Charlotte NC Chapter Wednesday, May 12, 2004 Welcome Hosted by:


Charlotte NC Chapter, Wednesday, May 12, 2004

Welcome

Hosted by:

Presented by Dave Shimberg, CBCP

Based on materials from: Ken Jaunais, KPMG

May 14, 2004

The Business Impact Analysis

Agenda

1. The Business Impact Analysis

a. Why do I have to do this? – the Goals

b. Now that I’ve taken my time to do it, what’s in it for me and my organization – the Objectives?

c. Sounds easy, how do I do it – the Process?

2. Questions and Answers

BIA: The Goals

Two Primary Objectives

1) Information Gathering

– Establish the value of each unit or resource as they relate to the function of the total organization

– Provide the basis for identifying the critical/time-sensitive resources required to develop a business recovery strategy

– Establish an order of priority to restoring the function of the organization in the event of an unplanned event

2) Sell / Justify BCP program

BIA: The Objectives

• Assess the impact(s) of an outage

• Determine time criticality of business processes, functions, departments, and work areas as related to total organization function

– Risk Analysis (threat – impact – likelihood of occurrence)

• Determine time-critical application systems, data, and telecom

• Determine required availability time(s) for functional departments

• Determine interdependencies between processes

• Determine recovery resource requirements

– People, work area, equipment, supplies, applications, other

The BIA - Phases

1. Project Planning

2. Data Collection

3. Data Analysis

4. Reporting Findings

5. Approval for Next Phase

The BIA Phases – Project Planning

1. Objectives

- identify critical business functions and dependencies, impact of disruptions and resources

2. Scope

- departmental, facility/complex, region, organization

- At what level will BIA and planning be carried out?

- Department Function

- Process (based on process owner, may cross departments or other boundaries)

The BIA Phases – Planning (cont.)

What are you trying to analyze?

- Mission

- Service Objectives

- Dependencies

- Impacts over time – SLA, Financial, Legal or Regulatory, Customer Service, Market Share . . .

The BIA Phases – Planning (cont.)

Reference Materials?

- Business unit or Corporate Mission Statement

- SLAs

- Org Charts

- Policies and Procedures

- Annual Reports

The BIA Phases – Planning (cont.)

How are you going to collect the data?

- Questionnaire

– Variety of tools, documents, applications

- Interview

- Combination

The BIA Phases – Data Collection

End user should be able to provide:

- Potential impact of mitigation

- Critical time periods

- Legal, regulatory, contractual requirements

- Financial impact

- Operational impact

The BIA Phases – Data Analysis

Quantitative Impact

• Losses identified in quantities, percentages, or factor of standard that can be described in monetary terms

• Sales, market share, penalties, assets, revenue, income

• Actual or order of magnitude

– Quick Risk Rating tool may help

Effort Priorities are set by Risk and Impact

• Threat is something that poses a danger

• Risk is the probability that a threat will materialize, measured in impact $

The BIA Phases – Data Analysis (cont.)

Qualitative Impact

• Intangible losses that can impact operations but that cannot be quantified in monetary terms

• Losses with financial impact that cannot be quantified

• Reputation, public image, morale, others?

• Efficiency, satisfaction, control, inter/intra-departmental

• Order of magnitude

The BIA Phases – Reporting Findings

• Who’s the audience?

• Policy and procedures

• Keep it Simple

• Graphical or narrative

The BIA – Sample BIA Results

The next several slides are for informational purposes

The BIA Phases – Sample BIA Results


The BIA: It’s an Iterative Process

SME, and/or whomever, complete questionnaire(s) on critical business processes/functions (Collect Data)

Core Business Function(s)

BIA Workshop

SME, and/or whomever, analyze process flows and BIA dependencies/impacts for critical processes/functions (Analyze Data)

SME, and/or whomever, review financial/capacity/time-dependent attributes for critical business processes/functions (Analyze/report Data)

SME, and/or whomever, level-set process/function against benchmark to determine if additional drill-down into sub-processes is needed; if “Yes”, sub-process goes through cycle (Report/approval of Data)

The BIA – Questions and Answers

That’s all folks

The BIA – Focus Areas

The following slides represent traditional focus areas of the BIA

We can entertain discussing these slides as time permits

BIA: Focus Areas

• Section 1 – Critical Functions

• Section 2 – Cyclical Processing

• Section 3 – Processing Profile

• Section 4 – Service Level Agreements

• Section 5 – Estimated Personnel Requirements

• Section 6 – Business Relationships

BIA: Focus Areas (continued)

• Section 7 – Vital Records Identification

• Section 8 – Infrastructure Requirements

• Section 9 – Operational Impacts

• Section 10 – Financial Exposure Due to Loss of Function

• Section 11 – Operational Procedures

• Section 12 – Previous Disruptions

• Section 13 – Other issues and/or concerns

The BIA: Section 1, Critical Functions

Define the functions that are most important to your business. What triggers the function to start, and how do you know that the function has been successfully completed?

Operations

- Manufacturing: supply planning, processing (cleaning, filling, packaging, warehousing, quality control, etc.) . . .

- Financial Services: payments made, files sent . . .

Shared Services

- Manufacturing: invoicing, order entry, cash receipts, purchasing, human resources, global raw spice purchasing . . .

- Financial Services: same

R&D

- Manufacturing: product development, product creation . . .

- Financial Services: same

The BIA: Section 2, Cyclical Processing

Define during which months and weeks the performance of your functions is most important.

Operations

- Manufacturing: seasonal requirements, customer supply and demand cycle . . .

- Financial Services: daily, weekly, monthly schedules . . .

Shared Services

- Manufacturing: quarter and year-end close, recruiting, growing seasons . . .

