation that the list of key business activities is correct before proceeding to the next step.
2.3.3 Assessing the impact of disruption
Having identified the key business activities it is now necessary to assess the impact of each activity being disrupted for increasing periods of time. The following types of impact should be considered:
- Customers – particularly whether any hardship will be experienced as a result of the product or service not being supplied
- Finance – how will the disruption affect short-term cash-flow and longer term revenue and profit?
- Health and Safety – will lives be put at risk as a result of the activity not being performed?
- Reputation – will the disruption be widely reported, or will it affect the confidence of suppliers, customers or other interested parties?
- Knock-on impact in the organisation – will other areas of the business be adversely affected by a disruption to the activity?
- Legal, contractual and statutory obligations – will a disruption result in breach of contract or an inability to meet legal obligations?
[You may decide to use different impact types; the ISO22301 standard is not prescriptive]
A scoring system on a scale of 1-5 will be used to assess the degree of impact in each of the above areas, where:
1 = None or minimal impact
2 = Some impact but manageable
3 = Moderate impact, an uncomfortable situation
4 = High, serious impact causing real hardship
5 = Very high, potentially catastrophic impact
[You may decide to use a different scoring system; the ISO22301 standard is not prescriptive]
In the event that there is disagreement about the level of impact that should apply, it is recommended that you err on the side of caution and assign the higher of the proposed impact scores.
Typically the impact of a disruption will change over time; it will usually (but not always) become more extreme the longer the disruption continues. It is therefore necessary to assess how the impact will develop across the following time periods:
- 1 hour
- 3 hours
- 1 day
- 3 days
- 1 week
- 1 month
[You may decide to use different time periods; the ISO22301 standard is not prescriptive]
This assessment will result in individual scores for each type of impact by time period and also a total score for each time period across all impact types.
2.3.4 Identifying the Recovery Time Objective (RTO)
The point at which the individual score in one or more impact types reaches a score of 4 (High, serious impact causing real hardship) or above represents the Maximum Tolerable Period of Disruption (MTPD, also known as Maximum Acceptable Outage, MAO) for that business activity. This is the point at which an alternative method of providing the business activity needs to be in place. The MTPD/MAO for a business activity becomes the Recovery Time Objective (RTO) for the business continuity strategy that will be adopted to address the requirement.
2.3.5 Defining the recovery needs at the RTO
Having established when a business activity must be recovered by, we also need to define what level of service will be acceptable at this point (this is known as the Minimum Business Continuity Objective or MBCO) and what resources will be needed by this time to allow this to happen. The MBCO may be expressed as a percentage of normal service or in any other appropriate terms e.g. numbers of people, transactions processed per hour or products produced. For each business activity, make a list of the quantities and types of resources required to satisfy the MBCO. The following checklist is a starting point for this:
- Staff
- Buildings (e.g. for delivery of frontline service)
- Work station (Desk, PC & Telephone)
- Specialist IT applications (please specify)
- Specialist equipment
- Information
- Internet Access
- Networked PCs
- Laptops
- Landlines
- Mobile Phones
- Fax Machine
- Work Vehicles
- Office Space (e.g. customer reception points, trading premises, storage space)
- Car Parking
- External suppliers
Depending on the business activity, there are likely to be further resources required that are not on this list; add them to the workbook where appropriate. For some activities it may also be necessary to identify the Recovery Point Objective (RPO, also known as the Maximum Data Loss, MDO), which in many cases refers to the point at which electronic data must be restored to. This is often stated in terms of time, e.g. two hours before the incident, but may also be defined in terms of any identifiable point from which recovery will start.
2.3.6 Prioritising the recovery process
Now that the business critical activities have been identified, and the impact of their disruption and their Recovery Time Objectives established, a priority order can be defined for the recovery of the activities. This will be used in the event of a disruptive event that affects multiple business activities, so that recovery resources may be allocated to the activities with the highest priority first.
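As an added worked example (not part of the CertiKit template), the following Python carries the 1-5 scoring of 2.3.3, the MTPD/RTO threshold rule of 2.3.4 and the recovery ordering of 2.3.6 through on constructed activity scores. The activity names and score matrices are constructed, and the tie-break on total score at the RTO is an assumption the template does not make.

```python
"""Worked BIA scoring for sections 2.3.3, 2.3.4 and 2.3.6 of the process.
Added example, not part of the CertiKit template; every activity and score
below is constructed to illustrate the calculation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Impact types, time periods and threshold as the template states them.
IMPACT_TYPES = ["Customers", "Finance", "Health and Safety", "Reputation",
                "Knock-on impact", "Legal, contractual and statutory"]
TIME_PERIODS = ["1 hour", "3 hours", "1 day", "3 days", "1 week", "1 month"]
MTPD_THRESHOLD = 4  # a score of 4 (high, real hardship) or above marks the MTPD


def merge_scores(proposals: List[int]) -> int:
    """Resolve disagreement as the template directs: take the highest proposed score."""
    if not proposals or any(not 1 <= s <= 5 for s in proposals):
        raise ValueError("scores must be integers on the 1-5 scale")
    return max(proposals)


@dataclass
class Activity:
    name: str
    scores: Dict[str, List[int]]  # impact type -> one agreed score per period

    def totals_by_period(self) -> List[int]:
        """Total score per time period across all impact types (2.3.3)."""
        return [sum(self.scores[t][i] for t in IMPACT_TYPES)
                for i in range(len(TIME_PERIODS))]

    def mtpd(self) -> Optional[str]:
        """MTPD/MAO, which becomes the RTO (2.3.4): the first period at which
        any single impact type reaches the threshold. None means the activity
        tolerates disruption beyond the longest assessed period."""
        for i, period in enumerate(TIME_PERIODS):
            if any(self.scores[t][i] >= MTPD_THRESHOLD for t in IMPACT_TYPES):
                return period
        return None


def recovery_priority(activities: List[Activity]) -> List[str]:
    """Recovery order (2.3.6): shortest RTO first; ties broken (assumption) by the
    higher total score at the RTO; activities with no MTPD in the horizon last."""
    def sort_key(a: Activity):
        p = a.mtpd()
        idx = TIME_PERIODS.index(p) if p is not None else len(TIME_PERIODS)
        total = a.totals_by_period()[idx] if p is not None else 0
        return (idx, -total, a.name)
    return [a.name for a in sorted(activities, key=sort_key)]


def _matrix(*rows: List[int]) -> Dict[str, List[int]]:
    return dict(zip(IMPACT_TYPES, rows))  # one row per impact type, in order


# Constructed workbook entries: the helpline reaches Health and Safety 4 at 3 hours,
# order processing reaches Customers 4 at 3 days (after a 3-vs-4 workshop split),
# and archive scanning never reaches 4 within a month.
EMERGENCY_HELPLINE = Activity("Emergency helpline", _matrix(
    [2, 3, 4, 5, 5, 5], [1, 1, 1, 2, 2, 3], [3, 4, 5, 5, 5, 5],
    [2, 3, 4, 5, 5, 5], [1, 1, 2, 2, 3, 3], [1, 2, 3, 4, 4, 5]))
ORDER_PROCESSING = Activity("Order processing", _matrix(
    [1, 2, 3, merge_scores([3, 4]), 5, 5], [1, 1, 2, 3, 4, 5],
    [1, 1, 1, 1, 1, 1], [1, 2, 3, 4, 4, 5], [1, 2, 2, 3, 4, 5], [1, 1, 2, 3, 4, 5]))
ARCHIVE_SCANNING = Activity("Archive scanning", _matrix(*[[1, 1, 1, 1, 1, 2]] * 6))
```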
2.3.7 Obtaining Management Approval for the BIA
At each stage of the business impact assessment process management will be kept informed of progress and decisions made, including formal signoff of the proposed RTOs, MBCOs and RPOs. Signoff will be indicated according to [Organization Name] documentation standards.
2.3.8 Regular Review
In addition to a full annual review, business impact assessments will be evaluated on a regular basis to ensure that they remain current and the resulting strategies and plans valid. The relevant business impact assessments will also be reviewed upon major changes to the business, such as office moves, mergers and acquisitions, or the introduction of new or changed IT services.
2.4 Process Outputs
The process of business impact analysis results in a number of outputs which show that all of the steps have been completed successfully. These outputs should include where possible:
- The completed business impact assessment workbook
- Minutes of workshop sessions held
- Business impact analysis report
- Management approval of the conclusions reached
- Results of regular reviews
The availability of this information will allow the conclusions reached to be verified and validated in future reviews and audits.
3 Roles and Responsibilities
Within the process of business impact assessment there are a number of key roles that play a part in ensuring that all impacts are identified, addressed and managed. These roles are shown in the RACI table below, together with their relative responsibilities at each stage of the process.
3.1 RACI Chart
The table below clarifies the responsibilities at each step using the RACI model, i.e.:
R = Responsible
A = Accountable
C = Consulted
I = Informed

Step                                       | Business Continuity Manager | Business Process Owners | Operational Staff
Establish the context                      | A                           | R                       | C
Identification of Key Business Activities  | A                           | R                       | C
Assessing the impact of disruption         | A                           | R                       | C
Identifying the RTO                        | A                           | R                       | C
Defining the recovery needs at the RTO     | A                           | R                       | C
Prioritising the recovery process          | A                           | R                       | C
Obtaining Management Approval for the BIA  | A                           | R                       | I
Regular Review                             | A                           | R                       | C
Table 1 - RACI chart
Further roles and responsibilities may be added to the above table as the business impact analysis process matures within [Organization Name].
4 Conclusion
The process of business impact analysis is fundamental to the implementation of a successful Business Continuity Management System (BCMS) and forms a significant part of the ISO 22301 standard. By following this process [Organization Name] will go some way to ensuring that its key business processes are identified and that its business continuity strategies and plans are based on a firm and well-considered foundation.