Service Design – Section 4.5 Service Continuity Management

Business Impact Analysis provides basic input for continuity and recovery strategies, plans and responses. CMMI Level 5 Continuity Mgmt Integrated continuous service processes are proactive, self-adjusting, automated and self-analytical and take into account benchmarking and best external practices. Continuous service plans and business continuity plans are integrated, aligned and routinely maintained. Buy-in for continuous service needs is secured from vendors and major suppliers. Global testing occurs and test results are fed back as part of the maintenance process. Continuous service cost effectiveness is optimized through innovation and integration. Gathering and analysis of data is used to identify opportunities for improvement. Redundancy practices and continuous service planning are fully aligned. Management does not allow single points of failure and provides support for their remedy. Escalation practices are understood and thoroughly enforced.

Service Design – Section 4.5 Service Continuity Management BIAs identify the potential operational and financial impact of uncontrolled, non-specific events on a company’s essential business processes. They provides the basis for formulating Disaster Recovery (DR) strategies. An organization-wide operational impact assessment is required to develop and implement an appropriate Disaster Recovery program. BIAs serve to provide critical information about the organization both to the DR program and to the Business Continuity Management Program. BIAs identify the potential operational and financial impact of uncontrolled, non-specific events on a company’s essential business processes. They provides the basis for formulating Disaster Recovery (DR) strategies. strategies. An organization-wide operational impact assessment is required to develop and implement an appropriate Disaster Recovery program. BIAs BIAs serve to provide critical information about the organization both to the DR program and to the Business Continuity Management Program.

Service Design – Section 4.5 Service Continuity Management Each Business Unit identifies those services that are required to continue business operations Management review the submitted listing and assesses their relative importance to the Business Each Business Unit identifies those services that are required to continue business operations Management review the submitted listing and assesses their relative importance to the Business

Service Design – Section 4.5 Service Continuity Management 1.Critical Dates and Impact Timeline - critical dates when the business process must be functional and how long it would take to feel the impact of a failure 2. Operational and Financial Impacts - any financial costs associated with this function not being performed 3. Dependencies - the components the process relies on Upstream Dependencies - external processes that the process relies upon Downstream Dependencies - external processes that rely on the process and will be affected by its failure 4.Recovery Time Objectives - a goal you set for the amount of time it should take to restore the service 5.Work-around Procedures – Techniques for temporarily by- passing the service 1.Critical Dates and Impact Timeline - critical dates when the business process must be functional and how long it would take to feel the impact of a failure 2. Operational and Financial Impacts - any financial costs associated with this function not being performed 3. Dependencies - the components the process relies on Upstream Dependencies - external processes that the process relies upon Downstream Dependencies - external processes that rely on the process and will be affected by its failure 4.Recovery Time Objectives - a goal you set for the amount of time it should take to restore the service 5.Work-around Procedures – Techniques for temporarily by- passing the service

Service Design – Section 4.5 Service Continuity Management 1.Determine Business Units (BUs) for review For each BU 2.Identify essential business processes (EBPs) For each EBP 3.Estimate the costs of failure 4.Determine attributes (HR, facilities, equipment, support) 5.Establish the minimum resources required to operate 6.Prioritize EBPs 7.Evaluate alternative backup/recovery solutions (ROI) 8.Establish Backup and Business Recovery Strategies 1.Determine Business Units (BUs) for review For each BU 2.Identify essential business processes (EBPs) For each EBP 3.Estimate the costs of failure 4.Determine attributes (HR, facilities, equipment, support) 5.Establish the minimum resources required to operate 6.Prioritize EBPs 7.Evaluate alternative backup/recovery solutions (ROI) 8.Establish Backup and Business Recovery Strategies The BIA Report typically contains:

Service Design – Section 4.5 Service Continuity Management Scale of Business Operations Scale of Business Operations Business Functions and their Value Business Functions and their Value Impact of Unavailability Impact of Unavailability Scale of Business Operations Business Functions and their Value Impact of Unavailability The BIA Report is organized by sections:

Service Design – Section 4.5 Service Continuity Management The number and diversity of Business Units in the organization The number and diversity of Business Units in the organization The complexity of the application infrastructure The complexity of the application infrastructure The appropriate level(s) of approval for the BIA results The appropriate level(s) of approval for the BIA results Formal indication that the appropriate level(s) have reviewed and approved the BIA results. Formal indication that the appropriate level(s) have reviewed and approved the BIA results. The The number and diversity of Business Units in the organization complexity of the application infrastructure appropriate level(s) of approval for the BIA results Formal Formal indication that the appropriate level(s) have reviewed and approved the BIA results. Scale of Business Operations:

Service Design – Section 4.5 Service Continuity Management The impact analysis should concentrate on those scenarios where the impact on critical business processes is likely to be greatest. It will include: 'Hard' impacts - financial loss, breach of law, regulations, or standards, failure to achieve agreed service levels, increased costs of working 'Hard' impacts - financial loss, breach of law, regulations, or standards, failure to achieve agreed service levels, increased costs of working 'Soft' impacts - political, corporate or personal embarrassment, loss of competitive advantage, loss of credibility. 'Soft' impacts - political, corporate or personal embarrassment, loss of competitive advantage, loss of credibility. The impact analysis should concentrate on those scenarios where the impact on critical business processes is likely to be greatest. It will include: 'Hard' 'Hard' impacts - financial loss, breach of law, regulations, or standards, failure to achieve agreed service levels, increased costs of working 'Soft' 'Soft' impacts - political, corporate or personal embarrassment, loss of competitive advantage, loss of credibility. Business Functions and their Value

Service Design – Section 4.5 Service Continuity Management A scale for quantifying the operational impacts should be established in order to ensure all process/functions are measured the same. For example, a scale of 1 – 4 could be used with the following definitions: 1 = no impact, 2 = moderate impact, 3 = serious impact and 4 = severe impact. A scale for quantifying the operational impacts should be established in order to ensure all process/functions are measured the same. For example, a scale of 1 – 4 could be used with the following definitions: 1 = no impact, 2 = moderate impact, 3 = serious impact and 4 = severe impact. Impact of Unavailability

Service Design – Section 4.5 Service Continuity Management