CBCP Business Continuity Management Expert Training Material Area3.ppt
1. Business Continuity Management Course for Advanced Professionals
  Introduction

2. Subject Area 3: Business Impact Analysis

3. Lesson Overview
  - What is a BIA?
  - Objectives of a BIA
  - Benefits of a BIA
  - Recovery Time Objective (RTO)
  - Disruption or Disaster?
  - Phases of a BIA
  - Results of a BIA

4. Professional Practices for Business Continuity Professionals
  - Project Initiation and Management
  - Risk Evaluation and Control
  - Business Impact Analysis
  - Developing Business Continuity Strategies
  - Emergency Response and Operations
  - Developing and Implementing Business Continuity Plans
  - Awareness and Training Programs
  - Maintaining and Exercising Business Continuity Plans
  - Crisis Communications
  - Coordination with External Agencies

5. Objectives
  - Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts.
  - Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.

6. The Professional's Role (1/2)
  - Identify Knowledgeable Functional Area Representatives for the BIA process
  - Identify Organization Functions including information and resource (people, technology, facilities, etc.)
  - Identify and Define Criticality Criteria
  - Obtain Management Approval for Criteria Defined
  - Coordinate Analysis

7. The Professional's Role (2/2)
  - Identify Interdependencies (internal and external to the organization)
  - Define Recovery Objectives and Timeframes
  - Define Report Format
  - Prepare and Present Final BIA to Management

8. The Planning Process
  - Objective: evaluate the critical operations for the organization and determine timeframes, priorities, resources, & interdependencies
  - Some key tasks:
    - Determine the scope of the analysis
    - Identify key business processes
    - Gather and verify information
    - Analyze and present the results
  - Some key deliverables:
    - A list of outages and probability of occurrence
    - The costs of loss versus the costs of prevention
    - Recovery priorities: RTO, RPO, & interdependencies
  [Diagram labels: Project Management, Risk Assessment & Analysis, Business Impact Analysis]

9. What is a BIA?
  A process designed to:
  - Identify critical business functions and workflow,
  - Determine the qualitative and quantitative impacts of a disruption, and
  - Prioritize and establish recovery time objectives

10. Senior Management Commitment
  - Establishes the BIA as a concern of the entire organization
  - Involves all business units and departments
  - Coordinates the process ensuring its effectiveness within the organization
  - Identifies and establishes a project sponsor

11. Business Impact Analysis
  - Identify, categorize & prioritize:
    - Critical functions
    - Critical/Vital records
    - Required resources, personnel & equipment

12. Business Impact Analysis
  - Assess impacts and effects of disruptions over time
  - Determine loss exposure over time

13. Business Impact Analysis
  - Identify business processes:
    - Interrelationships
    - Dependencies
  - Validate information

14. Purpose of a BIA
  - To provide the business rationale for a Business Continuity Plan
  - To provide a factual, understandable, and informative set of findings that management can use to provide direction for development of the Business Continuity Program
  - To communicate the inherent vulnerabilities of the business units, business processes and systems that comprise the organization

15. Purpose of a BIA
  - To identify which business processes and assets require the highest level of protection
  - To provide information that assists in the identification of strategies and alternatives
  - To provide financial data to help select appropriate levels of investment for protection
  - To establish the recovery objectives and time line

16. Objectives of a BIA
  - Identify:
    - Essential business functions and operations
    - Potential financial exposures and impacts
    - Qualitative or operational exposure and impacts
  - Determine when exposures and impacts begin
  - Determine resources needed:
    - Technology
    - Infrastructure
    - Personnel
    - Vendor Support

17. Objectives of a BIA
  - Assess impact(s) of disruption over time
  - Determine time criticality of the following, as related to total organization function:
    - Business functions
    - Business processes
    - Departments
    - Work areas
  - Identify interdependencies
  - Identify legal and regulatory requirements

18. Objectives of a BIA
  - Determine recovery timeframes and minimum resource requirements:
    - Critical functions based on level of criticality
    - Determine order of recovery
    - Determine minimum resource requirements
  - Establish the organizational value of each business unit as they relate to the functioning of the total organization

19. Recovery Time Objective
  - The period of time within which systems, applications, processes, or functions must be recovered after an outage
  - RTOs are often used:
    - As the basis for establishing priorities
    - As the basis for developing strategies
    - As a determinant as to whether or not the event is a disruption or a disaster

20. Recovery Time Objective (RTO)
  The time within which Business Functions or Application Systems must be Restored to Acceptable Levels of Operational Capability to Minimize the Impact of an Outage
  [Diagram labels: Time; Recovery Time Objective; Business Processes Functional; Point of Disruption; Recovery Of Operations (Business Or Data Processing); Business Functions Or Application Systems Operational With Current & Accurate Data]
  Is the time between the point of disruption and the point at which BUSINESS FUNCTIONS or APPLICATION SYSTEMS must be operational AND updated to current status.
  Graphic 2006 FAIRLAMB and Associates, Inc.

