Business Impact Analysis #122 Richard Archer, CISA, CIA Partner KPMG LLP April 25, 2005.


1 Business Impact Analysis #122
Richard Archer, CISA, CIA
Partner, KPMG LLP
April 25, 2005

2 Key Points
Learning Objectives
Overview
BIA defined
BIA key components and approaches
Major inputs, sources, and analytics
Methods of gathering and assimilating risk information
Tools and techniques
Formats for reporting and presentation of results
Use and implications for IT audit
Resources

3 Learning Objectives
1. The key components and approaches to the BIA process.
2. The major inputs, sources of information, and analytics suggested for a complete BIA.
3. Methods of gathering and assimilating risk information during the BIA process.
4. Tools and techniques for performing the BIA.
5. Formats for reporting and presenting the results of the BIA.

4 Overview
This session addresses the major components, approaches, tools and techniques, and presentation formats for a Business Impact Analysis (BIA). The linkage of a BIA to IT audit uses and the risks it identifies will be discussed. Information sources, tools, and techniques that can be used during the course of a BIA will be identified, with practical examples of each. In addition, a framework for analyzing the accumulated information and performing the risk analysis will be discussed. Finally, examples of BIA report and presentation formats will be presented.

5 Overview of Business Continuity (BC)
Utilizing risk management to improve operational reliability and performance, and to protect business resources.
Our Objectives – To help organizations:
–Maintain chosen availability levels
–Effectively manage and control operational reliability
–Minimize downtime
to meet the ever-increasing demands of business on an end-to-end continuous basis.
Focus
–Both risk reduction and improved infrastructure operations

6 Overview of Business Continuity
Identify disruption risks and potential impacts of disruptions, due to
–Technology risks, and
–Other potential disruptions or disasters
Design strategies, plans, processes and infrastructures to
–Minimize potential for disruption
–Plan for continuity or restoration of critical business functions
Business Continuity Planning, Enterprise High Availability, and Service Level Management
–Enabling continuous BCM evolution, to meet the competitive, customer service, and compliance requirements of a leading organization

7 Value Layers in BC Framework
I can recover my information systems in the event of a disaster.
I can recover my critical operations in the event of a disruption/disaster.
I'm always there for my customers.
My business services exceed my customers' expectations.
My data architecture offers scalable information delivery when customers need it.
How I manage information is a competitive advantage.

8 An Approach to Managing Business Continuity
Business Continuity Management is a lifecycle process.
[Lifecycle diagram: Assess Risk; Develop Strategy, Architect Solution; Implement Change; Monitor and Test (Measure). Centred on Organizational Strategy / Core Business Functions, spanning People, Process and Technology.]

9 An Approach to Managing Business Continuity
Phase 1: Assess Risks – Business Impact Analysis
–Identify impacts resulting from events/disruptions
–Quantify and qualify such impacts
–Establish critical functions and priorities
–Identify interdependencies between processes, businesses, systems
–Establish recovery time objectives or availability requirements
An organization needs to understand how it relies on its people, processes and technology, as well as its relationships with customers, suppliers, and other contributors to its value chain.

10 BIA Objectives
–Establish the value of each unit or resource as it relates to the function of the total organization
–Provide the basis for identifying the critical/time-sensitive resources required to develop a business recovery strategy
–Establish an order of priority for restoring the function of the organization in the event of an unplanned event

11 BIA Objectives
–Threats that could potentially impact critical functions
–Prioritized list of risks (risk = likelihood of failure event x impact)
–Technology recovery capabilities and identified Key Points of Failure
–Process maps for critical functions with interdependencies
–Minimum resource requirements At Time of Disaster (ATOD)
–Identify for each critical function:
  RTOs - Recovery Time Objective
  RPOs - Recovery Point Objective
  MTOs - Maximum Tolerable Outage
  SDOs - Service Delivery Objective
–Gap analysis of "as-is" and "to-be" states
–Recommended risk strategies to minimize risk

12 The BIA: It's an Iterative Process
Core Business Function(s)
STEP #1: BIA Workshop
STEP #2: Functional Leaders and champions complete questionnaire(s) on critical business processes/functions (Collect Data)
STEP #3: Functional Leaders and champions analyze process flows and BIA dependencies/impacts for critical processes/functions (Analyze Data)
STEP #4: Functional Leaders and champions review financial / capacity / time-dependent attributes for critical business processes/functions (Review Data)
STEP #5: Functional Leaders and champions level-set the process/function against a benchmark to determine if additional drill-down into sub-processes is needed; if "Yes", the sub-process goes through the cycle (Level-set Data)

13 Risk Strategies
At the highest level, there are four things that can be done with Risk: Mitigate, Insure, Plan, Accept.
Types of Risk to be considered:
Compliance – Contractual (penalties assessed by customers); Regulatory; Service Level Agreements (formal and informal customer expectations)
Financial – Lost or Deferred Revenue; Opportunity; Shareholder Equity
Operational – People (key historical and process knowledge); Production; Supply Chain (single sources and long lead time to delivery)
Strategic – Marketshare (competitors with capacity to take business away); Customer and Partner Relationships; Reputation (brand name and image)
Technical – Infrastructure Failure; Loss of Intellectual Property; Disruption (virus)

14 BIA Process
Business Impact Analysis is a broad term for efforts to identify business impacts resulting from a disruption. There are several kinds of risk:
–Financial,
–Operational,
–Technology,
–Environmental,
–Competitive

15 Key Terminology
RTO – Recovery Time Objective
MTO – Maximum Tolerable Outage
RPO – Recovery Point Objective
SDO – Service Delivery Objective
ATOD – At Time of Disaster

16 Inputs to the BIA
Information used as input to the BIA process can include:
–Financial reports
–Supply chain analysis / vendor spend
–Analysis of key customers
–Cost analysis

17 BIA Information Identified
Quantitative Impact
–Losses identified in quantities, percentages, or as a factor of a standard, that can be described in monetary terms
–Sales, market share, penalties, assets, revenue, income
–Actual or order of magnitude

18 BIA Information Identified
Qualitative Impact
–Operations impact causing intangible losses that cannot be directly quantified in monetary terms
–Losses with financial impact that cannot be quantified
–Efficiency, satisfaction, control, inter/intra-departmental
–Order of magnitude

19 BIA Information Identified
–Determine Loss Exposure
Quantitative:
Property loss
Revenue loss
Fines
Cash flow
Accounts receivable
Legal liability
Human resources
Additional expenses/increased cost of working
Loss of investment income

20 Questionnaire
Gathering information can be done using a questionnaire
Questionnaires can take many forms
Advantages of questionnaires are ease of use and availability
Disadvantages are lack of clarification and consolidation of data

21 Analysis
Once all data is gathered, analysis must be applied to identify key threads:
Qualitative
Quantitative
Critical point analysis

22 Analysis: Trends, Summaries and Validation
Look for trends that point toward potential impacts and exposures.
Information is summarized into operational and intangible severity impact ratings, and department units are ranked by criticality.
Rankings are determined by considering the relative importance of operational and financial impact factors, weighted by severity over time.
Ultimately, the BIA provides:
the validation of recovery priorities and time frames
the conversion of data into meaningful information
a tool for management to facilitate the decision process for a sensible recovery strategy

23 Gap Identification
Identification of current capabilities
Initial analysis of potential needs
Where do these two match up?

24 Recovery Time Objectives

25 High Dependence on Systems + High Business Impact = Shorter Recovery Time Objective (RTO)
–Business functions with high business impact and high dependence on on-line processing cannot sustain lengthy outages. These functions require immediate recovery.
–Business functions with moderate dependence on on-line processing can sustain outages for several days.
[Chart: Impacts/Costs versus Length of Outage (Hours, Days, Weeks, Months), rising from Inconvenience through Disruption and Major Business Losses to Going Out of Business.]

26 Shorter Recovery Time Objectives Generally Result in More Expensive Recovery Solutions
[Chart: Plan Costs versus Length of Outage (Hours, Days, Weeks, Months). From shortest to longest outage tolerated: High availability architecture; Hot Site and Vital Record Strategy; Cold Site (Recover in New Location); Recover in Place.]

27 Tools and Techniques
Software tools to assist in the process
JAD style approach
Electronic meeting
Surveys and data gathering

28 Reporting Formats
The reporting of analysis is critical
Proper presentation is the key
Graphs and charts provide a quick summary
Don't overkill on analytics
Know your audience

29 Reporting Formats

30 Reporting Formats

31 Recovery Time Objective (RTO) by Business Function or Process
The table summarizes the identified RTOs for key business functions and processes. Functions deemed to be non-critical to business continuity during a crisis (while important for Company growth during normal periods) are shown in the detailed report. In accordance with the company definitions, RTO within: Red = up to 2 days; Yellow = between 3 days and 2 weeks; Green = over 2 weeks.
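As an added worked example (not part of the deck), the analytics the slides describe in words: the risk = likelihood x impact prioritization of slide 11, the criticality ranking weighted by severity over time of slide 22, and the Red/Yellow/Green RTO bands of slide 31. The horizon and factor weights and the three sample functions are constructed assumptions, not values from the presentation.

```python
"""BIA analytics: risk scoring, criticality ranking, and RTO colour banding."""
from dataclasses import dataclass


def risk_score(likelihood: float, impact: float) -> float:
    """Slide 11: risk = likelihood of failure event x impact."""
    return likelihood * impact


def prioritize_risks(risks):
    """risks: iterable of (threat, likelihood, impact); returns highest risk first."""
    return sorted(risks, key=lambda r: risk_score(r[1], r[2]), reverse=True)


def rto_band(rto_days: int) -> str:
    """Slide 31: Red = up to 2 days, Yellow = 3 days to 2 weeks, Green = over 2 weeks."""
    if rto_days <= 2:
        return "Red"
    if rto_days <= 14:
        return "Yellow"
    return "Green"


@dataclass
class FunctionImpact:
    name: str
    rto_days: int
    operational: tuple  # severity 1-5 at each outage horizon: hours, days, weeks, months
    financial: tuple


# Assumptions (not from the deck): impact that arrives sooner weighs more
# (hours > days > weeks > months), and financial outweighs operational 3:2.
HORIZON_WEIGHTS = (4, 3, 2, 1)
FACTOR_WEIGHTS = {"operational": 2, "financial": 3}


def criticality(fi: FunctionImpact) -> int:
    """Slide 22: operational and financial impact factors, weighted by severity over time."""
    op = sum(w * s for w, s in zip(HORIZON_WEIGHTS, fi.operational))
    fin = sum(w * s for w, s in zip(HORIZON_WEIGHTS, fi.financial))
    return FACTOR_WEIGHTS["operational"] * op + FACTOR_WEIGHTS["financial"] * fin


def bia_report(functions):
    """Rank functions by criticality and attach the RTO band for the summary table."""
    ranked = sorted(functions, key=criticality, reverse=True)
    return [{"function": f.name, "rto_days": f.rto_days, "band": rto_band(f.rto_days),
             "criticality": criticality(f)} for f in ranked]


# Constructed sample data for three business functions.
SAMPLE = [
    FunctionImpact("Payroll", 7, (1, 3, 5, 5), (1, 3, 4, 5)),
    FunctionImpact("Marketing analytics", 21, (1, 1, 2, 3), (1, 1, 2, 3)),
    FunctionImpact("Order processing", 1, (4, 5, 5, 5), (3, 5, 5, 5)),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE):
        print(row)
```

Note that the slide-31 bands are stated in whole days, so the function takes an integer; a fractional RTO between 2 and 3 days would need a company definition the deck does not give.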

32 Reporting Formats

33 Implications for IT Audit
The BIA is an important source of information for IT Auditors
The BIA will show the critical components of the areas analyzed
The risk assessment information can identify areas of vulnerability for future audits
The gap analysis can identify SPFs (single points of failure)

34 Implications for IT Audit
Internal Audit can also provide valuable input into the BIA process
Importance of a valid, timely BIA to the business continuity program
BIA provides the basis for any continuity plan

35 Resources
www.drii.org – Disaster Recovery Institute International
www.contingencyplanning.com – Continuity Planning and Management
www.drj.com – Disaster Recovery Journal
www.disasterlinks.com – Disaster Links – Information on physical threats
www.disaster-resource.com – Resources for DRP/BCP
www.madra.org – MidAtlantic Disaster Recovery Association
www.thebci.org – Business Continuity Institute
www.cpeworld.org – Continuity Planning Exchange
www-1.ibm.com/services/us/index.wss/it/bcrs/a1000411 – IBM
www.strohlsystems.com – Strohl Systems
www.availability.sungard.com – SunGard
www.fema.org – Federal Emergency Management Agency

36 For More Information:
Richard Archer
Partner, KPMG LLP
rearcher@kpmg.com
412-232-1590

37 Thank you!

