Implementing a Successful BIA Process · Implementing a Successful BIA Process BarryCardoza ... But...
100
Implementing a Successful BIA Process BarryCardoza@BarryCardoza com Session W4 BarryCardoza@BarryCardoza.com
Transcript of Implementing a Successful BIA Process · Implementing a Successful BIA Process BarryCardoza ... But...
What is a Business Impact Analysis?The Federal Financial Institutions Examination Council (FFIEC) has thisThe Federal Financial Institutions Examination Council (FFIEC) has this to say about a BIA:“A business impact analysis (BIA) is the first step in the business continuity planning process and should include the:continuity planning process and should include the:• Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis;.• Identification of the potential impact of business disruptions resulting from uncontrolled, nonspecific events on the institution's business functions and processes;• Identification of the legal and regulatory requirements for the institution's business functions and processes;• Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; andfunctions and processes; and• Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.
2
What is a Business Impact Analysis?International Standards Organization ISO 22301 says this about a BIA:g yThe organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. The business impact analysis shall include the following: ) d if i i i i h h i i f d da) Identifying activities that support the provision of products and services; b) Assessing the impacts over time of not performing these activities; c) Setting prioritized timeframes for resuming these activities at ac) Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; andunacceptable; and d) Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.p
3
What is a Business Impact Analysis?International Standards Organization ISO 22301 says this about a BIA:g yThe organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services. The business impact analysis shall include the following: ) d if i i i i h h i i f d d
At this time, ISO is in the process of creating a new standard, ISO 22317,
a) Identifying activities that support the provision of products and services; b) Assessing the impacts over time of not performing these activities; c) Setting prioritized timeframes for resuming these activities at a
which will focus specifically on the Business Impact Analysis.
c) Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; andunacceptable; and d) Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.p
4
What do they have in common?
They refer to a process that identifies and measures potential Quantifiable Impact and Qualifiable Impact.
They refer to identifying impact, as opposed to the source of the impact.
They refer to identifying the dependencies of the critical business processes.
They refer to a process from which management will have the information required to make continuity planning decisions.q y p g
5
Why do a Business Impact Analysis?• Business Impact Analysis (BIA) is now recognized as one of the first• Business Impact Analysis (BIA) is now recognized as one of the first steps in a comprehensive Business Continuity Program, as referenced in most every Business Continuity guideline/standard/regulation.
R l (if i i f ll d l i h f• Regulators (if your organization falls under any regulations that refer to Business Continuity) may be requiring that you do a BIA.
• Internal and external auditors who are aware of Business Continuity guidelines may be expecting you to do a BIA.
• Internal Risk Management may expect you to do a BIA as a part of overall enterprise risk management.overall enterprise risk management.
• Increasingly, we are seeing clients requiring proof that their vendors (you?) have done a BIA as a part of their vendor risk management.
• Senior Management, aware of any or all of the above, will most likely expect you to do a BIA.
6
Why do a Business Impact Analysis?Even more importantly the hard and soft dollar costs of performing aEven more importantly, the hard and soft dollar costs of performing a BIA are OVERWHELMINGLY eclipsed by the value to your organization:
Identifying the organization’s most critical Business Processes.
Identifying the most critical dependencies of critical Business Processes including:
People/expertise dependencies People/expertise dependencies
Technological dependencies
Vendor/Service Provider dependenciesVendor/Service Provider dependencies
Etc.
Focusing hard and soft dollar resources on the most critical areas.g
The BIA can save your organization considerable money by applying resources where the are needed and notwhere they are not needed.
7
A businessA business continuity plan that is not predicated on or guided by the results of a business impact analysis (BIA) is
Eugene Tucker, CPP, CFE, CBCPRisk Analysis and the Security Surveyanalysis (BIA) is
at best guesswork, is incomplete, and
Risk Analysis and the Security SurveyButterworth‐Heinemann, Copyright 2006
may not function as it should during an actual recovery.
Graphic by Richard Cardoza8
Tools and Examples
At the end of this workshop you willworkshop you will receive a CD that
contains various tools you can use toward
developing or henhancing your own Business Impact
Analysis (BIA) processAnalysis (BIA) process.
9
So, what is the purpose of a Business Impact Analysis?
• Business Impact Analysis (BIA) identifies the criticality of the various business processes within your organization.