- Financial Services: same

R&D

- Manufacturing: new campaign cycles (internal and external) . . .

- Financial Services: same

The BIA: Section 3, Processing Profile

Quantify the peak period daily production of your critical functions. Also, quantify, in dollars, the daily peak production of your critical functions in terms of cost and revenue.

Operations

- Manufacturing: Pounds/#’s of product – cleaned, palletized, number of trucks loaded . . .

- Financial Services: daily, weekly, monthly schedules . . .

Shared Services

- Manufacturing: quarter and year-end close, recruiting, number of orders processed – entered, invoiced, payments processed . . .

- Financial Services: same

R&D

- Manufacturing: number of projects in queue . . .

- Financial Services: same

The BIA: Section 4, Service Level Agreements

Identify who you have agreements with, what kind of agreements they are, and what the penalties for non-compliance are.

Operations

- Manufacturing: purchasing, other Plants, 3rd Party warehouses, carriers . . .

- Financial Services: clients, the Fed, vendors . . .

Shared Services

- Manufacturing: vendor, customer and employee master records . . .

- Financial Services: same

R&D

- Manufacturing: new product development support, product quality support . . .

- Financial Services: same

The BIA: Section 5, Personnel Requirements

Quantify the total number of personnel required to perform each critical function (same day). Identify the staffing requirements to recover the critical functions over time. Consider that critical functions do not necessarily have to be fully staffed immediately.

Operations

- Manufacturing: to run the various lines, warehousing . . .

- Financial Services: mainframe and distributed system recovery, scheduling . . .

Shared Services

- Manufacturing: to do invoicing, purchasing . . .

- Financial Services: same

R&D

- Manufacturing: to work on formulas, research . . .

- Financial Services: same

The BIA: Section 6, Business Relationships

Identify who you support and how you support them. What do you provide and how critical is it? What do others provide you and how critical is it to your processes?

Operations

- Manufacturing: different plants with raw and/or finished goods, on-site relationship managers, materials movement . . .

- Financial Services: other banks, the Fed, clients . . .

Shared Services

- Manufacturing: invoicing, purchasing . . .

- Financial Services: same

R&D

- Manufacturing: product management system, defect research . . .

- Financial Services: same

The BIA: Section 7, Vital Records

Identify documents by type that you require to perform your processes, how long you can be without them, and what form they take.

Operations

- Manufacturing: product content, supply schedule, customer orders . . .

- Financial Services: processing schedule, code . . .

Shared Services

- Manufacturing: I-9 forms, SLAs, contracts . . .

- Financial Services: same

R&D

- Manufacturing: research notes, library materials . . .

- Financial Services: same

The BIA: Section 8, Infrastructure

What infrastructure requirements do you need to perform your critical functions – phones, fax, imaging system, etc.?

Operations

- Manufacturing: ERP package, product Management System . . .

- Financial Services: ERP package, scheduling software . . .

Shared Services

- Manufacturing: ERP package . . .

- Financial Services: Same

R&D

- Manufacturing: ERP package, product Management System . . .

- Financial Services: Same

The BIA: Section 9, Operational Impact

Quantify the impact that the loss of a critical business function would have over time.

Operations

- Manufacturing: loss of one production over another, shipping orders to external versus internal customers . . .

- Financial Services: In-flight payments may have a more significant impact than evening runs . . .

Shared Services

- Manufacturing: loss of SAP may significantly impact cash flow after Day 3; but order entry may not be impacted until Day 5 . . .

- Financial Services: Same

R&D

- Manufacturing: loss of formula records/codes may have a significant impact on the same day; but defect research may only have a slight impact after Day 3 . . .

- Financial Services: Same

The BIA: Section 10, Financial Exposure

If the current recovery time is 48 – 72 to restore data, what financial impact will this have on your processes over time?

Operations

- Manufacturing: missed production shifts causes other plants to miss deadlines, where you are the sole provider missed shipment times causes customer to seek additional sources . . .

- Financial Services: missed payment penalties, SLA fines . . .

Shared Services

- Manufacturing: missed investment opportunity, missed payment terms increases cost of production . . .

- Financial Services: Same

R&D

- Manufacturing: inability to respond to defect inquiry causes customer to indefinitely pull product . . .

- Financial Services: Same

The BIA: Section 11, Operational Procedures

Are procedures documented; when were they last updated; are there alternate procedures; have they ever been tested; do people know about them?

Operations

- Manufacturing: Packaging line - Who’s in charge? Which products use the line? Where is product located? How is it delivered? What happens if something breaks? Transportation - Who is responsible for the process? Where are materials stored? What are the storage requirements? What triggers movement? . . .

- Financial Services: Schedules, who to contact regarding outage . . .

Shared Services

- Manufacturing: Purchasing - Who is responsible? How are purchase orders created? How are vendors created? What are acceptable terms? . . .

- Financial Services: Same

R&D

- Manufacturing: Formula/code generation - Who is responsible? Who needs to be informed? When and how? How is data collected? Where is the data stored? How is the data retrieved? . . .

- Financial Services: Same

The BIA: Section 12, Previous Disruptions

Identify disruptions, such as hurricanes (Isabel), that have had an impact on your critical functions and what the impact was.

Operations

- Manufacturing: water main breaks, power spikes, icy roads . . .

- Financial Services: Same

Shared Services

- Manufacturing: network outages . . .

- Financial Services: Same

R&D

- Manufacturing: Same as above

- Financial Services: Same

The BIA: Section 13, Other Issues and Concerns

What hasn’t been addressed that you know will have an impact on your processes?

• Loss of intellectual property – internal and those entrusted to you by your customers

• Other Single Points of Failure