Agenda. Perform a BIA. Introduction. What is a Business Impact Analysis? 3/27/2014. Stacy Gardner (MBCI) Managing Consultant Avalution Consulting

Transcription

1 Perform a BIA the ISO Way Stacy Gardner (MBCI) Managing Consultant Avalution Consulting Agenda Introduction What is a Business Impact Analysis (BIA)? How ISO Approaches BIAs Differently Components Needed to Align to ISO How Aligning to ISO Drives Enhanced Preparedness Question and Answer Introduction Stacy Gardner, Managing Consultant Avalution Consulting (8 years) Worked in business continuity industry for 10+ years BCI US Chapter Board Member (2013 Present) Conference and Association Planning Committee Marketing Committee What is a Business Impact Analysis? ISO defines a BIA as the process of analyzing activities and the effect that a business disruption might have upon them Section Business Impact Analysis: The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives, and targets. This process shall include assessing the impacts of disrupting activities that support the organization s products and services. The business impact analysis shall include the following: Identifying activities that support the provision of products and services; Assessing the impacts over time of not performing these activities; Setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners, and other relevant interested parties. 1

2 ISO PDCA Model What is a Business Impact Analysis? Similar concept to other standards, but ISO requires specific (arguable unique) management involvement prior to and following the BIA ISO emphasizes: Understanding Critical Products and Services Involving Management in Scoping (Based on Products and Services) Justifying Exclusions in the Scope Defining Time, Capability and Quality Requirements Receiving Management Approval of Requested Recovery Objectives Even if you have a mature BIA, you can still execute ISO activities to confirm and appropriately structure your BIA Understanding Critical Products and Services Top down perspective on priorities Focus less on the org chart and more on what drives your business What are your value adding outcomes? How/why do customers depend on your work? What organizational factors influence need to meet expectations? Regulatory oversight? Environment? Impacts on customers for failure to deliver? Approach helps relate business continuity concept to how leadership views organization and gives FOCUS Involving Management in Scoping Leadership s forest perspective can help ensure business continuity program goals reflect organizational goals (by defining critical product and service specific downtime tolerances) Scope should support achievement of these goals by: Aligning departments, activities and resources to critical products and services Defining common criteria to determine criticality/prioritization Process allows for high level identification of obligations Scope of the program should equal scope of BIA 2

3 Justifying Exclusions in Scope ISO requires management to actively define scope exclusions and provide justifications Ensures scope limits are thoughtfully considered, documented, periodically assessed, and re confirmed (or modified) Exclusions must not affect or prevent the organization s ability to meet its committed objectives Defining Time, Capability, Quality Requirements TIME: How quickly must SOME capacity exist CAPABILITY: What capabilities must be recovered and to what level (how much) QUALITY: Will normal quality levels be met or are adjustments necessary ISO emphasizes only recovering what needs recovering to: Focus priorities Minimize requirements Define acceptable changes to normal state practices Receiving Management Approval of Recovery Objectives ISO approach enables connecting businessrequested recovery objectives to management defined products and services Management can then evaluate any discrepancies between their expectations and the business requests Linking requests to products and services provides support and justification for any necessary investment Key Point: Products and Services is How Management Thinks Presenting Requirements In This Manner will Increase Support Components That Enable Alignment to ISO Upfront management involvement Defined critical products and services with maximum downtimes Link between departments/activities and resources and the products/services they support Management review of BIA derived business continuity requirements FYI: The ISO guidance document will provide detailed content to support aligned and effective BIA outcomes 3

4 How Aligning to ISO Drives Enhanced Preparedness Gets management perspective and buy in from the beginning Gives boundaries and guidance for the business to support or push back on Enables validation of recovery times, but also capability to deliver and quality of the outcome Enables metrics and reporting on capability to deliver products and services, which is how management sees the organization Product / Service Service #1 Product #1 Product #2 Measuring True Capability with Metrics Maximum Downtime 4 Hours 96 hours 1 week Departments Directly Involved in Delivery Departments Indirectly Supporting Delivery Source of Validation Description of Strategy Validation Customer Service IT Date: Procurement Finance IT Date: Operations Shipping / Receiving Procurement Finance IT Date: Operations Shipping / Receiving Alignment to Capability Expectation? Define Critical Products and Services Research your website and marketing materials Assess your organization s vision/mission statement and other goal oriented declarations Connect with other groups (e.g. risk management) to assess if any past analysis assesses and categorizes customer deliverables Develop a products and services list and present it to executive leadership for feedback, then work with them to define maximum downtime tolerances for each Involve Management in Scoping (Based on Products and Services) Use Products and Services to develop scope statement Clarify management s commitment (or expectations) regarding downtime, capability and quality Identify the resources necessary to deliver in scope products and services Facilities, people, technology, equipment and suppliers Remember, the scope can change if BIA produces (and justifies) alternate requirements 4

5 Justify Exclusions in the Scope If management opts to exclude departments and resources from the program scope, work with them to justify and formally document the exclusion Capture exclusions within governance documents (policy or SOP) Review exclusions periodically to ensure continued accuracy Receive Management Approval of Requested Recovery Objectives Following performance of the BIA, analyze outcomes and identify if business recovery objectives are lower than or exceed products and services requirements Present business justifications to management and assess if adjustments need made to scope or BIA results Following approval, assess strategy effectiveness and identify gaps ISO 22301: Conclusion Requires management involvement at multiple stages to guide and confirm outcomes Supports the presentation of data in form to which management relates Helps validate true recoverability Can improve the effectiveness and value of existing BIAs Upcoming Resource: ISO 3317 Societal Security Business Continuity Management Systems Business Impact Analysis guidance document Question and Answer Thank you! Stacy Gardner