Page 1: GETTING THE BS OUT OF THE BIA

© 2017 MHA CONSULTING. ALL RIGHTS RESERVED.

How to make BIAs as efficient and painless as possible. Sponsored by MHA Consulting.

May 2017

Page 2: MHA CONSULTING, INC.

• An 18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
• A simple mission: Ensure the continuous operations of our clients’ critical processes.
• Services include Business Continuity, Crisis Management, Disaster Recovery, IT Best Practices and Physical Security.
• SaaS tools include BCM Compliance and Residual Risk.

KEY FACTS
• SaaS: Compliance and risk tools.
• Capable: Comprehensive suite of services.
• 15: Average years industry experience.
• 18: Years in operation.
• Global: Diverse, global client base.

SENIOR LEADER: Richard Long, Practice Leader, Phoenix, Arizona. www.mha-it.com

Page 3: DIVERSE, GLOBAL CLIENT BASE

Healthcare, Education, Financial Institutions, Consumer Products, Insurance, Travel & Entertainment, Government/Utility, Services.

Page 4: COMPREHENSIVE SOLUTIONS – PRACTICES

ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Business Impact Analysis
• Threat & Risk Assessment
• BCMMETRICS™ Compliance Confidence (C2)
• BCMMETRICS™ Residual Risk (R2)
• BCMMETRICS™ BIA On-Demand (BIAOD)

RECOVERY STRATEGIES/SOLUTIONS
• Business Recovery Strategies
• Data Center Recovery Strategies

RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery

EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises

MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment

Page 5: THE CLASS

Performing an EFFECTIVE BUSINESS IMPACT ANALYSIS
• Planning for the BIA
• Who should participate
• How to perform the BIA

How to LEVERAGE & USE BIA INFORMATION
• Dependencies between processes and departments
• Technology requirements
• RTO vs. RTA
• Critical vendors

Page 6: THE BIG PICTURE

Risk ↔ Resilience

Page 7: DEFINITIONS

RECOVERY TIME – OBJECTIVE VS. ACTUAL (time to recover the environment)
• Recovery Time Objective (RTO): desired state – business requirements.
• Recovery Time Actual (RTA): current capability provided by IT.

RECOVERY POINT – OBJECTIVE VS. ACTUAL (acceptable data loss)
• Recovery Point Objective (RPO): desired state – business requirements.
• Recovery Point Actual (RPA): current capability provided by IT.

Page 8: WHAT IS A BUSINESS IMPACT ANALYSIS?

• Process-based assessment, not an application- or technology-based assessment.
• Determine what a process needs to be functional following an outage event.
• This is a measurement of time sensitivity, not of importance to the organization.
• Determine dependencies, both internal and external.
• Determine the technology used to support the process.
• Determine manual processes which could be used when technology is not available.
• Determine the state of hardcopy-based documentation or records.

Page 9: DIFFERENT BIA STRATEGIES

• Formal interview: typically 1 – 2 hours per department
• Informal interview: typically < 1 hour
• Questionnaire
• Hybrid of questionnaire and informal interview

Page 10: BIA PREPARATIONS – DETERMINE TYPE OF BIA

• Something is better than nothing.
• What is the organization’s tolerance of time and effort?
• When was the last BIA?

Page 11: BIA PREPARATIONS – DETERMINE RTO & RPO

• Do not make too many.
• Focus RTO/RPO on recovery strategies.
• Can always determine more refined strategies as needed.

RTO Business Impact Analysis – Criteria
• RTO 0 (# hours or less): Business activity and/or computer system is mission critical to the operations of the organization. Catastrophic impact to revenue production, customer service, and/or brand image.
• RTO 1 (# hours or less): Business activity and/or computer system is critical to the organization. Significant impact to revenue production, customer service, and/or brand image.
• RTO 2 (# hours or less): Business activity and/or computer system is urgent to the organization. Significant impact to revenue production, customer service, and/or brand image.
• RTO 3 (# hours or less): Business activity and/or computer system is important to the organization. Less significant impact to revenue production, customer service, and/or brand image.
• RTO 4 (# days or less): Business activity and/or computer system is deferrable and can be recovered as needed with little to no impact to the organization.
• RTO 5 (greater than # days): Business activity and/or computer system is low priority and can be recovered as needed with little to no impact to the organization.

RPO Business Impact Analysis – Criteria
• RPO 0 (no data loss): Business activity is mission critical and has no tolerance for data loss in the core systems and applications it relies on to perform the activity.
• RPO 1 (# hours or less): Business activity is mission critical and has minimal tolerance for data loss in the core systems and applications it relies on to perform the activity.
• RPO 2 (# hours or less): Business activity can tolerate up to a 12 hour loss of data in the core systems and applications it relies on to perform the activity.
• RPO 3 (# hours or less): Business activity can tolerate up to a 24 hour loss of data in the core systems and applications it relies on to perform the activity.
• RPO 4 (greater than # hours): Business activity can tolerate more than 24 hours of loss of data in the core systems and applications it relies on to perform the activity.

Page 12: BIA PREPARATIONS – DETERMINE SCORING CATEGORIES AND RANGES

• What are the dollar and non-dollar impacts to your organization?
• What is the relative importance of each category?
• What is the relative range for the scores?
  - Dollar ranges
  - Non-dollar ranges

QUANTITATIVE BIA IMPACT CATEGORIES (Category: Description)
• Loss of Current Revenue: Loss of the business process will result in a loss of revenue.
• Increased Operating Costs: Loss of the business process will increase the organization’s day-to-day operating costs (e.g., overtime, temporary staff).
• Non-Performance Penalties: Loss of the business process will result in non-performance fines and/or penalties (e.g., FDA, other).
• Delay in Billings and Payments: Loss of the business process will delay the administration of billing and/or payments.

QUALITATIVE BIA IMPACT CATEGORIES (Qualitative (Non-$): Description)
• Degraded Customer Service: Loss of the business process will impact service to customers, employees, vendors, etc.
• Legal/Regulatory Requirements: Loss of the business process will impact the business unit’s ability to meet legal and/or regulatory requirements (e.g., FDA, other).
• Degraded Corporate Image: Loss of the business process will impact the corporate image and the trust in the organization.
• Employee and Customer Safety & Security: Disruption of the business process (activity) will impact the safety and security of employees and customers.

Page 13: BIA PREPARATIONS – DETERMINE DEPARTMENTS AND PARTICIPANTS

• Identify critical departments for the BIA.
  - Consider a formal BIA for critical departments, and an informal one for others.
• Work with departments to identify the participants.
  - Groups should include both management and individual contributors.
  - Participants must be able to understand how processes fit in the organization.
  - If management tends to restrict open communication, consider having a separate discussion with them.

Page 14: BIA PREPARATIONS – DEVELOP QUESTIONNAIRE FOR PRE-INTERVIEW DATA GATHERING

• Create a questionnaire to gather as much info as possible prior to the interviews.
• Review and identify potential inconsistencies in the information.

EXAMPLE OF COMPLETED PRE-WORKSHEET

Department Name: Financial Services
Department Description: Financial Services core responsibilities include, but are not limited to, payroll processing, purchasing, accounting administration and purchasing.
Department Manager: John Doe; Email Address: [email protected]; Contact Number: (123) 123-4567
BIA Interviewee: Miranda Priestly; Email Address: [email protected]; Contact Number: (123) 123-4567
BIA Interviewee: Don Draper; Email Address: [email protected]; Contact Number: (123) 123-4567

Critical Business Processes
Columns: Critical Process | Supporting Systems & Applications (1) (e.g., RiskMaster, FTP Server) | Supporting Equipment (2) (e.g., laser printers, shredders) | Regulatory Requirements (e.g., FDIC, OSHA, SLAs) | Manual Workaround? (Yes/No)
• Payroll | PeopleSoft, Internet | Laser Printer, Fax Machine | IRS Filings, State Payroll Requirements | Y
• Purchasing | FMS, Concur, Sharepoint | Fax Machine, Printer | Purchase Orders, Sales Tax | N
• Accounting | FMS, Concur, Sharepoint | See 2 | IRS Records, Vendor Contracts, Purchase Orders | N
• Risk Management | RiskMaster, Concur | Laser Printer, See 2 | Industrial Commission, Customer SLAs | Y

(1) Systems/Applications required for all key processes: Outlook, MS Office Suite, Network Drives.
(2) Equipment required for all key processes: Telephones, Laptop, Wireless Data Cards.

Page 15: PERFORMING THE INTERVIEW – HOW TO MAKE THE INTERVIEW PROCESS EFFICIENT

• Set expectations at the beginning.
  - The first process will take longer.
  - You are not trying to develop solutions or workarounds.
• Small snacks often help.
• Have the pre-work information updated and available in whatever tool is used to gather data. Review the data before the session.
• Explain the categories, what they mean, and how they fit in the process.
• Use an individual skilled at facilitation who can keep the discussion appropriate and directed. Include someone to keep notes.
• Include IT representative(s) as participants.

Page 16: PERFORMING THE INTERVIEW – INTEGRATION/DEPENDENCIES

• Don’t gloss over or ignore dependencies.
  - Internal dependencies can reveal inconsistencies in RTO values.
  - External dependencies can be critical to functional capability.
• There are often more dependencies than initially identified.
• Capture the data synchronization state between dependent systems.
• There are more hardcopy records than you know.

Page 17: PERFORMING THE INTERVIEW – DON’T FOCUS ON TECHNOLOGY

• BIAs are not about technology, but processes.
• Identify the technology and its criticality/importance to the processes.
• Process RTO will map to technology.
• RPO is the technology metric – how much data loss is acceptable for each application.

Page 18: NOW WHAT? HOW TO USE THE DATA? – TECHNOLOGY STRATEGIES

• Review and identify gaps in the technology strategies for recovery.
  - Business relocation
  - Data center/application based
  - RTO vs. RTA
  - RPO vs. RPA
• IT should not determine application RTO/RPO.
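The two checks above (internal dependencies exposing RTO inconsistencies, and process RTO/RPO mapped onto technology and compared with the RTA/RPA IT can deliver) are the part of the BIA review that is easy to automate once the interview data is in a table. The script below is an added example, not code from the deck or from MHA Consulting: the process names, hours, dependencies and system capabilities are constructed sample data, and the rule that a supplier process must have an RTO no looser than the processes that depend on it is the reviewer's working assumption.

```python
"""Added example, not part of the MHA deck: consistency and gap checks over BIA data.

1. Internal dependencies: a process cannot recover faster than a process it depends on,
   so a supplier whose RTO is looser than its consumer's RTO is an inconsistency to
   resolve in review.
2. Technology strategies: each process's RTO/RPO is mapped onto the systems that support
   it; the tightest requirement per system is compared with the RTA/RPA IT currently
   delivers, and anything IT cannot meet is a recovery-strategy gap.
Process names, hours, dependencies and capabilities below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    rto_hours: int                      # business requirement: Recovery Time Objective
    rpo_hours: int                      # business requirement: Recovery Point Objective
    systems: list = field(default_factory=list)     # supporting systems/applications
    depends_on: list = field(default_factory=list)  # internal process dependencies


@dataclass
class System:
    name: str
    rta_hours: int                      # current capability: Recovery Time Actual
    rpa_hours: int                      # current capability: Recovery Point Actual


# Constructed sample inventory (hours and dependencies are illustrative only).
SAMPLE_PROCESSES = [
    Process("Payroll", 4, 4, ["PeopleSoft"], depends_on=["Accounting"]),
    Process("Purchasing", 24, 24, ["FMS", "Concur", "Sharepoint"]),
    Process("Accounting", 24, 24, ["FMS", "Concur", "Sharepoint"]),
    Process("Risk Management", 72, 24, ["RiskMaster", "Concur"]),
]
SAMPLE_SYSTEMS = [
    System("PeopleSoft", rta_hours=8, rpa_hours=24),
    System("FMS", rta_hours=24, rpa_hours=24),
    System("Concur", rta_hours=48, rpa_hours=24),
    System("Sharepoint", rta_hours=24, rpa_hours=24),
    # RiskMaster deliberately has no recorded recovery capability.
]


def dependency_inconsistencies(processes):
    """(consumer, supplier, consumer_rto, supplier_rto) wherever the supplier's RTO is looser."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        for dep in p.depends_on:
            supplier = by_name[dep]
            if supplier.rto_hours > p.rto_hours:
                findings.append((p.name, dep, p.rto_hours, supplier.rto_hours))
    return findings


def required_by_system(processes):
    """Tightest (RTO, RPO) each system must meet, taken over every process that uses it."""
    req = {}
    for p in processes:
        for s in p.systems:
            rto, rpo = req.get(s, (float("inf"), float("inf")))
            req[s] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    return req


def technology_gaps(processes, systems):
    """(system, reason) for every system whose current RTA/RPA misses the derived RTO/RPO."""
    capability = {s.name: s for s in systems}
    gaps = []
    for name, (rto, rpo) in required_by_system(processes).items():
        if name not in capability:
            gaps.append((name, "no recovery capability recorded"))
            continue
        s = capability[name]
        if s.rta_hours > rto:
            gaps.append((name, f"RTA {s.rta_hours}h exceeds required RTO {rto}h"))
        if s.rpa_hours > rpo:
            gaps.append((name, f"RPA {s.rpa_hours}h exceeds required RPO {rpo}h"))
    return gaps


if __name__ == "__main__":
    for finding in dependency_inconsistencies(SAMPLE_PROCESSES):
        print("RTO inconsistency: %s (%dh) depends on %s (%dh)" % finding)
    for system, reason in technology_gaps(SAMPLE_PROCESSES, SAMPLE_SYSTEMS):
        print(f"Technology gap: {system}: {reason}")
```

On the sample data the script reports that Payroll (4h) depends on Accounting (24h), that PeopleSoft misses both its derived RTO and RPO, that Concur's RTA is too slow for the 24-hour requirement inherited from Purchasing and Accounting, and that RiskMaster has no recovery capability on record. Those are exactly the items that go back to the business for RTO reconciliation and to IT for strategy work; the script does not decide the RTO, consistent with the slide's point that IT should not set application RTO/RPO.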

Page 19: NOW WHAT? HOW TO USE THE DATA? – BUSINESS CONTINUITY PLANS

• Review and identify gaps in the current BCPs.
  - Do they meet the requirements?
  - Are they based on outdated info or workarounds?
  - What dependencies are assumed or needed?
  - What technologies are required for the BCP that would not be available?

Table of Contents (sample BCP document shown on the slide)
Section I. Department Overview ... 3
  Department Description ... 3
  Business Process Prioritization ... 4
Appendix A: Loss of Building or Geographic Region ... 5
Appendix B: Loss of Technology, Telecommunications and Equipment ... 9
Appendix C: Loss of Resources/Pandemic ... 12
Appendix D: Loss of Critical Third Party Channel ... 15
Appendix E: Technology, Equipment and Personnel Requirements ... 18
  Technology and Equipment ... 18
  System and Application Recovery Point Objectives ... 20
  Personnel ... 21
  Relocation Site Considerations ... 21
Appendix F: Department Requirements and Reference ... 22
  Deviations to Regulatory, Legal, or Service Level Requirements ... 22
  Standard Operating Procedures ... 23
  Internal and External Dependencies ... 24
  Vital Records ... 26
  Reports ... 27
  Forms ... 28
  Offsite Storage ... 28
  Standalone PCs ... 29
  Negotiable Items ... 29
Appendix G: Plan Distribution and Maintenance ... 30
  Plan Exercise Tracking ... 30
  Change Control Tracking ... 31
Appendix H: Event Tracking & Reporting Forms ... 32
  Business Recovery Event Reporting ... 32
Appendix I: Critical Contact Listings ... 33
  Employee ... 33
  Internal Dependencies ... 33
  Vendors and Service Providers – Contact Listing ... 33

Page 20: NOW WHAT? HOW TO USE THE DATA? – CRITICAL VENDORS

• Identify critical vendors.
• Perform a vendor analysis.
• Can they support you during a crisis event?
• What is their business continuity strategy and capability?

Page 21: SO, WHAT ARE THE NEXT STEPS? – WHAT DO WE DO NOW? HOW DO WE START OR CONTINUE?

• When was your last BIA?
  - If over 1 year, you should consider an update.
• Review current RTO/RPO by process.
  - Are they correct or close based on current info?

Page 22: FINAL THOUGHTS

Page 23: SUMMARY

• Determine the type of BIA necessary.
• Preparation is key.

Page 24: UPCOMING WEBINARS

• 21 Days to a Stronger, Fitter BCM Program, Michael Herrera
  - Wednesday, July 12, 2017 at 11:00 A.M. PDT

Page 25: CONTACT

Richard Long, MHA Consulting, Inc.
[email protected]
Office: (888) 689-2290; Mobile: (602) 370-1864