Th ll i i i f• That allows you to prioritize your resources so you can focus on your most critical processes first when doing planning or actual business process recovery during a crisis.
For instance:
• A company may have a process that supplies equipment over a very long delivery timeline. Being unable to function for a few days may not impact client satisfaction, if the client is even aware of the delay.
• On the other hand, a process operating a 24/7 support line might see significant client dissatisfaction if unable to function for only a few hours. Recovery of that process is likely to be a higher priority.
10
So, what is the purpose of a Business Impact Analysis?
A comprehensive Business Continuity Program has many processes, including BIA, Threat Analysis, Business Unit recovery planning, IT recovery planning plan exercises crisis notification and crisis responserecovery planning, plan exercises, crisis notification and crisis response, vendor management, etc.
Understanding what a BIA is not (and what is usually part of a separate BCP process) can be as important as understanding what a BIA is.
What I see most often is confusion about the purpose of a BIA (identification/ranking /prioritization of Business Processes and their dependencies) and Recovery Planning which (based on the priorities we learn from the BIA) is all about how we protect the Critical Processes.
11
BIA is not Threat AnalysisEvaluating specific natural or man made threats in terms of their potentialEvaluating specific natural or man‐made threats in terms of their potential
breadth, duration, and probability to prioritize mitigation efforts.
BIA determines the criticality of a business process being unable to function for any reason regardless of the cause.
12
BIA is not Operational Risk Analysis
• Identifies day‐to‐day operational risks, as opposed to impact caused by a disaster.
D fi l i i h i h i k• Defines controls to mitigate those inherent risks.
• Monitors residual risk that remains after the controls have been put into place.
• Prompts for initiatives to further reduce the impact or likelihood of the day‐to‐day risks of doing business.
Regarding Inherent Risk vs. Residual Risk….
•However, I do believe that a Business Continuity Program, and the BIA within it, should be a part of Enterprise Risk Management.
• The focus of the BIA is to determine the criticality of a process being y p gcompletely unable to function for any reason.
• That information can be very valuable to overall Enterprise Risk ManagementManagement.
13
For instance:
Inherent (original) Risk: Financial and reputational loss could occur as a result of a Vendor X being unable to provide goods and/or servicesgoods and/or services.
Control 1: We have evaluated Vendor X’s contingency plans d f d h bl
Control 2:
and find them acceptable.
We have established alternative sources for the goods and services.
Residual (remaining) Risk: Vendor X could still experience some service disruptions and goods/services may take longer to receive from alternative sourcesmay take longer to receive from alternative sources.
14
BIA is not Facility Analysis
Business unit managers aren’t the best people to ask about the potential cost of facility impact or loss.
They can certainly speak about how facility impact would affect their business processes, but not about what damage to or loss of a f ilit ld t th i ti
For that, one would need to speak with the people who can estimate th t d th t ld b bl i l l t t l
facility would cost the organization.
those costs, and that would probably involve real estate people, engineers, technology resources, records managers, and many other people both inside and outside the institution who have expertise in their own specific areastheir own specific areas.
15
Business Impact Analysis
The BIA measures the potential quantifiable and qualifiable impact that could occur if any business process was unable to operate for a period of time for any reason.
That measurement becomes the basis on which we prioritize our effortsThat measurement becomes the basis on which we prioritize our efforts in building an efficient Business Continuity Plan (BCP).
Once we have identified our critical Business Processes, we will also want to identify their critical internal and external dependencies.
Dependency identification, and a review of the support capabilities of those dependencies, can be one of the most valuable benefits of a BIA.
16
Include Stakeholders in the Planning Process
• Regulators
• Compliance
• Risk Management
• Audit, both internal and external
• Senior operational area managers
• Executive Management
If they are not happy with the results, you won’t be happy either.
17
Define the High‐Level Goals
Goal #1: Identify the impact that any individual Business Process could have on the institution if it was unable to function for any reason.
Goal #2: For any Business Process determined to be critical (at least) identify the critical dependencies.
Goal #3: Have a final deliverable that will satisfy Goal #1 in clear andGoal #3: Have a final deliverable that will satisfy Goal #1 in clear and understandable language.
Goal #4: Make the process as easy as possible for the p y pDepartments/people you need to involve.
When designing your BIA process, never forget the very important Goal #4. What can you do to make the process easier for others?y p
18
Determine What You Need to Learn
Where could critical Quantifiable (like financial) Impact occur and what is the potential amount of the impact?
