BCM’s Backbone – Business Impact Analysis (BIA)
The Art of Data Gathering & Analysis
23 April 2013
Tamer Charife
• Deloitte – ME, Information & Technology Risk Services Manager
• Based in Kuwait & responsible for Kuwait’s I&TR Practice
• COBIT, CISA, BS 25999, ISO 27001 LA/LI, ISO 20000 LI
• CISA Director, Kuwait ISACA Chapter In-Formation
• E&Y – PWC – Deloitte
• 6 end-to-end Business Continuity/DR Planning exercises in Kuwait & ME
• 50+ IT Audits, GCCs, Application Reviews
• 10+ Information Security Projects
• Developed 20+ IT & Information Security P&Ps
tcharife@deloitte.com +965-97314314
Overall BCM Framework
Role of the BIA in Company A’s Service Continuity Program
A Business Impact Analysis (BIA) measures the potential impact on a business function if it were unable to operate following a disruption. This measurement establishes a prioritization of business functions and application recovery requirements, which is then used as the baseline for developing business continuity and disaster recovery plans and strategies.
A BIA helps prioritize critical business processes to determine where to focus time and resources in business continuity planning and recovery strategies.
The BIA as a Driver to Business Continuity Plans & Recovery Requirements
A Business Impact Analysis (BIA) identifies the impacts to the business functions and determines the business function location Maximum Tolerable Downtime (MTD). This drives the operational continuity requirements that support recovery of a business function.
Figure: impacts (Financial, Operational, Legal & Regulatory, Brand/Customer) feed the business function location MTD, which in turn drives the operational continuity requirements (Building, Equipment, Technology, 3rd Party, Human Resources) together with the RTO and RPO.
The business function location MTD derived from the BIA process is a guide to determining resilience strategies and recovery requirements.
RTO: Recovery Time Objective
RPO: Recovery Point Objective
BIA Overview
Goals of the BIA
The BIA should meet the following goals and objectives to drive better decision making for business continuity and recovery strategies.
• Determine focus and priority for recovering business functions following a disruption
  − Identify where impacts could occur and how the disruption could impact the business function
  − Evaluate the potential impact of uncontrolled, non-specific events on the business functions and processes
  − Determine any regulatory/financial obligations of not recovering a function or system within a specific period of time
  − Prioritize the ‘recovery order’ for business functions across business units
  − Drive better investment decisions
• Identify interdependencies that impact the business and recovery operations
  − Identify upstream and downstream dependencies between the different business functions and business partners
  − Identify interdependencies that exist between internal systems, applications, business processes, and business functions
• Establish reasonable values for Maximum Tolerable Downtime (MTD) & identify required applications
  − Identify the maximum time that a business function can be unavailable before it causes significant impact to the organization
  − Determine critical applications and systems that are used to support the business function
  − Determine Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values of critical applications and systems
• Establish a process to align business function and technology recovery requirements
  − Evaluate existing business and technology dependencies to begin aligning recovery requirements between the business and IT
A BIA does not assess the risks that could negatively impact the business functions; a risk assessment (RA) needs to be conducted prior to completing a BIA. The RA determines specific risks that could impact the business, proposes mitigating controls and refines strategies.
BIA Lifecycle & Approach
Characteristics of a BIA
The BIA process is divided into three phases: data collection, aggregation & analysis, and reporting. The desired characteristics of a BIA are defined to establish the baseline for the BIA.
1. Data Collection
2. Aggregation & Analysis
3. Reporting
Characteristics of a Leading Practice BIA
• Uses a consistent impact scoring approach
• Provides flexible impact scores for different business functions (e.g. revenue generating, cost center, operational functions)
• Creates a standardized method for ‘tiering’ business processes based on impact score
• Establishes consistent naming conventions, questions, and terminology for evaluating business functions and associated impact and criticality
• Pulls the application information from a single authoritative source for consistency
• Provides a graphical interface for the business users to input the data and view reports
• Provides a user-friendly interface to the users with pre-populated information about their business functions
• Gathers feedback from the users on the process
With these established goals and characteristics of the BIA, the process to execute the BIA has been defined.
BIA - Data Collection
1. Data Collection
Establishing a consistent, sustainable and repeatable framework for collecting BIA information is critical. This enables leadership to evaluate results at an enterprise level and consolidate impacts and priorities to drive better investment decisions.
Data Category / Data Elements
Business Function Information – identifies process information:
• Business Function Name
• Type of business function (e.g., cost center, revenue generating, support)
• Location
• Description
• Owner/User
Note: the BIA should be completed by stakeholders with insight into business strategies and interdependencies between business functions.
Dependencies – determines interdependencies:
• Upstream process dependencies
• Downstream process dependencies
• Third party/vendor dependencies
• Single Points of Failure (SPOF) across locations, equipment, technology, personnel, and third parties
Impacts & Criticality – evaluates the impact to the organization across common categories:
• Financial Impact
• Operational Impact
• Regulatory and Compliance Impact
• Brand & Reputation Impact
Note: appropriate individuals from Finance and Risk & Compliance should be involved to estimate the impacts.
Applications – determines specific recovery information for applications:
• Application Name
• Application Hosting site
• Application description
• Recovery Time Requirement (RTR)
• Recovery Point Requirement (RPR)
Vital Records – identifies critical paper and electronic assets required for recovery:
• Vital record
• Application Hosting site
• Application description
• Recovery Time Requirement (RTR)
• Recovery Point Requirement (RPR)
1. Data Collection – cont’d
The list below identifies the important Data Collection phase considerations that should be taken into account while planning the BIA workshops:
1. Awareness sessions on the BIA detailing:
   A. BIA Goals
   B. BIA Objectives
   C. BIA Importance
   D. BIA Approach
   E. Responsibilities of Business Function Owners towards the BIA (R&Rs)
2. Knowledge of the business function operations, impacts, requirements, etc.
3. Challenging the inputs of Business Function Owners to reach the most accurate process criticality
4. Providing examples as applicable to facilitate obtaining the right answers
5. Benchmarking processes against other processes within the organization to explain differences in criticality of the process from an organization-wide perspective
1. Data Collection – cont’d
Maintaining and refining the BIA over time enables Company A to adapt and respond to the changing business environment. These parameters provide a set of guidelines for sustaining the BIA program:
What triggers an update to a BIA?
• Scheduled/annual re-certification
• Major change in business strategy that alters impact categories or category weightings
• Following response to a disruption
How are changes addressed?
• New or changed business functions should be addressed via a “change request” as they are identified
• Deletions of business functions may be addressed during annual re-certification
• Application additions or deletions are to be addressed during annual re-certification
How often is the BIA recertified?
• The BIA is recertified on an annual basis
• Business stakeholders should also be surveyed (annually) for their feedback on the BIA process
What occurs for an annual review of the BIA methodology?
• Re-evaluation of BIA program requirements
• Review of impact weightings
• Assessment of reporting requirements against business needs
• Confirmation of criticality tiers
• Definition of schedule for next BIA methodology review
A Distinguishing Factor: Operations Impact Analysis for Manufacturing Organizations
Deloitte has created a unique methodology in order to adapt BCP development to the needs of the manufacturing & O&G industry. We realize that a traditional Business Impact Analysis (BIA) has its limitations when conducted for plant processes. With that limitation in mind, an Operations Impact Analysis (OIA) methodology was developed in order to ensure robust OIA implementation in the manufacturing sector.
Step 1: Identifying and Understanding the Organization Value Chain
Visualizing the value chain allows continuity planners to define fit-for-purpose continuity and recovery strategies. Before proceeding with continuity planning, a robust understanding of the value chain must be established by:
• Identifying outgoing products
• Identifying and quantifying finished goods inventory
• Identifying downstream dependencies
• Identifying upstream dependencies
• Identifying key production units and their operational criticality on the overall value chain
• Identifying/quantifying raw materials:
  − Identify/quantify WIP inventory
  − Identify current and possible sources
• Determining operational pattern, including:
  − No. of lines of process
  − No. of shifts and shift management procedures
  − Current capacity
  − Workforce requirements
• Identifying production assets:
  − Determine daily targets
  − Determine production rates
  − Avg. revenue per production quantity
• Identifying access roads, holding areas
• Identifying key infrastructure
• Identifying key utilities systems
A Distinguishing Factor: Operations Impact Analysis for Manufacturing Organizations
Step 1: Identifying and Understanding the Organization Value Chain – Cont’d
To complete the understanding of the value chain, it is essential to translate production loss to revenue loss through the following:
• Determining current storage capacities
• Determining daily production rate
• Determining daily inventory depletion
• Translating production loss to revenue loss (based on an average price index)
• Defining a period of time (“T1”) after which financial losses become intolerable to management
• Defining a period of time (“T2”) after which current stored inventory is completely depleted and customer service is completely halted
• Through careful consideration of T1 and T2, the following important parameters must be validated and approved by management:
  − Maximum Tolerable Period of Disruption (MTPD)
  − Recovery Time Objective (RTO)
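The T1/T2 reasoning above, carried through in code as an added example (not part of the deck or of Deloitte's methodology): daily production multiplied by the average price index gives the revenue lost per day of outage, T1 is the day on which that cumulative loss crosses the loss management has declared tolerable, T2 is the day on which finished-goods stock runs out at the current shipment rate, and the example proposes the earlier of the two as the MTPD candidate for management approval. The production unit, its figures and the `tolerable_loss` threshold are constructed sample values, and taking min(T1, T2) as the MTPD candidate is this example's assumption, not a rule stated on the slide.

```python
"""Worked example of the Step 1 value-chain figures: translating a plant
outage into revenue loss and the two time thresholds T1 and T2.

Added example, not part of the original deck; all figures below are
constructed sample numbers, not data from any real plant.
"""
from dataclasses import dataclass
import math


@dataclass
class ProductionUnit:
    name: str
    daily_production: float          # units produced per day at current capacity
    avg_price_per_unit: float        # average price index: revenue per unit
    finished_goods_inventory: float  # units currently in stock
    daily_depletion: float           # units shipped to customers per day
    tolerable_loss: float            # revenue loss management says it can absorb


def daily_revenue_loss(unit: ProductionUnit) -> float:
    """Production loss per day of outage, expressed as lost revenue."""
    return unit.daily_production * unit.avg_price_per_unit


def t1_days(unit: ProductionUnit) -> float:
    """T1: days of outage after which cumulative revenue loss exceeds the
    tolerable loss. Assumes losses accrue linearly from day one."""
    loss = daily_revenue_loss(unit)
    return math.inf if loss == 0 else unit.tolerable_loss / loss


def t2_days(unit: ProductionUnit) -> float:
    """T2: days until finished-goods inventory is depleted and customer
    service halts. With production stopped, stock only decreases."""
    if unit.daily_depletion == 0:
        return math.inf
    return unit.finished_goods_inventory / unit.daily_depletion


def mtpd_days(unit: ProductionUnit) -> float:
    """MTPD candidate for management approval: the earlier of T1 and T2
    (this example's assumption; the slide leaves the judgement to management)."""
    return min(t1_days(unit), t2_days(unit))


def rto_is_achievable(unit: ProductionUnit, rto_days: float) -> bool:
    """An RTO must fall inside the MTPD to leave a margin for recovery."""
    return rto_days < mtpd_days(unit)


# Constructed sample unit (not real data).
LINE_A = ProductionUnit(
    name="Line A",
    daily_production=1_000.0,
    avg_price_per_unit=50.0,           # daily revenue at risk: 50,000
    finished_goods_inventory=12_000.0,
    daily_depletion=800.0,             # stock covers 15 days of shipments
    tolerable_loss=500_000.0,          # crossed after 10 days of outage
)

if __name__ == "__main__":
    print(f"{LINE_A.name}: T1={t1_days(LINE_A):.1f}d "
          f"T2={t2_days(LINE_A):.1f}d MTPD={mtpd_days(LINE_A):.1f}d")
```

With the sample figures T1 (10 days) is shorter than T2 (15 days), so the financial threshold, not stock depletion, bounds the MTPD, and a proposed 12-day RTO would be rejected while a 7-day RTO fits.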
A Distinguishing Factor: Operations Impact Analysis for Manufacturing Organizations
Step 2: Identifying “Production Enablers” and their Recovery Requirements
The OIA consolidates all the resources (inputs/operational enablers) which are required for continuity and recovery purposes. This enables continuity planners to develop an accurate business continuity plan.
Production Enabler / Description
• Manpower & HR Requirements: collection of information to plan and respond to a drop in staff levels and cases of manpower shortages (HR Continuity Planning).
• Power & Utilities Requirements: collection of information on the course of action to respond to a failure of a particular utility system or power source and the impact of the outage on overall production.
• Chemical Supplies: defining the impact of disruption of supply of a particular chemical, in addition to identifying potential alternate sources and buffer storage quantities.
• Technology & Control Systems: collection of information on the criticality of IT applications, data communication, and control systems to conduct operational activities.
• Equipment Supplies Requirements: collection of information on the quantity of equipment and supplies required for restoring regular operational activities.
• Transportation & Logistics: identification of access routes, material handling requirements, vehicle requirements, and modes of transportation and their workarounds.
• Contractors & 3rd Parties: identification of critical contractors and documentation of contingencies in case their services are disrupted.
• Infrastructure Requirements: identification of non-plant building spaces required to directly support production, of warehousing and storage requirements, and of spaces needed for control rooms.
• Critical Data: identification of critical data (whether hard-copy or electronic), the impact of data loss, and methods for regeneration.
BIA - Analysis & Aggregation
2. Analysis and Aggregation – Impact Analysis
To capture consistent and measurable results across completed BIAs, a framework must be established to provide a common set of impacts, associated definitions, and guidance in evaluating the potential impacts to the organization.
Types of Impacts / Definition
• Financial Impact: the loss of a business function could ultimately result in revenue loss; reduced cash flow; fines; limited ability to collect accounts receivable; accounts payable discounts; legal liability exposure; or loss of productivity.
• Operational Impact: this includes the loss of or a significant increase in the workflow/transaction backlog, a decrease in internal controls, or an inability to work with third parties/vendors that could occur from a disruption.
• Regulatory & Compliance Impact: depending on the business function and the location, there could be potential liabilities for non-compliance with applicable regulations (e.g. international standards, governing laws & regulations).
• Brand and Reputation Impact: a business disruption or outage to a function could negatively impact the Company A brand and its ongoing reputation. This could ultimately result in loss of customers or key suppliers, or cause a poor industry image.
Impact Scoring (each impact category is rated 1 Slight, 2 Minor, 3 Moderate, 4 Major, 5 Significant)
Financial Impact:
• 1 Slight: minimal or no revenue loss
• 2 Minor: < $XXX MM within 1 week
• 3 Moderate: > $XXX MM to < $XXX MM impact within 1 week
• 4 Major: > $XXX MM to < $XXX MM impact within 1 week
• 5 Significant: > $XXX MM impact within 1 week
Operational Impact:
• 1 Slight: disruption would not impact operations
• 2 Minor: workflow backlog begins to accumulate; some customers consider a competitor
• 3 Moderate: backlog requires overtime to clear; customers in a market or region consider a competitor
• 4 Major: backlog requires overtime to clear; customers in a region/country consider a competitor
• 5 Significant: transaction backlog is too significant; wide segment of customers move to a competitor
Regulatory & Compliance Impact:
• 1 Slight: no regulatory exposure
• 2 Minor: minor regulatory exposure
• 3 Moderate: increases potential for scrutiny or audit
• 4 Major: potential to cause penalty or fine
• 5 Significant: criminal / revocation of license
Brand and Reputation Impact:
• 1 Slight: no negative impact on Company A’s reputation
• 2 Minor: outage would reach the media and one customer market
• 3 Moderate: media coverage; long-term customer loss
• 4 Major: significant media coverage; extended image problem for Company A
• 5 Significant: severe negative impact on Company A’s reputation
2. Analysis and Aggregation – Impact Aggregation
Aggregating the BIA results assists organizations in rationalizing the impacts based on their importance to the organization. This serves to normalize the impacts across the various business functions and prioritizes those functions that are critical to the organization, establishing a clear “order” for developing recovery plans. The example below shows the process:
Category Rating (CR) score per impact category:
• Significant: 5
• Major: 4
• Moderate: 3
• Minor: 2
• Slight: 1
Impact Weightings (IW) per impact category:
• Financial Impact: 10
• Operational Impact: 8
• Brand & Reputation Impact: 6
• Regulatory Impact: 3
Sample scoring formula: Combined Impact Score (CIS) = ∑ [ IW * CR ]
Process Criticality Tier by Combined Impact Score (CIS):
• 112-140: Tier 1
• 75-112: Tier 2
• 56-74: Tier 3
• 28-55: Tier 4
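The aggregation step above, worked through as an added example that is not part of the deck or of Deloitte's tooling: it applies the slide's weightings (Financial 10, Operational 8, Brand & Reputation 6, Regulatory 3) and 1–5 category ratings to compute CIS = ∑ IW × CR for each business function, maps the score to the slide's tier bands, and sorts the functions into a recovery order. The business functions and their ratings are constructed sample workshop results. Two points the slide leaves open are settled here as labelled assumptions: a score of exactly 112 (listed in both the Tier 1 and Tier 2 bands) is placed in Tier 1, and the minimum achievable score of 27 (every category rated Slight), which falls below the lowest band, is treated as Tier 4.

```python
"""Worked example of the BIA impact aggregation step: compute a Combined
Impact Score (CIS = sum of IW x CR over the four impact categories) for each
business function, map it to a process criticality tier, and produce the
recovery order. Added example, not part of the original deck; weightings and
tier bands are those shown on the slide, the business functions and their
ratings are constructed sample inputs.
"""
from typing import Dict, List, Tuple

# Impact weightings (IW) from the slide.
IMPACT_WEIGHTINGS: Dict[str, int] = {
    "Financial": 10,
    "Operational": 8,
    "Brand & Reputation": 6,
    "Regulatory": 3,
}

# Category rating (CR) scale from the slide: 1 Slight .. 5 Significant.
CATEGORY_RATING: Dict[str, int] = {
    "Slight": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Significant": 5,
}

# Tier bands from the slide as (lower bound, tier). The slide lists 112 in
# both the Tier 1 and Tier 2 bands; this example assigns it to Tier 1
# (assumption). The minimum achievable CIS with these weightings is 27 (all
# categories Slight), below the lowest band of 28; this example treats any
# score below 56 as Tier 4 (assumption).
TIER_BANDS: List[Tuple[int, int]] = [(112, 1), (75, 2), (56, 3), (0, 4)]


def combined_impact_score(ratings: Dict[str, str]) -> int:
    """CIS = sum(IW * CR). `ratings` maps each impact category to a rating
    label. Every category must be rated, so an unanswered workshop question
    is flagged rather than silently scored as zero."""
    missing = set(IMPACT_WEIGHTINGS) - set(ratings)
    if missing:
        raise ValueError(f"unrated impact categories: {sorted(missing)}")
    return sum(IMPACT_WEIGHTINGS[cat] * CATEGORY_RATING[ratings[cat]]
               for cat in IMPACT_WEIGHTINGS)


def criticality_tier(cis: int) -> int:
    """Map a CIS to the process criticality tier (1 = most critical)."""
    for lower_bound, tier in TIER_BANDS:
        if cis >= lower_bound:
            return tier
    raise ValueError("unreachable: lowest band starts at 0")


def recovery_order(functions: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """Return (function, CIS, tier) rows sorted into recovery order: Tier 1
    first, higher CIS first within a tier, then by name for a stable order."""
    scored = []
    for name, ratings in functions.items():
        cis = combined_impact_score(ratings)
        scored.append((name, cis, criticality_tier(cis)))
    return sorted(scored, key=lambda row: (row[2], -row[1], row[0]))


# Constructed sample BIA workshop results (not real data).
SAMPLE_FUNCTIONS: Dict[str, Dict[str, str]] = {
    "Payments processing": {"Financial": "Significant", "Operational": "Major",
                            "Brand & Reputation": "Major", "Regulatory": "Major"},
    "Customer call centre": {"Financial": "Moderate", "Operational": "Major",
                             "Brand & Reputation": "Significant", "Regulatory": "Minor"},
    "Internal newsletter": {"Financial": "Slight", "Operational": "Slight",
                            "Brand & Reputation": "Minor", "Regulatory": "Slight"},
    "Regulatory reporting": {"Financial": "Minor", "Operational": "Moderate",
                             "Brand & Reputation": "Moderate", "Regulatory": "Significant"},
}

if __name__ == "__main__":
    for name, cis, tier in recovery_order(SAMPLE_FUNCTIONS):
        print(f"Tier {tier}  CIS {cis:3d}  {name}")
```

Running it places Payments processing (CIS 118) in Tier 1, the call centre (98) and Regulatory reporting (77) in Tier 2, and the newsletter (33) in Tier 4. Note how the weightings shape the result: Regulatory reporting scores Significant on the regulatory category but still lands below the call centre, because the slide weights Regulatory impact at 3 against 6 for Brand & Reputation and 8 for Operational; the annual review of impact weightings described in the Data Collection section is where such an outcome would be revisited.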
2. Analysis and Aggregation – Impact Analysis Alignment
It is crucial to consider alignment with the existing ERM framework while determining the types of impacts and impact categories, in order to maintain a coherent enterprise-wide Risk Management Framework.
Figure: the impact analysis is aligned against three inputs: Leading Practices & Standards, Industry Benchmarking, and ERM Alignment.
2. Analysis and Aggregation – Impact Analysis Alignment (Cont’d)
When integrating BCM and ERM, there are three different models. The first model is having central management for both BCM and ERM. The second model is to create a shared responsibility with BCM and integrate it functionally into the ERM program. The third, and least efficient, way is to maintain separate initiatives for both disciplines. Our integration methodology focuses on the first model as depicted below:
Figure: integrated ERM/BCM model. Boxes: Business Strategy; Interview Workshops; Key risks/threats; Risk Assessment; Key processes; BIA of key processes; Risk Map / Risk Register (threats, impact, likelihood); Business Ops. dependencies, resources, impact; Risk Strategy (including controls); Risk Treatment Plans. Legend: ERM activity, BCM activity, Integrated ERM/BCM activity.
BCM provides ERM with:
• A much better understanding of important activities (products and services) and the resources that support them
• Contacts in the business and a pragmatic understanding of front line challenges
ERM provides BCM with:
• A broader view of risk and access to senior management
• Systems for managing risk
• A better view of evolving threats and risks
An integrated approach provides:
• Better prioritization
• More pragmatic risk treatment
• More efficient investment in risk management
BIA - Reporting
3. Reporting
Following consolidation and aggregation of results, the information should enable decision making on developing new recovery plans or enhancing existing plans. Results should also provide a perspective into the more significant impacts the organization faces, along with the resources it requires following a disruption (e.g., applications, equipment, vendors).
BIA REPORTING DATA ELEMENTS
• Consolidated Business Processes
• Critical Applications (including RTR & RPR)
• Critical Timing
• Business Interdependency Analysis
• Impact Weighting & Scores
• Third Party Dependency & Criticality
• Maximum Tolerable Downtime
DECISIONS DRIVEN BY BIA REPORTING
• How do I prioritize business processes in case of a disaster?
• What should be the recovery strategies for my business processes to optimize investment?
• What applications support critical business processes?
• What are my BCP and DR plan requirements?
• What are the interdependencies that need to be considered in the event of a disaster?
• Where are the gaps in my business requirements and the technology capabilities?
3. Reporting (cont’d)
Reporting should drive informed decisions; illustrated below is the reporting that needs to be developed at each level.
Reporting level: Executive
• Audience: Chief Information Officer (CIO), Chief Information Security Officer (CISO)
• Types of reports: Business Function Criticality Summary; Critical asset summary
• Key decisions: Do we have capabilities to recover business functions based on criticality? What are the gaps in existing capabilities? Which areas do we need to invest in?
• Maintenance frequency: Annually
Reporting level: Senior Management
• Audience: Service Continuity Stakeholders (CISO, Operations, Engineering, Architecture etc.), Regulators, Internal Audit Group (IAG), Compliance office, Lead Operational Risk Officers (LOROs)
• Types of reports: Business Function Criticality Summary; Impact summary across all the business functions; Interdependency matrices between the business functions
• Key decisions: What are the interdependencies that need to be considered in the event of a disaster? What recovery strategies should we invest in longer term? Are we compliant with applicable laws and regulations?
• Maintenance frequency: Annually; Ad-hoc based on specific request
Reporting level: Business
• Audience: Business function owners (VP or equivalent), Business function location owners, Business Continuity coordinators, Relationship managers
• Types of reports: Application criticality; Maximum Tolerable Downtime or business process RTR for each function; Impact summary for a business function; Remediation plan for each business function
• Key decisions: How do I prioritize business processes in case of a disaster? What applications support critical business processes? What should be the recovery strategies for my business processes to optimize investment? What are my BCP and DR plan requirements?
• Maintenance frequency: Annually; Triggered by change in the business function; Ad-hoc based on specific request
3. Reporting (cont’d)
The following are a sample of reports that should be generated in the target state to drive meaningful BIA decisions, business continuity planning, and recovery strategies.
• Impact Summaries: qualitative/quantitative impact summaries show the cumulative impacts of disruptions over time
• Interdependency Matrices: grids that show the relationships between business processes and their associated dependencies
• Impact by business function: includes insights into business continuity practices, levels of tolerance, and key recovery requirements
• Business Function Criticality Summary: visual representation of business function criticality organized by business unit
• Maximum Tolerable Period of Downtime: adjustments are made due to changes in business decisions or organizational change
• Application Criticality: visual representation of application criticality
Q&A
Thank You…
tcharife@deloitte.com +965-97314314
About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence. Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.
About Deloitte & Touche (M.E.): Deloitte & Touche (M.E.) is a member firm of Deloitte Touche Tohmatsu Limited (DTTL) and is the first Arab professional services firm established in the Middle East region with uninterrupted presence for over 87 years. Deloitte is among the region’s leading professional services firms, providing audit, tax, consulting, and financial advisory services through 26 offices in 15 countries with over 2,500 partners, directors and staff. Deloitte has been annually classified as a Tier 1 Tax advisor in the GCC region since 2010 by the International Tax Review World Tax Rankings.