AN AUERBACH BOOK

CRC Press is an imprint of the Taylor & Francis Group, an informa business

Boca Raton London New York

Practitioner’s Guide to Business Impact Analysis

Priti Sikdar


CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2017 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-1-4987-5066-0 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com

and the CRC Press Web site at http://www.crcpress.com


Contents

Foreword ..... xvii
Preface ..... xix
About the Author ..... xxi

1 Understanding Organizational Context ..... 1
Where to Begin? ..... 2
Use of Work Breakdown Structure (WBS) ..... 2
Understanding of Organization Structure ..... 8
Types of Organizational Structures ..... 9
Understanding the People Culture ..... 12
Understanding the IT Infrastructure of the Organization ..... 12
Study the Geographical Dispersion of Business ..... 15
Understanding Applicable Compliance Requirements of the Organization ..... 16
Understanding Third-Party Service Providers ..... 16
Refer to Audit Reports ..... 18

2 Business Impact Analysis ..... 21
Introduction to Business Impact Analysis (BIA) ..... 21
Definitions ..... 21
Top Management Commitment ..... 22
Geographical Scope of a BIA ..... 24
Data Gathering for the Business Impact Analysis ..... 26
Some Golden Rules for Data Collection for BIA ..... 28
Key Deliverables from Data Collection for BIA ..... 29
Observation ..... 30
Surveying ..... 31
Face-to-Face Key Informant Interviews ..... 33
Group Interviews ..... 34
Document Analysis ..... 34
Workshops ..... 35
Delphi Technique ..... 35


Appendix ..... 39
Conducting an Interdependencies’ Workshop ..... 39
Background ..... 39
Attendees to the Interdependencies’ Workshop ..... 40
Steps for Conducting Interdependencies Workshop ..... 40
Benefits of Dependency Workshop ..... 42
Conclusion ..... 42
Business Impact Factors ..... 44
Chief Impact Factors on Business ..... 45
Some Emerging Trends in Global Business Environment ..... 46
External Factors That Impact Business ..... 48
Legal and Regulatory Factors ..... 49
Environmental Factors ..... 50
Operational Factors ..... 51
Technology ..... 59
Business Impact Analysis ..... 62
Loss Impact Analysis ..... 64
PESTLE Analysis for BIA ..... 64
Application Impact Analysis ..... 72
Identify Mission-Critical Records ..... 74
Recovery of Documents ..... 75
Minimum Business Continuity Objectives (MBCOs) ..... 75
Failover and Failback Systems ..... 79
Content of the BIA Workbook per Business Unit ..... 85
Consolidate BIA Responses ..... 86
Annexure A ..... 91
Case Study of Ambiguous Bank Inc. Disaster Recovery and Business Continuity Planning ..... 91

3 Risk Assessment and Reporting ..... 95
Introduction ..... 95
Risk Breakdown Structure ..... 99
Risk Assessment and Business Impact Analysis ..... 100
Risk Management ..... 101
Risk Management Framework ..... 102
Risk Management Framework Development ..... 103
PPRR Risk Model ..... 103
PPRR Steps ..... 104
Risk IT Framework (ISACA) ..... 104
The Risk IT Principles ..... 105
What Are the Benefits of Using Risk IT? ..... 106


Business Rationale for Risk Management Framework ..... 107
Risk Identification (Risk Identification, Risk Register) ..... 111
Techniques for Risk Identification ..... 112
Risks That Affect Business ..... 113
Risk Inventory and Risk Register ..... 115
Risk Analysis (Threats, Vulnerabilities, Analysis, Business Impact from Risk and Recommendations for Risk Treatment Strategies) ..... 115
Risk Evaluation Techniques ..... 118
Preliminary Hazard Analysis (PHA) ..... 119
Risk Ranking and Filtering ..... 120
Supporting Statistical Tools ..... 120
Basic Risk Management Facilitation Methods ..... 121
Initiating a Quality Risk Management Process ..... 127
Risk Assessment Methodologies (Qualitative Assessment, Quantitative Assessment) ..... 127
Risk Estimation Techniques ..... 127
Qualitative Risk Analysis ..... 128
Risk Calculator ..... 132
Mixed Risk Assessment ..... 132
Controls Recommendations ..... 134
Recommend Recovery Strategies ..... 134
Risk Treatment (Accept, Avoid, Share, Transfer, Insure) ..... 135
Avoid the Risk ..... 137
Reduce the Risk ..... 137
Risk Control ..... 138
Transfer the Risk ..... 138
Accept the Risk ..... 139
Risk Management Plan, Risk Review, and Risk Monitoring ..... 139
Risk Treatment Plan ..... 140
Use of Dashboards for Risk Monitoring ..... 141
Risk Heat Map ..... 143
Sensitivity Analysis ..... 144
Internal Rating System ..... 145
Risk Communication ..... 146
Review and Update Your Risk Management Plan ..... 146
Customize a Risk Management Plan for Your Organization ..... 146
Conclusion ..... 147
Risk References ..... 148
Risk Glossary ..... 148


4 Business Impact Analysis Reporting and Commitment of Resources ..... 151
Format for Management Report ..... 152
Contents of the Report ..... 153
Business Units, Business Processes, Criticality Benchmarks ..... 153
Depiction of Critical Functions/Departments and Criticality Scores ..... 154
Criticality Benchmarks ..... 154
Business Interdependencies ..... 155
Single Point of Failure ..... 157
Criticality Can Be Defined across Timelines ..... 158
Load Analysis Chart ..... 159
Recovery Objectives and Workaround Procedures ..... 159
Turnaround Time (TAT) ..... 160
Recovery Objectives ..... 160
Integrating Risk Assessment Findings into the Management Report ..... 161
Losses on Past Incidents ..... 165
Dollar Loss by Downtime ..... 166
Formalizing Management Report and Presentation ..... 168
Essential Features of BIA/RA Report to Management ..... 169
Calculation of ROI on Investment in BCM ..... 171
Recommendations to Management ..... 173
Segregation of Duties ..... 173
Managing Change ..... 174
Case Study ..... 174
Continuous Monitoring of BIA/RA Results ..... 175
Keeping the BIA Alive ..... 175
Conclusion ..... 175

5 BCM Strategy and Plans ..... 177
Introduction ..... 177
Formulation of Business Continuity Strategy ..... 177
Corporate Sponsorship ..... 180
Preplanning Phase ..... 181
Mission Statement for Business Continuity ..... 182
BCM Objectives ..... 182
Ascertain the Budget ..... 182
Evaluate the Different Recovery Options ..... 182
Awareness and Training ..... 188
Other Factors ..... 189
Planning and Development ..... 189
Business Continuity Team Organization ..... 189


Review the BCM Strategy Requirements ..... 196
Evaluating Recovery Alternatives in the Light of BCM Objectives ..... 198
Documenting the BCM Strategy ..... 198
Case Study—Sriman Health Insurance ..... 199
Details of Company ..... 199
Solution ..... 205
BCM Strategy of Sriman Health Insurance ..... 205
Recommendations for Remediation Noted during BIA/RA (Preventive Measures) ..... 208
Implementation and Maintenance ..... 211
Introduction of BCM Applications to Review and Update BCM Plans ..... 212
Business Continuity Follows the PDCA Cycle (Plan-Do-Check-Act) ..... 213
Business Continuity Management Plans ..... 214
Business Imperatives ..... 214
Plan Development ..... 215
Emergency Response Plan (ERP) ..... 215
Crisis Management Plan ..... 222
Crisis Communication Plan (Suggestive) ..... 231
Incident Management Plans ..... 234
Business Recovery Plans or Business Continuity Plans ..... 234
Business Resumption Plans ..... 235
Components of BRP ..... 236
Example Business Resumption Plan ..... 237
Annexures ..... 239
Annexure A: BCM Task List ..... 239
Annexure B: Emergency Preparedness Plan and Team ..... 241
Annexure C ..... 246
Annexure D: Crisis Communication Form—Incident Media Call Sheet ..... 250
Annexure E: Incident Declaration Criteria ..... 250
Annexure F: Incident Management Plan Template ..... 251
Annexure G: Incident-Handling Log ..... 255
Annexure H ..... 255
Annexure I ..... 255
Annexure J: Incident-Handling Procedures ..... 256
Incident-Handling Procedures—Earthquake ..... 256
Earthquake Emergency Response Procedures ..... 256
Practice Drills ..... 256
Major Considerations during an Earthquake Drill ..... 256
Before ..... 257


During an Earthquake ..... 257
After an Earthquake ..... 258
Evacuation Instructions and Plans ..... 258
Insurance Checklist ..... 259
Establish Priorities ..... 259
Gather and Store Important Documents in a Fire-Proof Safe ..... 259
Incident Response Procedures for Floods Hazard ..... 260
Policy ..... 260
Notification Procedures ..... 260
Incident Response in Case of Building Floods ..... 260
Incident Response Procedures for Terrorist Attacks ..... 263
Consequences of a Terrorist Attack ..... 264
After the Incident Procedures ..... 265
Appendix ..... 266

6 Information Technology Is All Pervasive in an Organization ..... 285
Introduction ..... 285
Emerging Technologies in Business ..... 286
Features of IT in an Enabling Capacity ..... 289
Information Technology Infrastructure ..... 290
The Need for an Information Systems Infrastructure ..... 291
Managing the Hardware Infrastructure ..... 292
Managing the Software Infrastructure ..... 294
Data and Knowledge ..... 295
Facilities ..... 296
Web Services ..... 297
Managing the Human Resource Infrastructure ..... 297
IT Disaster Recovery Plan ..... 299
Storage and Server Options ..... 300
Data Backup ..... 301
Data Marts ..... 303
Choosing the Right Backup Strategy ..... 303
Disk Replication (Mirroring, Shadowing) ..... 304
Server Virtualization ..... 304
Business Recovery in a Cloud ..... 305
Cloud Services: Computing ..... 305
Backup to the Public Cloud ..... 306
Use of IT Services to Improve Resiliency ..... 306
Backup as a Service (BaaS) ..... 306
Storage as a Service (STaaS) ..... 307
DR as a Service ..... 307
Software as a Service ..... 308


Evaluation of Business Continuity Strategy of Critical Vendors ..... 309
Legal and Regulatory Considerations in a Business Recovery ..... 312
Security of Operations, a Key Consideration in Recovery Planning ..... 313
IT Disaster Recovery Management Program Office ..... 314
IT DRM Team Organization ..... 315
BCM Governance Decisions ..... 316
BCM Program Implementation and Management Processes and Mechanisms ..... 317
Preliminary Steps ..... 317
Developing the BCM Program ..... 318
Disaster Recovery Scenario ..... 319
Implement and Validate ..... 320
Monitor and Manage ..... 320
BCM Program Metrics ..... 321
Tier One Metrics in Business Continuity Programs ..... 321
Tier Two Metrics in Business Continuity Programs ..... 321
Considerations for DR Siting ..... 323
Considerations in Designing the DR Plant ..... 323
Considerations in Building Own DR Site ..... 324
Updates to the DR Plan ..... 326
Audit/History ..... 326
Disaster Recovery Testing ..... 326
Administration/Maintenance of the Plan ..... 327
Emerging Technology Benefits for BCM ..... 327
Conclusion ..... 328

7 Business Continuity Tests and Exercises ..... 329
Introduction ..... 329
Nature of Tests and Exercises ..... 330
Discussion-Based Exercises ..... 334
Plan Orientation or Plan Walkthrough ..... 334
Game ..... 335
Live Play ..... 335
Workshop (Scenario-Based) ..... 335
Desk Check Exercise ..... 335
Checklist Exercise ..... 336
Desktop Exercises or Tabletop Exercises (TTXs) ..... 336
Operations-Based Exercises ..... 340
Drill ..... 340
Functional Exercise ..... 342
Full-Scale Exercise ..... 344
Simulation Exercise ..... 344


Technical Recovery Testing ............................................................345IT Environment (Systems and Application) Walkthrough ............. 346Alternate Site Testing ..................................................................... 346

Frequency of Tests and Exercises ........................................................ 348Debrief Teams of Testing Methodologies ............................................349

Parts of BCM Testing ..............................................................................349Scenario Planning ...............................................................................350Development of Scenarios ...................................................................350Key Points in Scenarios .......................................................................350Requirements of a Scenario .................................................................351

No Blame Scenario .........................................................................351Scenarios Rehearsing Lack of People ...................................................351Ex. Pandemic Flu ................................................................................352Scenarios to Rehearse “Lack of Access” ...............................................352Scenarios to Rehearse Lack of Rehearsing “Lack of Infrastructure” .....352Illustrative Examples ...........................................................................353

Blackout .........................................................................................353Downtime ......................................................................................354Terrorism ........................................................................................356

Debrief ................................................................................................357Assumptions in Building Scenarios .....................................................358Example Scenarios...............................................................................358Aftermath of Disaster ..........................................................................359Reason Why Organizations Must Plan for People Reactions? .............359Cyclical Testing of the Disaster Recovery Plan ................................... 360Preparing a Test Plan .......................................................................... 360Considerations Governing Design of Exercises ....................................365Formal Change Control Process ......................................................... 366Define Change Control Process ......................................................... 366Business Continuity Plan Exercise, Audit, and Maintenance ..............367Identify Postexercise Activities.............................................................367Establish Plan Maintenance Program ..................................................368Evaluating BCM Plans ........................................................................368Set Up the Next Exercise .....................................................................369

    Annexures .......... 369
    Annexure A: Considerations in Taking Help of Experts .......... 369
    Annexure B: Scenario Task List .......... 370
    Annexure C: Tabletop Exercise Walkthrough Scenario .......... 373

        Inject One .......... 374
        Inject Two .......... 374
        Inject Three .......... 374


8 Aligning IT with Business Requirement .......... 377
    Introduction .......... 377
    Considerations in Requirement Analysis and Specifications .......... 378
    Application Impact Analysis .......... 383

        Coverage .......... 384
    Impact of Security Concerns Caused by IT .......... 386
    Telecommunication Continuity Needs and Implementation of the Same .......... 386

        Last Mile Circuit Protection .......... 386
        Five Guiding Principles for Enhancing the Resilience of Communications .......... 388

    Impact from Data Unavailability/Corruption .......... 388
        Optimize Your Data Centre Environment .......... 390

    Impact from Failure of Supply Chain .......... 390
        BCM Supply Chain Vendor Checklist .......... 391
        Key Principles .......... 392

    Best Results Come from Alignment and Optimization .......... 392
        Information Technology Service Continuity Management .......... 393
        Why ITSCM? .......... 394
        ITSCM Processes .......... 394
        ITSCM Objectives .......... 394
        Risks Addressed by ITSCM .......... 394
        ITSCM Must Be Aligned to the Business Continuity Lifecycle .......... 395
        Service Level Management .......... 395
        The Business Value of ITSCM .......... 395

Conclusion ...............................................................................................396

9 Comparative Analysis of Requirements for Common Standards/Compliances .......... 399
    Need for Standards for BCM .......... 399
    BCM Standards .......... 400

        NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity .......... 400
        ASIS SPC.1 ASIS International SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems .......... 402

            ASIS SPC.1 .......... 402
        BS 25999 The British Standard 25999-2:2007 .......... 403

            NFPA 1600 versus BS 25999 .......... 404
            DRII/DRJ GAP versus BCMI GPG 2013 .......... 405
            Professional Practice Subject Area Overview .......... 405


ISO 22301 Was Published by the International Standardization Organization ...................................................................................... 408

            ISO 22301 Standard for Societal Security .......... 408
            COBIT 5, Risk IT, and Val IT .......... 409
            ISO 31000 (Risk) .......... 410
            Alignment with ERM .......... 415
            Common Points between ISO 27001, PCI DSS, and ISO 22301 .......... 416
            Greater Focus across Standards for Third-Party Supplier Management .......... 417
            How PCI DSS Can Support Third-Party Aspects of ISO 27001 Audits .......... 418
            ISO/PAS 2239:2007—Guideline for Incident Preparedness and Operational Continuity Management .......... 419
            Overview of Information Security Standards and IT’s Role .......... 419
            Enhance Leadership Teams and Align Response Strategies .......... 419

    Management to Take a Call on Certification .......... 420
    BCM Audit Assurance Program .......... 422

        Annexure A .......... 422
            Assessment Maturity versus Target Maturity .......... 422

Conclusion .............................................................................................. 423

Appendix: Annexures, Templates, Questionnaires, BIA and RA Forms, Graphs, and Illustrations ............................................................................425

Index ...........................................................................................................469


Chapter 1

Understanding Organizational Context

Practitioners are versatile; they are conversant with a large number of organizations having varied technological environments, different management structures, and diverse geographical expanses. The business environment is becoming increasingly complex; new styles of business are emerging; and e-commerce is coming up in a big way, affecting the styles of managing business and marketing products.

Conducting a business impact analysis (BIA) for an organization makes it imperative for a practitioner to understand the business and its manifold dependencies and relationships, and to study the enterprise as an extended enterprise (Figure 1.1).

The Internet provides a good means of obtaining information about organizations, including news stories, articles, and financial data published by the organizations themselves. The increasing velocity of data makes mining this information really difficult!

Business environment is dynamic and is constantly evolving to realize benefits through optimizing the resources. Every organization aims at carrying on business perpetually and being able to serve its customers almost on a 24/7 basis. We live in customer-centric markets operating in different time zones, and it is critical to keep our systems up and running to meet the requirements of all stakeholders.

A prelude to business impact analysis is understanding the organizational context. Some of the trends impacting the business landscape include globalization, electronic commerce, enterprise resource planning, outsourcing of business operations, and increasing legal and regulatory norms and cross-border laws for international businesses. In understanding the organizational context, it is important to consider external vendors, business partners, regulatory bodies, and customers as part of the “Extended Enterprise.”


Where to Begin?

When a practitioner is introduced to a new organization for a BIA, he or she will first direct his or her energies to getting information about the business organization from industry publications, the company web site, and published information, to get a first-hand idea of the size, geographical expanse, and management of the organization.

Use of Work Breakdown Structure (WBS)

In large multinational organizations, there are multiple products and many diverse processes; some are linked and some are independent. The presence of huge workflows in different geographical and global locations makes the determination of the impact on these business processes indeed a challenge! Understanding business processes is important in studying the organizational context. Hence a work breakdown structure will be useful.

A work breakdown structure is a key project deliverable that organizes the team’s work into manageable sections. It can be applied in breaking complex organizational structures into manageable sections and in studying complex processes (Figure 1.2).

A business continuity management process is considered as a project and will follow the same principles as followed under project management. The Project Management Body of Knowledge (PMBOK) defines the work breakdown structure as a “deliverable oriented hierarchical decomposition of the work to be executed by the project team.”* In this process, complex business functions are broken down

* http://www.workbreakdownstructure.com/how-to-make-a-work-breakdown-structure.php.

Figure 1.1 Extended enterprise. (Diagram: the internal environment of people, process, and technology, surrounded by stakeholders, supply chain vendors, legal and regulatory bodies, application service providers, customers, and consultants.)


into activities and subactivities in order to better comprehend each part and its relevant importance to the overall business function (Figure 1.3).
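As an added example (not the book’s own material), the following Python model holds a WBS of the shape shown in Figure 1.2. The tree, product names, and process names are constructed placeholders. Flattening the tree into fully qualified paths gives the TL a checklist of leaf-level activities that the BIA must cover in interviews or questionnaires, and counting leaves per branch shows where the bulk of the assessment effort sits.

```python
"""Added example (not the book's own code): a work breakdown structure (WBS)
for scoping a BIA, modelled on Figure 1.2. The tree below is constructed for
illustration; the product and process names are placeholders."""

# A WBS as nested dicts: a node maps child names to their own subtrees, and a
# leaf is an empty dict. Levels: business -> region -> product -> process -> subprocess.
WBS = {
    "Business": {
        "International": {
            "Product A": {
                "Process 1": {"Subprocess 1": {}, "Subprocess 2": {}},
                "Process 2": {},
                "Process 3": {},
            },
            "Product B": {
                "Process 1": {"Subprocess 1": {}},
                "Process 2": {},
                "Process 3": {},
                "Process 4": {},
            },
        },
        "Domestic": {
            "Product A": {
                "Process 1": {"Subprocess 1": {}, "Subprocess 2": {}},
                "Process 2": {},
            },
            "Product X": {
                "Process 1": {"Subprocess 1": {}},
                "Process 2": {},
                "Process 3": {},
            },
            "Product Y": {
                "Process 1": {"Subprocess 1": {}, "Subprocess 2": {}},
            },
        },
    }
}


def leaf_paths(node, prefix=()):
    """Yield the fully qualified path of every leaf activity, depth first.

    Leaves are the smallest units the BIA has to assess individually."""
    for name, children in node.items():
        path = prefix + (name,)
        if children:
            yield from leaf_paths(children, path)
        else:
            yield path


def leaf_counts(node, prefix=(), out=None):
    """Return {path: number of leaf activities beneath it} for every WBS node.

    Comparing the counts per branch shows where most of the assessment
    effort, and most of the exposure to disruption, is concentrated."""
    if out is None:
        out = {}
    for name, children in node.items():
        path = prefix + (name,)
        if children:
            leaf_counts(children, path, out)
            out[path] = sum(out[path + (child,)] for child in children)
        else:
            out[path] = 1
    return out


def uncovered(node, covered):
    """Leaf activities not yet covered by an interview or questionnaire.

    `covered` is a set of path strings joined with ' / '."""
    return [" / ".join(p) for p in leaf_paths(node) if " / ".join(p) not in covered]


if __name__ == "__main__":
    counts = leaf_counts(WBS)
    for path, n in counts.items():
        if len(path) <= 3:  # business, region and product levels only
            print(f"{' / '.join(path):45s} {n:3d} leaf activities")
    # Suppose the international side has been assessed already.
    done = {" / ".join(p) for p in leaf_paths(WBS) if p[1] == "International"}
    print("still to assess:", len(uncovered(WBS, done)))
```

The tree can be extended with whatever the organization’s as-is documentation provides; the two functions do not care about depth, so a product line that needs a sixth level simply nests one dict deeper.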

The culture and management philosophy gets reflected in the vision, mission, policies, and procedures adopted by the organization. As-is documentation is a big tool while attempting an organization-wide exercise. Our best assumption is that

Figure 1.2 Work breakdown structure (WBS). (Diagram: Business is broken down into International and Domestic; each into products such as Product A, Product B, Product X, and Product Y; each product into Process 1 to Process 4; and processes into Subprocess 1 and Subprocess 2.)

Figure 1.3 Factoring of processes. (Diagram: a business function decomposed into Activity 1 and Activity 2, and an activity into Subactivity 1 to Subactivity 3.)


we are doing the BIA at the behest of top management, and the intent of top management can be easily read in existing vision, mission, and policy documentation (Figure 1.4).

Generally, the objects clause present in the Memorandum of Association (company formation documents) of the company designates the boundary of business that may be conducted by the organization. Vision and mission statements throw light on the long-term proposed planning and management foresight in relation to the business. The team leader (TL) will be able to grasp the tone at the top and plan his or her activities accordingly.

A mission statement expresses the organization’s purpose in a manner that solicits support and continuous commitment. It lays a basis to set the tone of the company and to outline its concrete goals.

Let us have a few examples of published mission/vision statements:

1. Nike: “To bring inspiration and innovation to every athlete in the world.”

2. Starbucks: “To inspire and nurture the human spirit—one person, one cup, and one neighbourhood at a time.”

3. eBay: “Provide a global trading platform where practically anyone can trade practically anything.”

4. Oxfam: “A just world without poverty.”

Vision statements on the other hand are short one liners that outline the primary goals of the company. When you go through the vision, mission, and objectives, it will answer a few vital questions:

1. What are the opportunities and needs that the organization wants to address?

2. What is the current business of the organization? Does it address the needs outlined in the mission statement? In the case of Starbucks, it is to have a coffee chain in every neighborhood.

3. How does the organization address change in the mission or vision as originally drafted?

4. What levels of service are being provided?

Figure 1.4 Understanding mission, vision, and policies. (Diagram: vision, mission, policies, objectives, and procedures/SOPs.)


5. What are the underlying principles that guide the business? In the case of Nike, it is to cater to the needs of athletes. In case of Oxfam, a nonprofit-making organization, it is striving to fight poverty.

A statement should express the organization’s purpose in a way that inspires support and ongoing commitment. It is up to the mission statement to set the tone of the company and to outline concrete goals. A good mission gives employees something to bind them together in terms of common goals and, at the same time, helps brand building to influence public perception of the enterprise.

The TL who initiates the business impact analysis determines whether the mission and vision are duly exhibited and communicated to all key stakeholders: management, staff, suppliers, partners, customers, and outsourced vendors. According to a recent study conducted by Harvard Business Review, up to 70% of employees do not understand their company’s strategy. Communicating the mission/vision can serve to guide employees/executives in taking day-to-day decisions. A comparison chart shown in Table 1.1 depicts the significance of the mission and vision projected by the enterprise and throws light on why it is advantageous to start with examining them when performing a BIA.

Table 1.1 Queries on Vision-Mission Statements

Vision statement: Denotes purpose and value of business.
Question addressed by vision statement: Where do you want to be?
Mission statement: States primary objectives for customer needs and corporate values.
Question addressed by mission statement: How do you want to get where you want to be?

Vision statement: It is futuristic.
Question addressed by vision statement: It helps answer the question why you are working here.
Mission statement: It talks of the present leading to the future; it can form the base for long-term planning.
Question addressed by mission statement: Where do we aspire to be, say, in the next five years?

Vision statement: It influences how the world views your organization; it is image building.
Question addressed by vision statement: It helps prospective customers decide whether they would like to do business with you.
Mission statement: It gives direction to middle management and employees to carry on the day-to-day activities of business.
Question addressed by mission statement: Why do we do things? What for and for whom?


Policies are high-level statements; they are directive controls formulated by top management. Resultant procedures are an outline of boundaries, giving clear rules of authority and delegation of responsibility and accountability. For instance, a policy can be as follows: “The entire office area on the first and second floors will remain a nonsmoking zone.” Workplace policies deal with operational practices and ongoing management and administration. They remove doubts and misunderstanding in respect of work and provide transparency and consistency at work.

An organization may have different types of policies, including the following:

1. Code of conduct policy for employees
2. Communication policy
3. Health and safety policy
4. Staff recruitment policy
5. Termination of employment policy
6. Nondisclosure policy, which may include employees signing a Nondisclosure Agreement (NDA) at the time of joining the organization
7. IT security policy, e-mail policy, social media policy, and so on

Please note the above is not a comprehensive list. Organizations may make policies for the following two reasons:

1. Necessitated by legislative or regulatory requirement. For instance, in many countries, BCM is mandated by regulators, and hence organizations need to have the BCM policy and procedures in place.

2. Policies for running the administration of the company and forming a framework for business planning.

Policy is a top-down control, and all procedures in line with these policies will be strictly adhered to and will be interwoven into the work culture of the organization. The TL should determine that the policies and procedures are clear and concise and are actually communicated to the appropriate recipients, whether through e-mail, through posters, or through the company intranet.

A well-documented set of policies and procedures serves as a good assurance tool to determine compliance and assess performance. Benefits from initial reference to policies and procedures are that the uniformity in organizational procedures is made visible, and it serves as a benchmark to check compliance to organizational values and legislation.

The TL has to ascertain that policies deal with ongoing management and administration, and that they

◾ Are clear and concise.
◾ Are communicated to all employees.
◾ Delineate clear responsibilities for tasks.
◾ Indicate the means of solving new problems.
◾ Give a framework for business planning.

Illustration: During audit of a hotel chain, it was discovered that branch outlets were stacking old machines without scrapping them. When the site manager was questioned, it was learned that he or she was not aware of the procedure and of the person to whom he or she was supposed to escalate this matter. The impact was that there was a cost of storage of nonfunctional assets as well as the burden of insuring those assets. These factors had been overlooked.

Look for SOPs (Standard Operating Procedures): As policies are high-level statements and hence crisp and short, a set of operating procedures can be developed that delineates how to follow the policy by giving end-to-end procedures for each business process. These are referred to as standard operating procedures (SOPs) and give a clear indication of the origin and the end of the procedure and the authorities for approving and validating the respective procedures. The TL should ask for SOPs if the organization has them; this will help the team study the end-to-end flow of operations. Use of data flow diagrams (DFDs) will save a lot of time in the study of organizational processes.

A point to note for the TL here is that many times, the team for operational excellence/quality assurance within the organization is already maintaining DFDs of processes for monitoring performance because they must adhere to prespecified turnaround times (TATs), and obtaining a copy of these documents for reference will save a lot of time and will stop the TL from reinventing the wheel! In the absence of documented SOPs, a TL can use DFDs to document processes from end to end. DFD can be drawn using any one or combination of the symbols shown in Figures 1.5 and 1.6.
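As an added example (not the book’s own material), the Python below holds a DFD of the kind shown in Figure 1.6 as a small graph, using the symbol kinds of Figure 1.5 (processes, data stores, and external inputs/outputs joined by flows). It runs the consistency checks a TL would want before relying on a borrowed DFD as an end-to-end record of a process, and it lists the start-to-finish paths through the diagram. The nodes and flows are constructed placeholders, and the diagram deliberately contains two defects so the checker has something to report.

```python
"""Added example (not the book's own code): a data flow diagram (DFD) kept as
a small graph, with the consistency checks a TL can run before trusting it to
describe an end-to-end process. The diagram is constructed and only loosely
modelled on Figure 1.6; node and flow names are placeholders."""
from collections import defaultdict

PROCESS, STORE, EXTERNAL = "process", "store", "external"

# Constructed DFD. It deliberately contains two defects: Process 4 consumes
# data but emits none, and the flow from D1 to D2 moves data between stores
# without any process in between.
NODES = {
    "Customer": EXTERNAL,
    "Process 0": PROCESS,
    "Process 1": PROCESS,
    "Process 2": PROCESS,
    "Process 3": PROCESS,
    "Process 4": PROCESS,
    "D1": STORE,
    "D2": STORE,
    "Report": EXTERNAL,
}

# (source, destination, data label)
FLOWS = [
    ("Customer", "Process 0", "order"),
    ("Process 0", "Process 1", "validated order"),
    ("Process 1", "D1", "order record"),
    ("D1", "Process 2", "order record"),
    ("Process 2", "Process 3", "invoice"),
    ("Process 3", "Report", "invoice"),
    ("Process 3", "Process 4", "audit copy"),
    ("D1", "D2", "archive"),
]


def check_dfd(nodes, flows):
    """Return a list of findings; an empty list means the DFD is consistent.

    Rules applied (the usual DFD drawing conventions): every flow must have a
    process at one end; every process needs at least one input and one output;
    a data store that no flow touches is dead."""
    findings = []
    inflow, outflow = defaultdict(int), defaultdict(int)
    for src, dst, label in flows:
        for n in (src, dst):
            if n not in nodes:
                findings.append(f"flow '{label}' references undefined node '{n}'")
        inflow[dst] += 1
        outflow[src] += 1
        if nodes.get(src) != PROCESS and nodes.get(dst) != PROCESS:
            findings.append(f"flow '{label}' from {src} to {dst} bypasses any process")
    for name, kind in nodes.items():
        if kind == PROCESS:
            if inflow[name] == 0:
                findings.append(f"process '{name}' has no input (a 'miracle')")
            if outflow[name] == 0:
                findings.append(f"process '{name}' has no output (a 'black hole')")
        elif kind == STORE and inflow[name] == 0 and outflow[name] == 0:
            findings.append(f"data store '{name}' is never read or written")
    return findings


def end_to_end_paths(flows, source, sink):
    """All simple paths from one external entity to another, depth first.

    This is the start-to-finish view of a process that individual workers in
    a long workflow often lack."""
    adjacent = defaultdict(list)
    for src, dst, _ in flows:
        adjacent[src].append(dst)
    paths = []

    def walk(node, path):
        if node == sink:
            paths.append(path)
            return
        for nxt in adjacent[node]:
            if nxt not in path:  # do not loop through a node twice
                walk(nxt, path + [nxt])

    walk(source, [source])
    return paths


if __name__ == "__main__":
    for finding in check_dfd(NODES, FLOWS):
        print("finding:", finding)
    for path in end_to_end_paths(FLOWS, "Customer", "Report"):
        print(" -> ".join(path))
```

A DFD obtained from the operational excellence or quality team will usually be drawn for turnaround-time monitoring rather than for continuity work, so the checks above are a cheap way to confirm it still describes a complete process before it is used to plan BIA interviews.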

But in reality, modern organizational processes are complex, diverse, interlinked, and wearing a global cap. People working with long workflows themselves have little knowledge of the start–finish of the processes of which they are also a part. Business process workflows may originate from the entry at an outsourced vendor’s installation through different locations and then may join the organizational

Figure 1.5 DFD symbols: function, file/database, input/output, and flow.


network to complete a task. Hence procedure documentation may be a difficult task involving intrabusiness and intradepartmental interchange of information in order to complete the task.

Understanding of Organization Structure

Every organization has its unique structure, and it is important that the TL delves into the structure and gets to the “who-is-who” of the organization. This helps determine the authority–responsibility relationships and understand the span of control. It will further help identify the people whom you want to interview during the BIA exercise. Basically, an organization structure is a hierarchy of people and their functions.

Figure 1.6 Example of a dataflow diagram. (Diagram: inputs feeding Process 0 through Process 4, each with a description, and data stores D1 and D2.)


Business continuity is organization wide; it has to be embedded into the culture and practiced continuously. Hence it is imperative for a practitioner to understand organizational structure, since it will help him or her to study the values and bonding within the organization. It is possible that a big and diversified organization may have different structures for different lines of business or different products, and this diversity has to be understood at the beginning of the project.

Types of Organizational Structures

1. Flat organizational structure: In many small organizations (generally 20 employees or less), a flat structure with a few levels of management exists; executives, analysts, secretaries, and lower level employees are in close coordination with management. It facilitates quick decision making (Figure 1.7).

2. Bureaucratic structures: In well-organized organizations that are sizable, a bureaucratic structure may exist. The characteristics of such an organization are
   a. The use of standard methods and procedures for performing work.
   b. A high degree of control to ensure standard performance.
   c. Existence of tall structure or hierarchies (Figure 1.8). They maintain strict hierarchies of positions and form a tall structure.

Bureaucratic organizations tend to be slightly standardized, and the postbureaucratic structures reflect some flexibility and modern ideas and methodologies. They may introduce a total quality management (TQM) system.

3. Functional structure: This is based on job functions such as marketing, research and development, and finance (Figure 1.9).

Small companies should use a functional organization when they want to arrange their organizational structure by department. For example, a small company may have a director, two managers, and two analysts in the marketing department. The director would likely report to the chief executive officer (CEO), and both managers would report to the director. In addition, each manager may have an analyst reporting to him or her. A functional organizational structure works well when small companies are heavily project focused. Directors can assign certain projects to managers, who can then divide tasks with their analysts. The department can then more effectively meet its project deadlines.

Figure 1.7 Flat organization structure. (Diagram: a board with Operations, Admin, HR, and IT reporting directly to it.)


4. Divisional structure: This is generally used in large organizations that are spread over geographical locations and have different types of products or market areas. To illustrate, an engineering company can have a projects division, a products division, and many subdepartments within each division. Again, each division may have a domestic business and an international

Figure 1.8 Bureaucratic structure. (Diagram: board of directors; chairman and managing directors; CEO, COO, CFO, and CTO; vice presidents for projects, marketing, and finance; managers for taxation and MIS; chief programmer, application programmer, and systems analyst.)

Figure 1.9 Functional structure. (Diagram: a CEO over three functional managers, each with three staff.)


business. The advantage is the ease of administration, but employees do not interact between divisions, and sometimes the optimum use of resources cannot be made (Figure 1.10).

A disadvantage of the divisional structure is that it is costly because of its size and scope. Small businesses can use a divisional structure on a smaller scale, having different offices in different parts of the city, for example, or assigning different sales teams to handle different geographic areas. Divisions can be formed on a geographical basis, on a product/service line basis, or on any other criterion deemed fit by the management.

5. Matrix organization: A matrix organizational structure is a company structure in which the reporting relationships are set up as a grid, or matrix, rather than in the traditional hierarchy. In other words, employees have dual reporting relationships—generally to both a functional manager and a product manager. It is a hybrid of functional and divisional structures. In a team-based architecture, teams are based on functions or projects. The matrix organizational structure divides authority both by function and by project.

In a matrix structure, each employee reports to two immediate supervisors: one functionally and another administratively. The best talent required from each division is sought for the purpose of working on projects with common objectives. An advantage is the deployment of optimum resources from within the organization to work on organizational projects (Figure 1.11).

In a BIA, it is necessary to understand the current organization structure. It will make administering BIA and collecting information from each section simpler. One thing to note would be that interdependencies exist in every organization. Any part of the organization needs other parts in order to function smoothly.

Figure 1.10 Divisional structure. (Diagram: a CEO over divisions for products X, Y, and Z, each with its own R&D, marketing, and finance.)


Understanding the People Culture

Associated with every organization structure are the people who fill those structures. A practitioner’s experience of people in the different organizations they visit is varied. There is one lot that is not so knowledgeable but that respects the practitioner’s subject expertise and is willing to learn. There is one lot that is indifferent and does not want to go beyond its normal duties. There is one section who readily answers your queries and another section that is tight lipped and does not reveal much. Amid all these different mind-sets, a practitioner has to conduct an organization-wide exercise.

A first assessment of culture and a few handshakes will make him or her ready for what lies ahead; it will help him or her frame approach roads and a methodology for his or her further steps. Knowledge of the who-is-who matrix sets the stage for persons to contact during the BIA, and it saves time by enabling prescheduling of meetings and interviews or circulation of a questionnaire.

Understanding the IT Infrastructure of the Organization

Information technology is all pervasive and penetrates each and every segment of the organization. The rapid pace of business and technology changes, coupled with increasing performance expectations from customers, employees, and management, applies constant pressure on IT infrastructures and supporting teams to provide around-the-clock availability and to minimize planned and unplanned disruptions. Enterprises are now adopting technologies that enable high-availability systems, real-time communications, and faster recovery times while minimizing IT cost. Technology is a dynamic function in every organization.

Figure 1.11 Matrix organization. (Diagram: a COO over production, R&D, marketing, and finance managers; project managers for projects X, Y, and Z each draw production staff and R&D, marketing, and finance executives from those functions.)


Information technology can be broadly divided into the following:

1. IT infrastructure 2. IT applications

IT infrastructure is in the form of the hardware, telecommunications, and other infrastructure necessary to house information assets of the organization, and this should be flexible to accommodate growth and expansion of the organization. A customized IT control infrastructure fulfills the following objectives:

1. Internal control 2. Business continuity needs 3. Compliance to best practices/standards 4. Scope for self-assessments and continuous improvement 5. Reduction in security incidents/downtime/disruptions 6. Release of resources for productive business purposes 7. Ease of audits

A clear understanding of IT infrastructure is as important as understanding the business that the organization is into. IT is an enabler, a service department within the business environment. Every organization has an IT profile with a blend of IT infrastructure, services, and applications that govern the day-to-day business of the organization. Assessing IT infrastructure at the onset facilitates planning for ITDR at a later stage.

As a practitioner, a round with IT generally involves a probe into the following areas:

1. Hardware infrastructure and viewing where the information assets are placed (the network diagram, Figure 1.12).

2. Applications used by different departments and sections and utilities deployed to ease operations.

3. Location of data center and server rooms, UPS, storage of backups, and whether there exists a process for offsite or online transfer of data to backup site, if any.

4. Existence of program development within the organization and segregation of environments.

5. Modes for telecommunication and connectivity including remote connectivity to enterprise systems.

Increasing demands on storage, data protection, processing priorities, and reporting have brought in applications of emerging technologies (virtualization, cloud computing, mobile devices, and social networks) that have introduced new challenges, risks, and opportunities that must be either addressed or exploited.


Advances in telecommunications, user-friendly technology, improved data storage solutions, cost-effective virtualized environments, and cloud computing are enabling enterprises to increase data storage capabilities, to become agile, and to improve business resilience. They can also be mobilized to serve the business continuity objectives of an organization. Technology can provide a vehicle for channelizing business at alternate locations. Mobile devices and social networks can provide channels for communication in a crisis. There is always a need to interact and collaborate with customers, suppliers, employees, government agencies, and peers during a business disruption.

To adapt and respond to such demands under both normal and adverse conditions, the enterprise is incorporating robust technology that supports policies and procedures, and recovery solutions that are tested periodically as part of the BCM program. IT as an enabler has to support complex business relationships, multifarious products, and diverse business interests that change as opportunities arise, which places heavy pressure on the IT infrastructure and applications to give support and timely modification.

IT applications that run the business, the application development process, where they are maintained from, the change management process, compatibility with other applications, the computing environment, and all other associated factors have to be considered in order to ascertain the accuracy, reliability, and authenticity of the information systems existing in the organization.

Figure 1.12 Illustrative network diagram (a server and network nodes labelled S1, S10, R1 to R5, and C31 to C35 across two addressed segments).

Data storage facilities have been revolutionized, and data vaulting, backup to disk, deduplication, and so on are used for backup and data controls. Advances in telecommunication and the lowering cost of facilities that enable higher bandwidth have enabled organizations to increase data storage and replication. This gives disaster recovery a boost by electronically replicating data and programs offsite.

The capability to access enterprise resources using laptops, tablets, and smartphones represents a significant advantage for employees who cannot travel to the physical location of the enterprise; use of VPNs is widespread. This has led to savings in space and computing resources by advocating a work-from-home culture.

TL has to understand how the organization is enhancing its resilience by using server virtualization and cloud computing and moving applications to temporary environments during planned outages or system maintenance. Planning for business continuity is planning for disaster recovery. IT plays a pivotal role in providing for resources and alternate processing facilities in the form of ITDR.

ITDR requires immense resources, and, in order to achieve resource optimization, it is worthwhile to identify existing resources that can be channelized toward ITDR activities. A simple VPN and work-from-home facility granted to your executives can be a business continuity arrangement that is already tested and already live! In an era of strict budgetary constraints, looking at the utilization of existing resources is always advantageous.

Study the Geographical Dispersion of Business

Whenever we visit an organization for any type of consultancy, internal audit, or other work, it is important to note the total expanse of the business. Today organizations have gone global, with one leg in one continent and the other leg in another continent. In this case, scoping of work becomes difficult. It may not be possible to visit all locations or countries. Even where a location is excluded from scope, responsibility for identifying risks to the business arising from interdependencies between locations cannot be absolved (Figure 1.13).

To illustrate, during one such BIA exercise, it was discovered that some of the applications used by the organization were controlled from an overseas location. On probing, it was discovered that the overseas location had no provision for IT DR, and hence there was a reverse risk that the organization faced: in the event of the overseas location being down, the current location of the organization would be down until the overseas location was restored.

Transborder laws are applicable for the transfer of data from one country to another. Privacy laws are different, and there is no standard or global cyber law. The risk of breach of information security exists in the absence of controls, and hence understanding the laws governing all related locations is significant in the BIA exercise.


Understanding Applicable Compliance Requirements of the Organization

Listing the applicable global regulations, mandatory standards, and business-specific regulations stipulated by the regulators of the industry will help the practitioner cover the legal and regulatory risks faced by the organization. Information on these can be gathered in the initial meetings and discussions with the client and confirmed by checking the official websites of the regulatory bodies.

Understanding Third-Party Service Providers

As part of the extended enterprise, third-party service providers hold organizational dependencies, and hence it will be beneficial for the practitioner to look at service level agreements (SLAs) to check whether they contain a “right to audit clause,” which empowers the client organization to conduct an audit of the physical security and continuity arrangements at the provider’s installation, to ensure continued service from the provider even during a disaster or outage. Alternatively, regularly receiving independent third-party audit reports (SSAE 16 or ISAE 3402) will be evidence of the controls exercised at the provider’s installation.

The most commonly outsourced services are the data center, payroll processing, data entry operators, and so on. The importance of each activity covered and the impact of nonreceipt of services from each such provider during a disaster need to be assessed, and hence preparation of a department-wise chart will ease the BIA process. In the illustration in Table 1.2, the payroll-processing service is significant as employees’ morale is at stake, and furthermore many employees may have to pay off their monthly installments on housing loans, car loans, and so on.

Figure 1.13 Business dispersion across the globe (locations D, D1, D2, and D3).


Table 1.2 Querying for Third-Party Services Provider

Name of Service Provider: Ascon payroll services
Department(s) Utilizing the Service: HR/admin
Nature of Service: Payroll processing
Periodicity of Service: Monthly
SLA Contains “Right to Audit Clause?”: Yes
Provider has IT DR in Place?: Yes
Is Service Considered to be Vital for Organizational Continuity?: Yes


Refer to Audit Reports

In the present context, an organization undergoes manifold audits: some are mandated by regulators, some by management, and some others by vendors. A quick look at the report content, including any qualifications raised, can be useful for understanding the controls and the way of working of the organization.

1. Internal audit: The internal audit function takes care of all mandatory standards, implementation, and audits that go on almost throughout the year. A risk-based approach to audit is beneficial in identifying control gaps and remedial measures to remove these control gaps. But even an internal audit team working within the organization has to understand different functions, business units, people, and so on in order to carry out the relevant audits effectively. These audit reports help practitioners to make a first overview of operational risks and regulatory noncompliance issues faced by the organization.

Understanding which sector the business falls in is important for determining regulatory requirements and compliance with standards and procedures; the Policy and Procedures manual will also help determine rules and internal compliances. Sometimes it will pay to look at the existing documentation; for instance, at one place I found that the business had a business excellence division that held data flow diagrams of individual processes along with turnaround times (TATs), and this document can be used to determine the RTOs and list critical processes.

2. Management audits: For management audits, the focus is more on the planning process and the people process. At the onset, the planning process involves setting the vision, mission, policies, and procedures. Auditors look at the Policy Manual, Standard Operating Procedures manual, and other documents existing with the client and make a document review, which will assist them in the subsequent business impact analysis exercise.

The existence of policy documents and mission statements that express management philosophy must be coupled with employees being aware of the mission, vision, policies, and procedures and having an understanding of their roles and responsibilities in the organizational setup. This can be witnessed by the inclusion of a presentation in the induction procedure and a sign-off from individual employees, who, after reading and understanding the documents, give an undertaking to abide by them.

TL can assess job descriptions and supporting documents that relate to management communication and documentation of key result areas (KRAs) to understand the spread of the organization and the segregation of duties.


3. Operational audits: Auditors will assess revenue streams, inventory details, quality stipulations, turnaround time (TAT), inspection reports, third-party suppliers, third-party assurance (SSAE 16) reports, the list of alternate suppliers in case of emergency, and so on. Auditors cover the procurement process, production process, distribution process, trading module, sales process, advertising, promotion processes, and so on. The TL doing a BIA needs to read industry publications, study the economic and regulatory environment and business trends, benchmark competitor products, and study the standards set by the organization for operational excellence.

4. Financial auditors: Financial auditors have an assurance agenda over financial statements, budgets, cost variations, MIS, payouts and income, and the factors that impact the profitability of the organization. Elements to be assessed include the following:
– Bookkeeping
– Costing
– Budgeting
– Loans
– Financial analysis

5. Technology auditors: This is emerging as an important field as technology is entwined into the fabric of every organization, wherefrom it serves as a chief enabler to business and acts as a chief channel for communication and integration among all business units. The major areas to see comprise

a. Chief applications that help run the business.
b. IT general controls that protect the applications.
c. Interfaces and utilities used by the people.
d. Network architecture and firewalls, IDS, and so on.

Compliance is an important business function, and the auditor should enlist the compliances required to be met by the organization along with all supporting documentation, recent management assertions, and audit reports. Before initiating a BIA, it helps to obtain the audit points that may have a bearing on the criticality analysis and on the gaps to be identified in an attempt to treat the risks that the organization faces.

Understanding the organizational context in terms of internal and external dependencies and listing the vendors, suppliers, and service providers associated with the organization lay a foundation for conducting the business impact analysis. A fair idea of the business and the organization structure will help further activities in the process. Viewing the organization in extended form helps perform a comprehensive analysis of recovery objectives.

Information is the key to success in almost all fields, so doing proper groundwork, exploring external sources such as industry publications, trade journals, and annual reports, and gaining knowledge of the organization and the business conducted by the organization are essential steps in initiating the BIA exercise. The Federal Financial Institutions Examination Council (FFIEC) has said that “the institution’s first step in building a business continuity plan (BCP) is to perform a BIA.”* To get the BIA right, we need to get our facts right! Authenticity of information is gained from its source and the effort that has gone into building up the information. In addition, well begun is half done; a good BIA results when the practitioner has a fair understanding of the organization and its complexity in terms of people, process, and technology.

* D. J. Cougias, Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook series.