Where could critical Qualifiable (like reputational/brand) Impact occur and how quickly could it occur?
“Where” can mean two very different and equally important things. Do we mean within which department,
or do we mean within which geographic region?
When would critical impact occur and what is the effect of the impact over a timeline?
19
Define “Critical Impact”
The definition of critical impact needs to be based upon something measured, proven, and dynamic enough to change as your organization changes.your organization changes.
You won’t know the appropriate definition of critical impact until you have implemented a BIA process that can compare the criticalityyou have implemented a BIA process that can compare the criticality across the organization and keep up with changes.
What is considered non‐critical today could become critical tomorrow.
Note that the “A” in “BIA” stands for “Analysis,” not “Assumption.” It is importantthat we remove as much subjectivity as possible.j y p
20
One Potential Definition of “Critical” Impact
“Critical Impact is any hard dollar or reputational loss that could endanger the survival of the company.
“To determine what is critical, the impact represented by every area of the company must be compared to the company as a whole.
“We won’t have documentation showing what is truly critical until we have performed a BIA.
“The BIA provides the measurements to determine what is critical at any given time.”at any given time.
21
Bottom‐up or Top‐down? The Right Approach to Y BIA
Intuitively, we know that we must include an evaluation of individual B i P i h BIA
Your BIA
Business Processes in the BIA.
But will the BIA actually be done at the Business Process Level or at the But will the BIA actually be done at the Business Process Level or at the Departmental level?
A Department can have many Business Processes and those Business A Department can have many Business Processes, and those Business Processes can span across Departments.
Corporate management tends to think in terms of “Departments” because that is how the management structure is aligned.
22
You could do your analysis by Department, including all of the Business Processes within each Department, and
then identify the Dependencies of each Business Processthen identify the Dependencies of each Business Process. 23
It’s a Process, Not a Project
If you plan your BIA as a project that is going to happen every so many months or years, two things will happen:
First, you will be “dinged” by everyone who reviews/audits your BIA because they will say your data is out of date.
Second, you’ll need to admit they’re right! The BIA needs to be a continuous process that will keep your data up to date and notcontinuous process that will keep your data up‐to‐date and not overwhelm you.
24
It’s a Process, Not a Project
The “BIA project” is to create an ongoing “BIA process.”
Make sure that you will have a continuous flow of current data regarding the status of your Departments and Business Functions.
Establish a cycle in which the Departments will review and update their data on an annual or (preferably) more frequent basis.
Stress to your departments that the first time around is the hardest. After that, it’s just about a periodic review to note what may have changed j p y gin their business environment.
25
Define Impact Categories That Are Appropriate for the Particular OrganizationParticular Organization
Impact can occur within different Departments or Business Processes inImpact can occur within different Departments or Business Processes in different ways.
iff f i h diff bl b d f Different types of impact can have different measurables to be used for determining the extent of potential impact.
Defining Impact Categories can make it easier for a Department to respond because they have a “prompt” to consider various potential types of impact.yp p
26
Quantifiable Impact Categories for afinancial institution might include:financial institution might include:
Inability to collect or receive payments
Inability to process and record paymentsy p p y
Inability to invest funds
Inability to set up new customers
Inability to make price, structure, or rate changes
Regulatory/contractual impact
Inability to meet federal processing deadlines
Penalties for delayed tax filings
Penalties for failure to meet regulatory deadlines
Liability for failure to meet agreements with customerscustomers
27
Quantifiable Impact Categories for aretail company might include:
I bili d l Inability to record sales
Inability to accept returns
Inability to process credit cards checks gift cards certificates Inability to process credit cards, checks, gift cards, certificates
Inability to replenish merchandise
Inability to move merchandise between locations Inability to move merchandise between locations
Inability to respond to customer communications
Inability to advertisey
28
Quantifiable Impact Categories for af t i i ht i l dmanufacturing company might include:
Inability to receive materials
Inability to assemble materials
Inability to advertise products
Inability to process orders
Inability to ship products
Inability to collect payment
None of these examples are by any means comprehensive orNone of these examples are by any means comprehensive or “boilerplate.” Every company needs to define the measurables
and categories that are relevant to them.
29
Define Your DeliverablesReport #1:Report #1:Compared to other Business Processes in the company, each Business Process’ criticality is this.
