charlotte nc chapter wednesday, may 12, 2004 welcome hosted by:
TRANSCRIPT
Presented byDave Shimberg, CBCP
Based on materials from:Ken Jaunais, KPMG
May 14, 2004May 14, 2004
The Business Impact AnalysisThe Business Impact Analysis
Agenda
1.The Business Impact Analysis
a. Why do I have to do this? – the Goals
b. Now that I’ve taken my time to do it, what’s in it for me and my organization – the Objectives?
c. Sounds easy, how do I do it – the Process?
2. Questions and Answers
BIA: The Goals
Two Primary Objectives
1) Information Gathering
– Establish the value of each unit or resource as they relate to the function of the total organization
– Provide the basis for identifying the critical/time-sensitive resources required to develop a business recovery strategy
– Establish an order of priority to restoring the function of the organization in the event of an unplanned event
2) Sell / Justify BCP program
BIA: The Objectives
• Assess the impact(s) of an outage
• Determine time criticality of business processes, functions, departments, and work areas as related to total organization function
– Risk Analysis (threat – impact – likelihood of occurrence)
• Determine time critical applications systems, data, and telcom
• Determine required availability time(s) for functional departments
• Determine interdependencies between processes
• Determine recovery resource requirements
– People, work area, equipment, supplied, applications, other
The BIA - Phases
1. Project Planning
2. Data Collection
3. Data Analysis
4. Reporting Findings
5. Approval for Next Phase
The BIA Phases – Project Planning
1. Objectives
- identify critical business functions and dependencies, impact of disruptions and resources
2. Scope
- departmental, facility/complex, region, organization
- At what level will BIA and planning be carried out?
- Department Function
- Process (based on process owner, may cross departments or other boundaries)
The BIA Phases – Planning (cont.)
What are you trying to analyze?
- Mission
- Service Objectives
- Dependencies
- Impacts over time – SLA, Financial, Legal or Regulatory, Customer Service, Market Share . . .
The BIA Phases – Planning (cont.)
Reference Materials?
- Business unit or Corporate Mission Statement
- SLAs
- Org Charts
- Policies and Procedures
- Annual Reports
The BIA Phases – Planning (cont.)
How are you going to collect the data?
- Questionnaire
– Variety of tools, documents, applications
- Interview
- Combination
The BIA Phases – Data Collection
End user should be able to provide:
- Potential impact of mitigation
- Critical time periods
- Legal, regulatory, contractual requirements
- Financial impact
- Operational impact
The BIA Phases – Data Analysis
Quantitative Impact
• Losses identified in quantities, percentages, or factor of standard that can de described in monetary terms
• Sales, market share, penalties, assets, revenue, income
• Actual or order of magnitude
– Quick Risk Rating tool may help
Effort Priorities are set by Risk and Impact•Threat is something that poses a danger•Risk is the probability that a threat will materialize measured in impact $
The BIA Phases – Data Analysis (cont.)
Qualitative Impact
• Intangible losses that can impact operations but that can not be quantified in monetary terms
• Losses with financial impact that can not be quantified
• Reputation, public image, moral, others?
• Efficiency, satisfaction, control, inter/intra-departmental
• Order of magnitude
The BIA Phases – Reporting Findings
• Who’s the audience
• Policy and procedures
• Keep it Simple
• Graphical or narrative
The BIA: It’s an Iterative Process
SME, and/or whomever, complete questionnaire(s) on
critical business processes/functions
(Collect Data)
Core Business Function(s)
BIA Workshop
SME, and/or whomever, analyze process flows and BIA dependencies/impacts
for critical processes/functions
(Analyze Data)
SME, and/or whomever, review
financial/capacity/time-dependent attributes for
critical business processes/functions
(Analyze/report Data)
SME, and/or whomever, level-set process/function against
benchmark to determine if additional drill-down into sub-processes is needed, if “Yes”,
sub-process goes through cycle (Report/approval of Data)
The BIA – Focus Areas
The following slides represent traditional focus areas of the BIA
We can entertain discussing these slides as time permits
BIA: Focus Areas
• Section 1 – Critical Functions
• Section 2 – Cyclical Processing
• Section 3 – Processing Profile
• Section 4 – Service Level Agreements
• Section 5 – Estimated Personnel Requirements
• Section 6 – Business Relationships
BIA: Focus Areas (continued)
• Section 7 – Vital Records Identification
• Section 8 – Infrastructure Requirements
• Section 9 – Operational Impacts
• Section 10 – Financial Exposure Due to Loss of Function
• Section 11 – Operational Procedures
• Section 12 – Previous Disruptions
• Section 13 – Other issues and/or concerns
The BIA: Section 1, Critical Functions
Define the functions that are most important to your business. What triggers the function to start, and how do you know that the function has been successfully completed?
Manufacturing Financial Services
Operations
supply planning, processing (cleaning, filling, packaging, warehousing, quality control, etc.) . . .
payments made, files sent . . .
