A Business Impact Analysis and a Risk Assessment are not the same thing. As we continue our series on Business Continuity Planning (BCP), let's take a detailed look at the differences between them and what is expected of each.

Business Impact Analysis
As we mentioned in our first article, once responsibility has been assigned, the Business Impact Analysis (BIA) is the next step in completing your BCP. When starting a BIA, the first task is to identify and prioritize each business function. A flow chart of the entire organization should be completed, and it should document every dependency between areas: which functions cannot run until another function, system or vendor is back. This level of detail helps prevent a key function, or a dependency that a key function silently relies on, from being overlooked.
After each business function has been identified and prioritized, it is time to look at the effect an event could have on each function. The analysis is designed to look at the impact rather than the event itself, because the recovery needs of a function are largely the same whether it was taken out by a flood, a fire or a ransomware incident. However, consideration should still be given where unusual or unique events or circumstances may be involved. The event occurs. What is affected? How is the organization affected from a legal and regulatory standpoint? Were employees affected? Was the office or facility damaged?
Now, recovery begins. What are the critical needs? Immediate and longer-term needs should be assessed for each process in the organization. Who are the critical employees for the process? Is there a backup for each of them? What equipment, software, network and internet connectivity are needed? Who are the organization's critical vendors? Consideration should also be given to physical supplies and employee needs. We discuss this further below, but backups for critical vendors are just as important as backups for people and equipment.
While assessing critical needs, downtime and recovery time should be considered together. You may have backup equipment stored off site; however, if power and internet cannot be restored quickly, the equipment cannot be used and your recovery will be significantly delayed. Another consideration is the time needed to bring systems back up once their prerequisites are available. Many of your vendor contracts will specify a guaranteed recovery time, which may vary with the type of event. The timing stated in those contracts should be included in the impact analysis. Keep in mind that a vendor's contractual recovery time covers only the vendor's service; the recovery time for your business function is that figure plus whatever restoration remains on your side, so the function's recovery time can never be shorter than the slowest thing it depends on.
The BIA can really be an eye-opener, especially for small companies. I recently had dinner with a friend and learned her company didn't have a backup for payroll. Interestingly, they had a large payroll and were in multiple states. Even Human Resources (HR) is important when it comes to your BCP. We can't stress enough that all aspects of the organization need to be considered.

Risk Assessment
I know it seems like we have a risk assessment for the risk assessment. We assess the risk of everything, and your business continuity plan is no exception to the rule. Institutions are required to assess the likelihood and impact of an event and the strength of their plan for continuing operations through it. As mentioned above, it is critical to ensure you have included your entire organization. Now that the BIA is complete, we carry its results into the risk assessment as we work through the various threats.
At a minimum, the risk assessment should consider threats based on the institution's location(s), staffing, financial position, vendors and service providers, and the recovery or continuation of the systems behind the products and services offered. When we think of an event, we often think of weather-related threats. However, it is important to consider other possible events, such as cyber-attacks and pandemics. While the assessment should consider a range of threats, it should also focus on the severity of the impact each event would have enterprise-wide. In addition, the risk assessment should consider customer risk and the impact on the local and national market.
Vendor risk should also be assessed during the risk assessment phase. Do you have critical vendors in the local area? While this can be convenient, it can also create a problem if an event affects a large area, because your vendor may be down at the same time you are. Another consideration is the risk introduced by alternative vendors used to resume quickly. For example, if your primary vendor is unavailable and another is selected for restoration purposes, the risk of relying on that alternative should be included in the assessment. A gap analysis should be performed when wrapping up the risk assessment.
A gap analysis compares the controls the risk assessment shows you need against the controls actually in place today, in a normal, non-event environment. By setting the two side by side, the gap analysis exposes the areas where the organization lacks a control that would assist in recovery. For example, consider the story above about the payroll position. Risk is significantly elevated wherever there is no backup or no written procedure in place.
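The dependency mapping and recovery-time reasoning from the BIA section above, and the gap analysis just described, can be carried out on a small inventory rather than by hand. The following is an added example, not code from the article or from the FFIEC handbook. The inventory, the function names, the hour figures and the `mtd_hours` (maximum tolerable downtime) field are all constructed assumptions for illustration; the point it shows is that a function whose own restore time is one hour can still have a day-long effective recovery time once the power and internet it depends on are accounted for, and that a gap report falls out of the same data.

```python
"""Dependency-aware recovery-time estimate and gap report for a BIA.

Added example, not from the article or the FFIEC handbook. The inventory
below is constructed for illustration; every name and figure is assumed.
"""

# Constructed sample inventory. For each business function or dependency:
#   restore_hours  time to bring it back once everything it depends on is up
#                  (for a vendor, the contractual recovery time from the contract)
#   depends_on     functions/vendors that must be available first
#   backup         whether a backup person, vendor or equipment is identified
#   mtd_hours      the longest outage the business says it can tolerate (assumed)
INVENTORY = {
    "power":          {"restore_hours": 12, "depends_on": [],                             "backup": True,  "mtd_hours": 24},
    "internet":       {"restore_hours": 8,  "depends_on": ["power"],                      "backup": True,  "mtd_hours": 24},
    "core_banking":   {"restore_hours": 4,  "depends_on": ["internet"],                   "backup": True,  "mtd_hours": 24},
    "payroll_vendor": {"restore_hours": 48, "depends_on": [],                             "backup": False, "mtd_hours": 72},
    "payroll":        {"restore_hours": 2,  "depends_on": ["payroll_vendor", "internet"], "backup": False, "mtd_hours": 48},
    "teller_ops":     {"restore_hours": 1,  "depends_on": ["core_banking", "power"],      "backup": True,  "mtd_hours": 8},
}


def effective_rto(inventory, name, _path=()):
    """Worst-case recovery time for `name`: its own restore time plus the
    slowest chain of things it depends on. Raises on a dependency cycle,
    which in a real BIA means the flow chart has an error."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    entry = inventory[name]
    slowest_dep = max(
        (effective_rto(inventory, dep, _path + (name,)) for dep in entry["depends_on"]),
        default=0,
    )
    return entry["restore_hours"] + slowest_dep


def recovery_order(inventory):
    """Order in which to restore things: every dependency before the
    functions that need it (a topological sort of the flow chart)."""
    order, done = [], set()

    def visit(name, path):
        if name in done:
            return
        if name in path:
            raise ValueError("dependency cycle: " + " -> ".join(path + (name,)))
        for dep in inventory[name]["depends_on"]:
            visit(dep, path + (name,))
        done.add(name)
        order.append(name)

    for name in inventory:
        visit(name, ())
    return order


def gap_report(inventory):
    """Findings a gap analysis would raise from this inventory: no backup
    identified, or effective recovery slower than the business tolerates."""
    findings = []
    for name, entry in inventory.items():
        rto = effective_rto(inventory, name)
        if not entry["backup"]:
            findings.append((name, "no backup person, vendor or equipment identified"))
        if rto > entry["mtd_hours"]:
            findings.append((name, f"effective recovery {rto}h exceeds tolerable downtime {entry['mtd_hours']}h"))
    return findings


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(INVENTORY)))
    for name in INVENTORY:
        print(f"{name:15s} own {INVENTORY[name]['restore_hours']:>3}h  effective {effective_rto(INVENTORY, name):>3}h")
    print("Gap findings:")
    for name, finding in gap_report(INVENTORY):
        print(f"  {name}: {finding}")
```

With the constructed figures, `teller_ops` restores in one hour on its own but has an effective recovery time of 25 hours because it waits on core banking, which waits on internet, which waits on power; against an assumed 8-hour tolerance that is a finding. Payroll is flagged twice: no backup, and an effective 50 hours driven entirely by the vendor's 48-hour contractual recovery time. Replace the inventory with your own flow chart and contract figures; the logic does not change.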
As we conclude this section of the Business Continuity Plan series, we strongly recommend the IT Examination Handbook published by the Federal Financial Institutions Examination Council (FFIEC). It includes a section on the areas that should be considered when developing the impact analysis, and it also provides guidance for completing the risk assessment. https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/introduction.aspx
Stay tuned for the next article as we walk through monitoring and testing.