Report #2: Based on when a Business Process could cause Quantifiable (e.g., financial) Impact, its Recovery Time Objective (RTO) would be this.
Report #3:Based on when a Business Process could cause Qualifiable (e.g., reputational/brand) Impact its RTO would be thisreputational/brand) Impact, its RTO would be this.
Report #4:Identification of critical dependencies of the critical Business Processes.
You can’t perform your analysis until you have collected your data. So, isn’t it reasonable to assume that the final
analysis is the last thing you will need to plan?analysis is the last thing you will need to plan?30
DATA COLECTIONCART
CHICKEN
REPORT DESIGN
HORSE
Whi h fi t ?Which comes first…….?EGG
31
Actually, the Analysis Phase and the designing of the final reports are the FIRST things you need to consider.
You won’t know what data to collect until youdata to collect until you know what must be included in the finalincluded in the final reports.
32
Decide what the final deliverable willinclude and what it will look likeinclude and what it will look like.
33
Let’s take a look at the data elements in this l d t il t f B i F tisample detail report for a Business Function.
34
We’re showing the department’s daily volume in dollars so we know that we will need to collectdollars, so we know that we will need to collect
that information.
35
We’re showing the department’s daily volume in number of transactions so we will need tonumber of transactions, so we will need to
collect that information.
36
We’re showing the department’s ability to process a t f b kl d b th i lpercentage of backlog, over and above their normal
daily volume.
37
And, of course, we’re asking for the potential dollar impact if this unit cannot function for any reasonimpact if this unit cannot function for any reason.
38
That’s all of the data elements.4^Everything else in this report is a
calculation or notation.
HoweverHowever…. 39
If we wanted a report that would also show potential Qualifiable Impact (like Reputationalpotential Qualifiable Impact (like Reputational Impact), then we would need to ask about that
type of impact as well.type of impact as well.
Note that we are looking for when Qualifiable ImpactNote that we are looking for when Qualifiable Impact could occur, rather than trying to measure the amount
of Qualifiable/Reputational impact.40
Tools and Examples
How much would it cost to buy or develop a system that would
produce the detail reports you have just seen?you have just seen?
Nothing. There is a Microsoft ® Access®
database on the CD you will be receiving thatwill be receiving that will produce those
reports.41
reports.
No matter how much analysis we do,it is impossible tomeasureit is impossible to measure
Qualifiable Reputational impact.
Here’s why….42
Let’s say that:
A critical business process was unable to function for a period of time.
A major client has said that they did not experience any Quantifiable Impact as a result, but they have lost confidence in
bili h ( lifi bl / i l )your ability to serve them. (Qualifiable/Reputational Impact.)
The client is moving their business to one of your competitors.
You might be tempted to measure the Reputational g p pImpact as the dollar value of the business that this client had done with you over a period of time.
43
There are too many unknown variables: To whom might this client express dissatisfaction with your service, causing you to lose relationships with an unknown number of other clients?
How many of those other clients might cause you to lose additional clients?
What if the client’s real reason for leaving was better pricing from a competitor, meaning that Reputational Impact wasn’t even the true cause of the loss of theImpact wasn t even the true cause of the loss of the relationship?
We already know that Reputational/Brand Impact can y p pdamage or even destroy a company. So, the question becomes, “what could cause severe Reputational/Brand Impact and how quickly?”
44
So, we’ve based our analysis on:
Daily Volume in Dollars
Daily Volume in Number of Transactions Daily Volume in Number of Transactions
Backlog Processing Capability
l i l ifi bl Total Potential Quantifiable Impact
Potential Qualifiable / Reputational Impact
Hey….that’s 5 data elements…!yI promised we could do this with only 4.
45
We’re showing the department’s daily volume in number of transactions so we will need toin number of transactions, so we will need to
collect that information.Or, do we…?
The number of transactions is interesting to have, but is probably not particularlyprobably not particularly useful to the analysis.
46
These are detailed reports that will be valuable to you and Business Unitvaluable to you and Business Unit Management, but not what Executive Management will usually want to see.
Executive Management will want a few “ ” h“summary” charts or reports.
You just have to be ready to provide more You just have to be ready to provide more detail if they ask for it.
Once you have the BIA data, summary reports are very easy to do. For example….