21. Recovery Point Objective
  - Potential lost transactions
  - Manual processes
  - Interim operational competencies
  - Last available data backup
  - Target recovery point in time
  - Tolerable data loss
  - Inventory and backlog issues

22. Disruption or Disaster?
  - Disruption:
    - Event RTO
    - Impacts are limited and controlled
    - Disruption $
  - Disaster:
    - Event RTO
    - Impacts are extensive and outside of control
    - Disaster $

23. Identify BIA Participants
  - Represent all business functions
  - Appropriate organizational level
  - Consistent organizational level
  - Credible representative

24. Determine Approach
  - Interview
  - Questionnaire
  - Workshop session
  - Combination

25. Define BIA Focus Areas
  - Business processes
  - Impact factors: qualitative & quantitative
  - Critical dependencies
  - Resource requirements
  - Legal/Regulatory issues
  - Alternate processes, workarounds, interim operations, & manual processes
  - Vital record & documentation

26. Question Design
  Good questions result in:
  - Listing all business functions, operations and processes
  - Showing quantitative and qualitative exposures over time by:
    - Process
    - Function
    - Department
    - Service
  - Identification of critical time frames and recovery priorities

27. Process Questions
  - Identify processes
  - Interrelationships between processes
  - Process dependencies

28. Impact Questions
  - Identify impact factors:
    - Operational
    - Financial
    - Regulatory reporting requirements
    - Outage timing
    - Quantitative
    - Qualitative

29. Impact of Disruptions on Organization
  - Financial
  - Customer
  - Public relations
  - Legal
  - Regulatory
  - Market share
  - Environmental
  - Operational
  - Personnel
  - Other resources
  - Contractual

30. Financial Exposures & Impacts
  - Lost revenue
  - Lost interest on "float"
  - Fines and penalties:
    - Contractual
    - Legal (Could we be sued?)
    - Regulatory (ISO, Federal, State, County, Local, Industry related)
  - Interest paid on loans
  - Lost opportunity costs
  - Lost trade discounts

31. Document Business Processes
  - Interrelationship between processes
  - Process dependencies:
    - Intra-department
    - Inter-department
    - Technology
    - Processes

32. Document Critical Dependencies
  - Support requirements:
    - Intra-departmental
    - Inter-departmental
    - Critical external
    - Time sensitivity

33. Categorize by Criticality
  - Define criticality parameters
  - Develop levels or categories of criticality
  - Identify critical functions
  - Identify vital records to support business continuity and restoration
  - Categorize qualitative findings by high/medium/low

34. Group by Category
  - List business functions by criticality and time sensitivity
  - Prioritize critical business functions
  - Consolidate and group recovery times with the organization
  [Diagram labels: Key Interfaces, Recovery Priorities, Critical Business Processes]

35. Recovery Timeframes
  - Determine RTO or recovery windows for critical business functions
  - Determine the order of recovery based on level of criticality
  - Determine the RPO

36. Resource Requirements
  - Determine minimum resource requirements for recovery and resumption of critical functions and support systems
  - Determine resource replacement times
  - Internal & external resources
  - Owned versus non-owned resources
  - Existing resources
  - Additional resources required

37. Resource Restoration Schedule
  - Milestone 1. Restore System A
  - Milestone 2. Restore Business Process B
  - Milestone 3. Restore Business Process C
  [Diagram labels: RTO-C, RTO-B, RTO-A, Increasing Time]
  Critical functions or processes operating at pre-defined minimum levels
  *RTO = Recovery Time Objective

38. Alternatives & Work-Arounds
  - Existing procedures and practices
  - Manual interim processes
  - Defer or suspend
  - Backlog and inventory impacts
  - Backlog resolution and catch up strategies
  - Alternative strategies

39. Results of a BIA
  Identification of:
  - Potential financial exposures and impacts
  - Potential unbudgeted/unplanned expenses
  - When exposures and impacts begin and how quickly they escalate
  - Required resources
  - Internal and external dependencies
  - Magnitude of operational impacts

40. What is Your Cost of Downtime?
  - Revenue:
    - Direct loss
    - Compensatory payments
    - Lost future revenues
    - Billing losses
    - Investment losses
  - Financial Performance:
    - Revenue recognition
    - Cash flow
    - Lost discounts (A/P)
    - Payment guarantees
    - Credit rating
    - Stock price
  - Productivity:
    - Number of employees impacted hours out burdened hourly rate
  - Damaged Reputation:
    - Customers
    - Suppliers
    - Financial Markets
    - Banks
    - Business Partners, etc.
  - Other Expenses:
    - Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses, etc.
  Source: Gartner Research
  Know your downtime costs per hour, day, week, etc.

41. Presentation Objectives
  - Receive specific approval and direction regarding strategy development for mitigation of potential impacts
  - Obtain executive buy-in and acceptance of:
    - Relative ranking of functions and applications
    - Timeframes for RTOs and their implications
  - Maintain executive involvement:
    - Executive Sponsor(s)
    - Periodic status reports

42. Summary
  - The BIA is crucial in determining exactly where all critical information resides
  - The BIA provides management key information for making strategic decisions regarding business continuity and recovery
  - The approach to your data collection process will help you to focus your questions
  - It is important to validate your results

43. Sample BIA Results

44. Sample BIA Results