Shared Services
invoicing, order entry, cash receipts, purchasing, human resources, global raw spice purchasing . . .
same
R&D product development, product creation . .
same
The BIA: Section 2, Cyclical Processing
Define during which months and weeks the performance of your functions are most important.
Manufacturing Financial Services
Operations
seasonal requirements, customer supply and demand cycle . . .
daily, weekly, monthly schedules . . .
Shared Services
quarter and year-end close, recruiting, growing seasons . . .
same
R&D new campaign cycles (internal and external) . . .
same
The BIA: Section 3, Processing Profile
Quantify the peak period daily production of your critical functions. Also, quantify, in dollars, the daily peak production of your critical functions in terms of cost and revenue
Manufacturing Financial Services
Operations
Pounds/#’s of product – cleaned, palletized, number of trucks loaded . . .
daily, weekly, monthly schedules . . .
Shared Services
quarter and year-end close, recruiting, number of orders processed – entered, invoiced, payments processed . . .
same
R&D number of projects in queue . . . .
same
The BIA: Section 4, Service Level Agreements
Identify who you have agreements with, what kind of agreements are they, and what are penalties for non-compliance.
Manufacturing Financial Services
Operations
purchasing, other Plants, 3rd Party warehouses, carriers . . .
clients, the Fed, vendors . . .
Shared Services
vendor, customer and employee master records . . .
same
R&D new product development support, product quality support . . .
.
same
The BIA: Section 5, Personnel Requirements
Quantify the total number of personnel required to perform each critical function (same day). Identify the staffing requirements to recover the critical functions over time. Consider that critical functions do not necessarily have to be fully staffed immediately.
Manufacturing Financial Services
Operations
to run the various lines, warehousing . . .
mainframe and distributed system recovery, scheduling . . .
Shared Services
to do invoicing, purchasing . . .
same
R&D to work on formulas, research . . .
same
The BIA: Section 6, Business Relationships
Identify who you support and how do you support them. What do you provide and how critical is it? What do others provide you and how critical is it to your processes?
Manufacturing Financial Services
Operations
different plants with raw and/or finished goods, on-site relationship managers, materials movement . . .
other banks, the Fed, clients . . .
Shared Services
invoicing, purchasing . . . same
R&D product management system, defect research . . .
same
The BIA: Section 7, Vital Records
Identify documents by type that you require to perform your processes, how long can you be without them, and what form they take?
Manufacturing Financial Services
Operations
product content, supply schedule, customer orders . . .
processing schedule, code . . .
Shared Services
I-9 forms, SLAs, contracts . . .
same
R&D research notes, library materials . .
same
The BIA: Section 8, Infrastructure
What infrastructure requirements do you need to perform your critical functions – phones, fax, imaging system, etc.?
Manufacturing Financial Services
Operations
ERP package, product Management System . . .
ERP package, scheduling software . . .
Shared Services
ERP package . . . Same
R&D ERP package, product Management System . . .
Same
The BIA: Section 9, Operational Impact
Quantify the impact that the loss of a critical business function would have over time?
Manufacturing Financial Services
Operations
loss of one production over another, shipping orders to external versus internal customers. . .
In-fight payments may have a more significant impact than evening runs . . .
Shared Services
loss of SAP may significantly impact cash flow after Day 3; but order entry may not be impacted until Day 5 . . .
Same
R&D loss of formula records/codes may have a significant impact on the same day; but defect research may only have a slight impact after Day 3 . . .
Same
The BIA: Section 10, Financial Exposure
If the current recovery time is 48 – 72 to restore data, what financial impact will this have on your processes over time?
Manufacturing Financial Services
Operations
missed production shifts causes other plants to miss deadlines, where you are the sole provider missed shipment times causes customer to seek additional sources . . .
missed payment penalties, SLA fines . . .
Shared Services
missed investment opportunity, missed payment terms increases cost of production . . .
Same
R&D inability to respond to defect inquiry causes customer to indefinitely pull product . . .
Same
The BIA: Section 11, Operational Procedures
Are procedures documented; when were they last updated; are there alternate procedures; have they ever been tested; do people know about them?
Manufacturing Financial Services
Operations
packaging line. Who’s in-charge? Which products use the line? Where is product located? How is it delivered? What happens if something breaks? Transportation - Who is responsible for the process? Where are materials stored? What are the storage requirements? What triggers movement? . . .
Schedules, who to contact regarding outage . . .
Shared Services
Purchasing - Who is responsible? How are purchase orders created? How are vendors created? What are acceptable terms? . . .
Same
R&D Formula/code generation. Who is responsible? Who needs to be informed? When and how? How is data collected? Where is the data stored? How is the data retrieved? . . .
Same
The BIA: Section 12, Previous Disruptions
Identify disruptions, such as hurricanes (Isabel), that have had an impact on your critical functions and what the impact was.
Manufacturing Financial Services
Operations
water main breaks, power spikes, icy roads . .
Same
Shared Services
network outages . . . Same
R&D Same as above . Same