47
48
49
50
Impact & RTO: About How Much or When?
And the answer is...it depends on what you want to know.
If you want to know which Departments are the most critical, a report such as this one should provide the answer. However…
51
If you want to establish recovery goals/priorities, then this report (over a timeline) would be a better representation of the potential impact.
Which departments need to recover first to avoid impact?
52
Identifying Dependencies
System/technology dependencies
Vendor dependencies
Supporting internal department dependencies
Other dependencies Other dependencies
Dependency identification can be one of the most valuable benefitsDependency identification can be one of the most valuable benefits of doing a Business Impact Analysis.
53
Functions/Processes vs. Tasks
Tasks are not Processes/Functions
Process/Function: A series of actions that provide a business service or product.
Task: Within every Business Process/Function there can be many Tasks or steps that have to be performed in order to provide a business service or productservice or product.
Don’t get caught up in burrowing in too low into the Tasks.For instanceFor instance….
54
Example: A MailroomProcesses/Functions vs TasksProcesses/Functions vs. Tasks
TASKS: Reroute and deliver interoffice mail Receive incoming mail from post office Sort the postal mail Distribute the postal mail Receive outgoing postal mail from departments Apply postage Deliver the mail to post office Etc.
THE PROCESS/FUNCTION COULD BE SUMMARIZED AS:Process interoffice mail Process interoffice mail
Process external mail
55
Downstream Dependencies
Department A Department B
Clearly isn’t critical overall.
BUT they produce one little
In turn, provides things that are needed by other departmentsthing that is crucial for
critical Department B .
D ’t th t k t l t
departments.
That’s downstream impact.
A b k h lDoesn’t that make at least one of their Business Processes critical?
A break anywhere along the chain can have critical impact.
56
The Data Collection Phase
You have options regarding the way you collect your BIA data:
Distribute a survey
Meet with individual Department managers
Gather groups of managers into a room for a workshop Gather groups of managers into a room for a workshop
Any combination of the above
A d bi i i b bl h b hAnd, a combination is probably the best approach:
You need the standard data points provided by a survey to be able to compare BIAs across the enterprise.
However, in‐person meetings can increase involvement and allow people to ask questions before and during the BIA.
57
Asking the Right People
Who should you ask to get the BIA information you need from individual Departments?
The best approach is probably to start as high on the organizational chart as possible, and then drill down.
If high‐level management decides it is appropriate to delegate, that’s OK, and it also means you should have their support in getting responses.
But even if the work is delegated, your contact should be at the g ymanagerial level. Someone needs to “sign off” on the data that is being provided.
58
Asking the Right Questionsin the Right Wayin the Right Way
Put a box around your questions so they cannot possibly be misinterpreted and options for answers are limited.
For example, don’t ask “what is your daily volume?”
misinterpreted and options for answers are limited.
Volume on what day?
Are we asking for an average?
If so, over what time period?
How else might a manager interpret this question?
Instead ask, “what was the volume in dollars on the busiest day of last year” (or other period) if that is what we really want to know.
59
Asking the Right Questionsin the Right Wayin the Right Way
State up‐front that you are looking for the “worst case scenario.”
fi ll d if hi k k Define all terms and acronyms, even if you think everyone knows the definitions.
Be careful how you structure the questions. Some companies choose to offer ranges of numbers, rather than asking for specific numbers. However….
60
Be careful because this….
…could become this.
61
These look about the same, but what have you just done to your analysis capabilities? What number would you use when youanalysis capabilities? What number would you use when you wanted to add up all of the impact for Category #1 across all of the departments in the company?
62
You’re going to want some automation of theBIA Process to:
Collect the data
Analyze the data
Produce reports
Make the process easier for you
And, just as important:
Make the process easier for the business units.
But, that doesn’t have to be complicatedor even cost you anything.
63
A spreadsheet can collect data for each unit, and perform calculations on the data within that unit.perform calculations on the data within that unit.
But you still need to compile your data across your institution.64
Notice that this spreadsheet also has a “data” tab for another spreadsheet within the workbook.
65
Because the second spreadsheet in the file compiles the data into a format that could be used to import it into another spreadsheet or a database for analysis, along with the data from other business units.
66
If you are in love with dropdowns(or that’s all your system supports….)
Consider allowing them to select one number (rather than a range of numbers) and asking the question as,
“Based on last year’s volume, what is the maximum amount of potential impact in this time range?”
