Business Impact Analysis
|
A Business Impact Analysis (BIA) analyzes the effect of interruptions to business operations or processes in all business functions.
The BIA should identify all critical business functions, qualify and quantify losses resulting from such interruptions, and determine the tolerable downtime and minimum resources needed to recover them.
|
|
The key objective of the Business Impact Analysis (BIA) phase is to ensure that the critical business functions are identified and prioritized.
Review of the BIA Implementation Process
- Was a BIA completed?
- Did the completion of the BIA involve the Executive Management or BCM Steering Committee, which includes at least one senior representative from each business unit?
- How was the criticality of the business functions that are performed by the business unit determined?
- Was the criticality of the business functions based on the decision of the Head of the Business Unit?
- Was the criticality of the business functions determined by using parameters established through well-established criteria?
- Is there any discrepancy between the determination of the Head of the Business Unit and the BC project team?
- How was this discrepancy resolved?
- Have recovery timeframes and resource requirements for critical business functions been determined?
- Were all business units involved in preparing the BIA from the start of the BC planning project?
- Has the criticality of business functions and records been defined, and have their priorities been established?
Inter-dependencies
- Is an agreed measure used to determine criticality?
- Have inter-dependencies between critical business functions and systems been determined?
- What is the process used to determine inter-dependencies?
- What is the method used to prioritize critical business functions or processes?
- Have critical business projects been catered for in interdependency mapping?
- Are BC service-level agreements established for supplier organizations?
- Are backup and restoration procedures in place for all vital records, both data and documents?
- Is the business unit dependent on others to receive or provide hard/soft copies, materials, and any work in progress?
- Do the other units have viable recovery plans that similarly acknowledge these interdependencies?
- Suppose the recovery sites of the affected units are not in the same building. Are there procedures built into both units’ BC Plan that will enable the interdependent processes to be restored?
Critical Business Function
- Is there any possible access to assets and business due to road, waterway damage or limited blockage?
- Is the expectation of access to common carriers for transporting crucial personnel and data realistically set up?
- Is there a qualitative or qualitative approach to identifying the business impact?
- Is there a possibility of replicating the counting of the financial impact on both the front and back offices?
- Is the organization relying on delivering water, sewage, power, and gas services?
- Is the evaluation of the impact of a loss of the business functions taken from the perspective of the organization’s budget outcomes and output?
-
- Loss of revenue
- Increased expense
- Service delivery standards
- Public or political embarrassment
- Loss of customer confidence
- Loss of management control
- Financial misstatement
- Regulatory, statutory or contractual liability
- Specific or unique vulnerabilities
- Political ramifications
- What aspects of impact have been considered?
- Financial
- Customers and suppliers
- Public relations/ reputation
- Legal and regulatory requirements
- Operational
- Personnel
- Are the critical success factors that ensure the business functions meet the organization’s recovery objectives?
- Are the processes and resources which underpin the key business functions identified?
- Are additional expenses incurred if processes are performed manually or in a substitute manner during a disaster?
- Are the minimum resource requirements necessary to perform the function identified?
- Are the records vital to the recovery processes identified?
IT Resources
- Have all critical IT application systems been identified?
- Have all critical IT application systems been prioritized based on their defined RTOs?
- Are procedures in place to acquire critical IT resources on short notice?
- Have critical IT application systems, spreadsheets, and databases been identified?
- Is there an IT DR plan?
- Were end-users involved in identifying the critical IT application systems?
- What procedures are in place for identifying new IT application systems?
- Have any issues of significance to IT application systems that have been highlighted during the recent audits?
- What were these issues, and how were they resolved?
BCM Institute Course Participants
This sample set of audit programs developed for Business Impact Analysis will be used during the session and the "live" audit.
Resource
Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.
Extracted from "BCM Questionnaires 4: Business Impact Analysis"
Singapore Government Funding for BCM-8530 Course
The following section applies to Singaporeans and permanent residents of Singapore. Click the "SkillsFuture Funding" button to learn more about the funding available from the Singapore government. This includes the SkillsFuture funding, SkillsFuture Credit and UTAP.
Find out more about ISO22301 BCMS Lead Auditor/ Auditor BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]
|
|
|
|
|
|
|
Please feel free to send us a note if you have any of these questions to
|
|