CBCP业务连续性管理专家培训材料_Area3.ppt

1,Business Continuity Management Course for Advanced Professionals Introduction,2,Subject Area 3: Business Impact Analysis,3,Lesson Overview,What is a BIA? Objectives of a BIA Benefits of a BIA Recovery Time Objective ( RTO) Disruption or Disaster? Phases of a BIA Results of a BIA,4,Professional Practices for Business Continuity Professionals,Project Initiation and Management Risk Evaluation and Control Business Impact Analysis Developing Business Continuity Strategies Emergency Response and Operations Developing and Implementing Business Continuity Plans Awareness and Training Programs Maintaining and Exercising Business Continuity Plans Crisis Communications Coordination with External Agencies,5,Objectives,Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization and techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.,6,The Professionals Role (1/2),Identify Knowledgeable Functional Area Representatives for the BIA process Identify Organization Functions including information and resource (people, technology, facilities, etc.) Identify and Define Criticality Criteria Obtain Management Approval for Criteria Defined Coordinate Analysis,7,The Professionals Role (2/2),Identify Interdependencies (internal and external to the organization) Define Recovery Objectives and Timeframes Define Report Format Prepare and Present Final BIA to Management,8,The Planning Process,Objective evaluate the critical operations for the organization and determine timeframes, priorities, resources, & interdependencies Some key tasks Determine the scope of the analysis Identify key business processes Gather and verify information Analyze and present the results Some key deliverables A list of outages and probability of occurrence The costs of loss versus the costs of prevention Recovery priorities- RTO, RPO, & interdependencies,Project Management,Risk Assessment & Analysis,Business Impact Analysis,9,What is a BIA?,A process designed to Identify critical business functions and workflow, Determine the qualitative and quantitative impacts of a disruption, and Prioritize and establish recovery time objectives,10,Senior Management Commitment,Establishes the BIA as a concern of the entire organization Involves all business units and departments Coordinates the process ensuring its effectiveness within the organization Identifies and establishes a project sponsor,11,Business Impact Analysis,Identify, categorize & prioritize Critical functions Critical/Vital records Required resources, personnel & equipment,12,Business Impact Analysis,Assess impacts and effects of disruptions over time Determine loss exposure over time,13,Business Impact Analysis,Identify business processes Interrelationships Dependencies Validate information,14,Purpose of a BIA,To provide the business rationale for a Business Continuity Plan To provide a factual, understandable, and informative set of findings that management can use to provide direction for development of the Business Continuity Program To communicate the inherent vulnerabilities of the business units, business processes and systems that comprise the organization,15,Purpose of a BIA,To identify which business processes an assets require the highest level of protection To provide information that assists in the identification of strategies and alternatives To provide financial data to help select appropriate levels of investment for protection To establish the recovery objectives and time line,16,Objectives of a BIA,Identify Essential business functions and operations Potential financial exposures and impacts Qualitative or operational exposure and impacts Determine when exposures and impacts begin Determine resources needed Technology Infrastructure Personnel Vendor Support,17,Objectives of a BIA,Assess impact (s) of disruption over time Determine time criticality of Business functions Business processes Departments Work areas as related to total organization function Identify interdependencies Identify legal and regulatory requirements,18,Objectives of a BIA,Determine recovery timeframes and minimum resource requirements Critical functions based on level of criticality Determine order of recovery Determine minimum resource requirements Establish the organizational value of each business unit as they relate to the functioning of the total organization,19,Recovery Time Objective,The period of time within which systems, applications, processes, or functions must be recovered after an outage RTO s are often used as the basis for Establishing priorities Developing strategies As a determinant as to whether or not the event is a disruption or a disaster,20,Recovery Time Objective (RTO),The time within which Business Functions or Application Systems must be Restored to Acceptable Levels of Operational Capability to Minimize the Impact of an Outage,Time,Recovery Time Objective,Business Processes Functional,Point of Disruption,Recovery Of Operations (Business Or Data Processing),Business Functions Or Application Systems Operational With Current & Accurate Data,Is the time between the point of disruption and the point at which BUSINESS FUNCTIONS or APPLICAATION SYSTEMS must be operational AND updated to current status.,Craphic 2006 FAIRLAMB and Associates, Inc.,21,Recovery Point Objective,Potential lost transactions Manual processes Interim operational competencies Last available data backup Target recovery point in time Tolerable data loss Inventory and backlog issues,22,Disruption or Disaster?,Disruption Event RTO Impacts are limited and controlled Disruption $,Disaster Event RTO Impacts are extensive and outside of control Disaster $,23,Identify BIA Participants,Represent all business functions Appropriate organizational level Consistent organizational level Credible representative,24,Determine Approach,Interview Questionnaire Workshop session Combination,25,Define BIA Focus Areas,Business processes Impact factors: qualitative & quantitative Critical dependencies Resource requirements Legal/Regulatory issues Alternate processes, workarounds, interim operations, &manual processes Vital record & documentation,26,Question Design,Good questions result in Listing all business functions, operations and processes Showing quantitative and qualitative exposures over time by Process Function Department Service Identification of critical time frames and recovery priorities,27,Process Questions,Identify processes Interrelationships between processes Process dependencies,28,Impact Questions,Identify impact factors Operational Financial Regulatory reporting requirements Outage timing Quantitative Qualitative,29,Impact of Disruptions on Organization,Financial Customer Public relations Legal Regulatory Market share,Environmental Operational Personnel Other resources Contractual,30,Financial Exposures & Impacts,Lost revenue Lost interest on “float” Fines and penalties Contractual Legal (Could we be sued?) Regulatory (ISO, Federal, State, County, Local, Industry related) Interest paid on loans Lost opportunity costs Lost trade discounts,31,Document Business Processes,Interrelationship between processes Process dependencies Intra-department Inter-department Technology Processes,32,Document Critical Dependencies,Support requirements Intra-departmental Inter-departmental Critical external Time sensitivity,33,Categorize by Criticality,Define criticality parameters Develop levels or categories of criticality Identify critical functions Identify vital records to support business continuity and restoration Categorize qualitative findings by high/medium/low,34,Group by Category,List business functions by criticality and time sensitivity Prioritize critical business functions Consolidate and group recovery times with the organization,Key Interfaces,Recovery Priorities,Critical Business Processes,35,Recovery Timeframes,Determine RTO or recovery windows for critical business functions Determine the order of recovery based on level of criticality Determine the RPO,36,Resource Requirements,Determine minimum resource requirements for recovery and resumption of critical functions and support systems Determine resource replacement times Internal & external resources Owned versus non-owned resources Existing resources Additional resources required,37,Resource Restoration Schedule,Milestone 1.Restore System A Milestone 2.Restore Business Process B Milestone 3.Restroe Business Process C,RTO - C,RTO -B,RTO - A,Increasing Time,Critical functions or processes operating at pre-defined minimum levels,*RTO=Recovery Time Objective,38,Alternatives & Work-Arounds,Existing procedures and practices Manual interim processes Defer or suspend Backlog and inventory impacts Backlog resolution and catch up strategies Alternative strategies,39,Results of a BIA,Identification of Potential financial exposures and impacts Potential unbudgeted/ unplanned expenses When exposures and impacts begin and how quickly they escalate Required resources Internal and external dependencies Magnitude of operational impacts,40,What is Your Cost of Downtime?,Revenue Direct loss Compensatory payments Lost future revenues Billing losses Investment losses,Financial Performance Revenue recognition Cash flow Lost discounts (A/P) Payment guarantees Credit rating Stock price,Productivity Num