That gives you a specific number you can use in your analysis.67
IN SUMMARY
If you have a smaller organization, a simple spreadsheet and manual analysis and reportingspreadsheet and manual analysis and reporting may be all you need. (Why make things more complex?)
But, a larger organization will probably need to collect data in a way that will provide for automated analysis.
Samples of the spreadsheet tools are included on your CD.
68
In‐house or Outsource; Buy or Build?
Do you have the resources you need or will you need to bring in some assistance?
D h h i h i d l “ l”
bli h d l d bj i d
Do you have the in‐house expertise to develop a “tool” to manage, analyze, and report on the data?
Have you established your Goals and Objectives For a BIA and defined the deliverables?” If not, stop here before considering a service or a product.
If you don’t know what you want to accomplish with a BIA, you won’t know if what is being offered will satisfy your needs.
69
How well will the product fit into your environment both in terms of technologyenvironment both in terms of technology
and your company’s culture?
Can you collect data using this tool, or will you need an additional tool for data collection?
Can you group data by the impact categories that are meaningful to you, or will you be forced to use the product pre‐conceived hierarchy?hierarchy?
Can you measure impact over a timeline that is meaningful to you (maybe minutes) or are you forced to use another timeline (maybe(maybe minutes) or are you forced to use another timeline (maybe hours or days)?
70
Can you analyze data to your satisfaction using tools within the product or will you need an additional tool?
Can you generate the reports you want from within the tool, or
product, or will you need an additional tool?
will you need an additional tool for reports?
h h d h f i hi h Can you generate the charts and graphs you want from within the tool, or will you need an additional tool?
If you need an additional tool for any of these things, can the product being offered export and import data into the additional tools?tools?
71
Speaking of data export/import, can the product use data you already have?product use data you already have?
Can the product import and use departmental data you may already have, including department manager information?
Can the product import and use Business Process data you may already have?
If not, you may end up manually entering data into this system that you already have in other systems.
72
What are the hard dollar costs?
Software purchase price and/or licensing.
Additional vendor charges for installation.
Additional vendor charges for customization.
Support costs.
g
Additional equipment required.
Additional staff required Additional staff required.
Training materials.
73
What are the hard dollar costs?
Will you need to purchase additional hardware?
Will you need to purchase development tools?
If so, will there be on‐going licensing and/or support costs for those
Do you have in‐house development expertise or will you need to contract hi l ith th t ti ?
, g g g / pptools?
or hire people with that expertise?
Do you have in‐house training resources or will you need to contract or hire l d i i ?people to do training?
In any case, all of the training and associated travel expense will fall on you.74
What are the soft dollar costs?
Your staff’s time in installing the product.
Your staff’s time for customization/integration of the product.
Your staff’s time for any required changes to your existing systems or
Y t ff’ ti f t i i b th t t ff d b i li f
Your staff’s time for any required changes to your existing systems or process flow.
Your staff’s time for training both support staff and business line users of the product.
For that matter, who will actually do the training? With a “train‐the‐trainer” strategy, your staff may be spending considerable time and travel expense.be spending considerable time and travel expense.
75
What are the soft dollar costs?
How much time will your staff need to spend on development?
How much time will your staff need to spend on training?
How much longer will it take to implement the tool than if you
Are you taking any additional regulatory risks by building a tool
How much longer will it take to implement the tool than if you had purchased a tool?
Are you taking any additional regulatory risks by building a tool rather than purchasing one that has already been tested over time?
What will be your long term commitment to support of the tool What will be your long‐term commitment to support of the tool you have developed?
76
Could you build a tool in a spreadsheet?
Spreadsheet advantageswould include:
Very little technical expertise is required. You probably won’t need professional programmers.
Development costs would be lower than with the use of more sophisticated methodologies.
Development time should be shorter.
If you need to make changes to the tool later on the changes If you need to make changes to the tool later on, the changes would be less complex and could be made more quickly.
77
Could you build a tool in a spreadsheet?
Spreadsheet disadvantageswould include:
Less sophisticated means of importing existing data.
Less sophisticated user interface.
Less sophisticated mean of exporting data into other tools.
Less sophisticated means of doing automatic data validation.
Less sophisticated reporting capabilities.
78
Could you build a tool in a database?
More sophisticated ability to import or even link to existing data
Database advantageswould include:
More sophisticated ability to import or even link to existing data in other systems.
More sophisticated data validation capabilities
More sophisticated analytical capabilities.
More sophisticated data validation capabilities.
More sophisticated reporting capabilities.
More sophisticated capabilities for the development of an intuitive user interface.
79
Could you build a tool in a database?
You may need professional developers. (Or, maybe not…. Some
Database disadvantageswould include:
You may need professional developers. (Or, maybe not…. Some desktop database applications are very intuitive.)
Development time could be considerably longer than using a
Development costs could be considerably longer than using a
spreadsheet.
spreadsheet, at least in terms of staff time.
If you need to make changes to the tool later on, it could take considerably longer than making changes to a spreadsheetconsiderably longer than making changes to a spreadsheet.
80
There’s always the other side of the coin….
WhatWhat What are your soft dollar
What are your hard dollar
costs to build a tool or
costs to build a tool or
purchase a tool?
purchase a tool?
Does “build” vs. “buy” really make sense? It might or might not based on all of the previous considerations.p
81
Kicking off the BIA
If your company has a regular line of communication from executive management in the form of a newsletter, internal web site announcements, a periodic statement from the CEO, or other, thatannouncements, a periodic statement from the CEO, or other, that could be a good place to announce the kickoff of a BIA initiative
If your company has a process for distributing policy changes, that publication may be a means of formalizing the requirements for accomplishing the BIA.
Again, in all of these communications, stress that the first time around is the most difficult.
After that, it’s just a periodic review to identify anything that may have changed.
82
Executive management usually likes summaries. One of the ways that they may want to see thoseOne of the ways that they may want to see those
summaries is in charts or graphs.
But, like your reports, those charts and graphs needBut, like your reports, those charts and graphs need to clearly communicate the pertinent information.
83
So, what are we trying to communicate?
It might be as few as two data points:
1. Amount of potential impact.p p
2. When that potential impact will hit.
84
Here is data that we have seen before. The report is clear enough.
85
If the same data was displayed like this would it be meaningful?
86
This is clearer, but only addresses “how much” and not “when.”
87
This is one clear way to show both “how much” and “when.”
88
This shows impact in four segments, but you’d need to add up the numbers for total impact.
89
Let’s make it really clear.
90
Data Validation No BIA “system” should ever be allowed to make managerial No BIA system should ever be allowed to make managerial decisions. There will always be some residual subjectivity.
The purpose of a BIA system is to give management the information
Review the data that has been provided by business units with
p p y g gneeded to make the decisions.
p ybusiness unit managers to ensure that you understand the true meaning of the information.
Review the results with more senior management to ensure that they are in agreement with the conclusions.
Only then would you want to actually make changes to your recovery strategies and priorities.
91
Have we met the high‐level goals ?
Goal #1: Identify the impact that any individual Business Process could have on the institution if it was unable to function for any reason.
Goal #2: For any Business Process determined to be critical (at least) identify the critical dependencies.
Goal #3: Have a final deliverable that will satisfy Goal #1 in clear and understandable language.
Goal #4: Make the process as easy as possible for theGoal #4: Make the process as easy as possible for the Departments/people you need to involve.
92
Have we produced the deliverables ?
Report #1:Compared to other Business Processes in the company, each Business Process’ criticality is thisProcess criticality is this.
Report #2: Based on when a Business Process could cause Quantifiable (e.g., Q f ( g ,financial) Impact, its Recovery Time Objective (RTO) would be this.
Report #3:Based on when a Business Process could cause Qualifiable (e.g., reputational/brand) Impact, its RTO would be this.
Report #4:Identification of critical dependencies of the critical Business Processes.
93
Impact Analysis for a Department
49‐72 hrs.
94
Departments and their Processes by Criticality
95
Impact by Impact Category
96
97
Dependency Identification
98
You will want to have a lot of differentviews of the dataviews of the data.
If you decide what you want for your final product FIRST ill h ll f h d id ALLFIRST, you will have all of the data to provide ALL
of these views.
And moreAnd more….
99
With the proper planning and process implementation we have what we need toimplementation, we have what we need to
accomplish our goals and objectives.Your thoughts and/or Questions?Your thoughts and/or Questions?
BarryCardoza@BarryCardoza comSession W4 [email protected]
