Post on 11-Apr-2020
© 2017 MHA CONSULTING. ALL RIGHTS RESERVED.
Getting the BS out of the BIA
How to make BIAs as efficient and painless as possible.
Sponsored by MHA Consulting
May 2017
MHA CONSULTING, INC.
• An 18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
• A simple mission: Ensure the continuous operations of our clients’ critical processes.
• Services include Business Continuity, Crisis Management, Disaster Recovery, IT Best Practices and Physical Security.
• SaaS tools include BCM Compliance and Residual Risk.
KEY FACTS
• SAAS: Compliance and risk tools.
• CAPABLE: Comprehensive suite of services.
• 15: Average years industry experience.
• 18: Years in operation.
• GLOBAL: Diverse, global client base.
SENIOR LEADER
Richard Long, Practice Leader, Phoenix, Arizona, www.mha-it.com
DIVERSE, GLOBAL CLIENT BASE
Healthcare, Education, Financial Institutions, Consumer Products, Insurance, Travel & Entertainment, Government/Utility, Services
COMPREHENSIVE SOLUTIONS PRACTICES
ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Business Impact Analysis
• Threat & Risk Assessment
• BCMMETRICS™ Compliance Confidence (C2)
• BCMMETRICS™ Residual Risk (R2)
• BCMMETRICS™ BIA On-Demand (BIAOD)
RECOVERY STRATEGIES/SOLUTIONS
• Business Recovery Strategies
• Data Center Recovery Strategies
RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
THE CLASS
Performing an EFFECTIVE BUSINESS IMPACT ANALYSIS
• Planning for the BIA
• Who should participate
• How to perform the BIA
How to LEVERAGE & USE BIA INFORMATION
• Dependencies between processes and departments
• Technology requirements
• RTO vs. RTA
• Critical vendors
THE BIG PICTURE
(Figure: Risk and Resilience)
DEFINITIONS
RECOVERY TIME OBJECTIVE VS. ACTUAL (time to recover environment)
• Recovery Time Objective (RTO): desired state – business requirements.
• Recovery Time Actual (RTA): current capability provided by IT.
RECOVERY POINT OBJECTIVE VS. ACTUAL (acceptable data loss)
• Recovery Point Objective (RPO): desired state – business requirements.
• Recovery Point Actual (RPA): current capability provided by IT.
BUSINESS IMPACT ANALYSIS
WHAT IS A BUSINESS IMPACT ANALYSIS?
• A process-based assessment, not an application- or technology-based assessment.
• Determine what a process needs to be functional following an outage event.
• It measures time sensitivity, not importance to the organization: a process can be essential and still tolerate days of downtime.
• Determine dependencies, both internal and external.
• Determine the technology used to support the process.
• Determine manual processes that could be used when technology is not available.
• Determine the state of hardcopy-based documentation or records.
BUSINESS IMPACT ANALYSIS
DIFFERENT BIA STRATEGIES
• Formal interview: typically 1 – 2 hours per department
• Informal interview: typically < 1 hour
• Questionnaire
• Hybrid of questionnaire and informal interview
BIA PREPARATIONS
DETERMINE TYPE OF BIA
• Something is better than nothing.
• What is the organization’s tolerance of time and effort?
• When was the last BIA?
BIA PREPARATIONS
DETERMINE RTO & RPO
• Do not make too many tiers.
• Focus RTO/RPO on recovery strategies.
• More refined strategies can always be determined later as needed.

RTO Business Impact Analysis – Criteria
Tier | Threshold (# = organization-specific value) | Description
RTO 0 | # hours or less | Business activity and/or computer system is mission critical to the operations of the organization. Catastrophic impact to revenue production, customer service, and/or brand image.
RTO 1 | # hours or less | Business activity and/or computer system is critical to the organization. Significant impact to revenue production, customer service, and/or brand image.
RTO 2 | # hours or less | Business activity and/or computer system is urgent to the organization. Significant impact to revenue production, customer service, and/or brand image.
RTO 3 | # hours or less | Business activity and/or computer system is important to the organization. Less significant impact to revenue production, customer service, and/or brand image.
RTO 4 | # days or less | Business activity and/or computer system is deferrable and can be recovered as needed with little to no impact to the organization.
RTO 5 | Greater than # days | Business activity and/or computer system is low priority and can be recovered as needed with little to no impact to the organization.

RPO Business Impact Analysis – Criteria
Tier | Threshold (# = organization-specific value) | Description
RPO 0 | No data loss | Business activity is mission critical and has no tolerance for data loss in the core systems and applications it relies on to perform the activity.
RPO 1 | # hours or less | Business activity is mission critical and has minimal tolerance for data loss in the core systems and applications it relies on to perform the activity.
RPO 2 | # hours or less | Business activity can tolerate up to a 12 hour loss of data in the core systems and applications it relies on to perform the activity.
RPO 3 | # hours or less | Business activity can tolerate up to a 24 hour loss of data in the core systems and applications it relies on to perform the activity.
RPO 4 | Greater than # hours | Business activity can tolerate more than 24 hours of loss of data in the core systems and applications it relies on to perform the activity.
BIA PREPARATIONS
DETERMINE SCORING CATEGORIES AND RANGES
• What are the dollar and non-dollar impacts to your organization?
• What is the relative importance of each category?
• What is the relative range for the scores?
- Dollar ranges
- Non-dollar ranges

QUANTITATIVE BIA IMPACT CATEGORIES
Category | Description
Loss of Current Revenue | Loss of the business process will result in a loss of revenue.
Increased Operating Costs | Loss of the business process will increase the organization’s day-to-day operating costs (e.g., overtime, temporary staff).
Non-Performance Penalties | Loss of the business process will result in non-performance fines and/or penalties (e.g., FDA, other).
Delay in Billings and Payments | Loss of the business process will delay the administration of billing and/or payments.

QUALITATIVE (NON-$) BIA IMPACT CATEGORIES
Category | Description
Degraded Customer Service | Loss of the business process will impact service to customers, employees, vendors, etc.
Legal/Regulatory Requirements | Loss of the business process will impact the business unit’s ability to meet legal and/or regulatory requirements (e.g., FDA, other).
Degraded Corporate Image | Loss of the business process will impact the corporate image and the trust in the organization.
Employee and Customer Safety & Security | Disruption of the business process (activity) will impact the safety and security of employees and customers.
BIA PREPARATIONS
DETERMINE DEPARTMENTS AND PARTICIPANTS
• Identify critical departments for the BIA.
- Consider a formal BIA for critical departments, and an informal one for others.
• Work with departments to identify the participants.
- Groups should include both management and individual contributors.
- Participants must be able to understand how their processes fit in the organization.
- If management tends to restrict open communication, consider having a separate discussion with them.
BIA PREPARATIONS
DEVELOP QUESTIONNAIRE FOR PRE-INTERVIEW DATA GATHERING
• Create a questionnaire to gather as much info as possible prior to the interviews.
• Review it and identify potential inconsistencies in the information before the interview.

EXAMPLE OF COMPLETED PRE-WORKSHEET
Department Name: Financial Services
Department Description: Financial Services core responsibilities include, but are not limited to, payroll processing, purchasing, and accounting administration.
Department Manager: John Doe, Email Address: jdoe@abc.com, Contact Number: (123) 123-4567
BIA Interviewee: Miranda Priestly, Email Address: mpriestly@abc.com, Contact Number: (123) 123-4567
BIA Interviewee: Don Draper, Email Address: ddraper@abc.com, Contact Number: (123) 123-4567

Critical Business Processes
Critical Process | Supporting Systems & Applications (1) (e.g., RiskMaster, FTP Server) | Supporting Equipment (2) (e.g., laser printers, shredders) | Regulatory Requirements (e.g., FDIC, OSHA, SLAs) | Manual Workaround? (Yes/No)
Payroll | PeopleSoft, Internet | Laser Printer, Fax Machine | IRS Filings, State Payroll Requirements | Y
Purchasing | FMS, Concur, Sharepoint | Fax Machine, Printer | Purchase Orders, Sales Tax | N
Accounting | FMS, Concur, Sharepoint | See (2) | IRS Records, Vendor Contracts, Purchase Orders | N
Risk Management | RiskMaster, Concur | Laser Printer, See (2) | Industrial Commission, Customer SLAs | Y
(1) Systems/Applications required for all key processes: Outlook, MS Office Suite, Network Drives
(2) Equipment required for all key processes: Telephones, Laptop, Wireless Data Cards
PERFORMING THE INTERVIEW
HOW TO MAKE THE INTERVIEW PROCESS EFFICIENT
• Set expectations at the beginning.
- The first process will take longer.
- You are not trying to develop solutions or workarounds during the interview.
• Small snacks often help.
• Have the pre-work information updated and available in whatever tool is used to gather data. Review the data before the session.
• Explain the categories: what they mean and how they fit into the process.
• Use an individual skilled at facilitation who can keep discussion appropriate and directed. Include someone to keep notes.
• Include IT representative(s) as participants.
PERFORMING THE INTERVIEW
INTEGRATION/DEPENDENCIES
• Don’t gloss over or ignore dependencies.
- Internal dependencies can expose inconsistencies in RTO values: a process cannot recover faster than the processes it depends on.
- External dependencies can be critical to functional capability.
• There are often more dependencies than initially identified.
• Capture the data synchronization state between dependent systems.
• There are more hardcopy records than you know.
PERFORMING THE INTERVIEW
DON’T FOCUS ON TECHNOLOGY
• BIAs are about processes, not technology.
• Identify the technology and its criticality/importance to the processes.
• Process RTOs map onto the technology that supports them: an application inherits the shortest RTO of the processes that rely on it.
• RPO is the technology metric: how much data loss is acceptable for each application.
NOW WHAT? HOW TO USE THE DATA?
TECHNOLOGY STRATEGIES
• Review and identify gaps in the technology strategies for recovery.
- Business relocation
- Data center/application based
- RTO vs. RTA
- RPO vs. RPA
• IT should not determine application RTO/RPO; those requirements come from the business processes the application supports.
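The roll-up described on the last three slides (internal dependencies exposing RTO inconsistencies, process RTO/RPO mapping onto technology, and the RTO vs. RTA / RPO vs. RPA gap review), worked through as an added Python example. This is not part of the MHA deck or its BCMMETRICS tools; the process names, hours, applications and IT capability figures are constructed sample data, and the deck's "#" tier thresholds are deliberately left unfilled.

```python
# Added example (not from the MHA deck): turn BIA interview data into
# technology requirements and a gap report. All process names, hours,
# applications and IT capability figures below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    rto_hours: int                 # business requirement from the BIA
    rpo_hours: int                 # acceptable data loss from the BIA
    apps: list                     # supporting systems/applications
    depends_on: list = field(default_factory=list)  # internal dependencies


# Constructed sample BIA output (hours); not the deck's data
PROCESSES = [
    Process("Payroll", 24, 4, ["PeopleSoft"], depends_on=["Accounting"]),
    Process("Purchasing", 72, 24, ["FMS", "Concur"]),
    Process("Accounting", 48, 24, ["FMS", "Concur"], depends_on=["Purchasing"]),
    Process("Risk Management", 8, 1, ["RiskMaster", "Concur"]),
]

# Constructed current IT capability per application: (RTA hours, RPA hours)
CAPABILITY = {
    "PeopleSoft": (48, 24),
    "FMS": (24, 24),
    "Concur": (4, 0),
    "RiskMaster": (72, 24),
}


def dependency_findings(processes):
    """Flag internal dependencies whose stated RTO is longer than the RTO of
    the process that depends on them (the inconsistency the interview should surface)."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        for dep in p.depends_on:
            d = by_name[dep]
            if d.rto_hours > p.rto_hours:
                findings.append((p.name, dep, p.rto_hours, d.rto_hours))
    return findings


def effective_rto(processes):
    """Propagate RTOs down dependency chains: a dependency must recover at
    least as fast as the fastest process relying on it. Values only ever
    decrease, so the loop terminates even if dependencies form a cycle."""
    eff = {p.name: p.rto_hours for p in processes}
    changed = True
    while changed:
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if eff[dep] > eff[p.name]:
                    eff[dep] = eff[p.name]
                    changed = True
    return eff


def application_requirements(processes):
    """Map process RTO/RPO onto technology: each application inherits the
    shortest effective RTO and the smallest RPO of the processes using it."""
    eff = effective_rto(processes)
    req = {}
    for p in processes:
        for app in p.apps:
            rto, rpo = req.get(app, (None, None))
            rto = eff[p.name] if rto is None else min(rto, eff[p.name])
            rpo = p.rpo_hours if rpo is None else min(rpo, p.rpo_hours)
            req[app] = (rto, rpo)
    return req


def recovery_gaps(requirements, capability):
    """Compare business requirements (RTO/RPO) with IT's current capability
    (RTA/RPA). Returns (app, metric, required, actual) for every shortfall;
    an application with no documented capability is reported with actual=None."""
    gaps = []
    for app, (rto, rpo) in requirements.items():
        if app not in capability:
            gaps.append((app, "RTO", rto, None))
            gaps.append((app, "RPO", rpo, None))
            continue
        rta, rpa = capability[app]
        if rta > rto:
            gaps.append((app, "RTO", rto, rta))
        if rpa > rpo:
            gaps.append((app, "RPO", rpo, rpa))
    return sorted(gaps, key=lambda g: (g[0], g[1]))


if __name__ == "__main__":
    for proc, dep, have, need in dependency_findings(PROCESSES):
        print(f"{proc} (RTO {have}h) depends on {dep} (RTO {need}h): dependency RTO too long")
    reqs = application_requirements(PROCESSES)
    for app, (rto, rpo) in sorted(reqs.items()):
        print(f"{app}: business requires RTO {rto}h, RPO {rpo}h")
    for app, metric, required, actual in recovery_gaps(reqs, CAPABILITY):
        print(f"GAP {app} {metric}: business needs {required}h, IT provides {actual}")
```

In the sample data, Payroll's 24-hour RTO pulls Accounting and Purchasing down to 24 hours even though their interviewees stated 48 and 72, which is exactly the inconsistency the dependencies slide warns about; the gap report then shows that IT's current PeopleSoft and RiskMaster capability falls short of what the processes require, while the stated RTOs alone would have hidden part of that.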
NOW WHAT? HOW TO USE THE DATA?
BUSINESS CONTINUITY PLANS
• Review and identify gaps in the current BCPs.
- Do they meet the requirements?
- Are they based on outdated info or workarounds?
- What dependencies are assumed or needed?
- What technologies are required for the BCP that would not be available?

Example department BCP table of contents:
Section I. Department Overview
  Department Description
  Business Process Prioritization
Appendix A: Loss of Building or Geographic Region
Appendix B: Loss of Technology, Telecommunications and Equipment
Appendix C: Loss of Resources/Pandemic
Appendix D: Loss of Critical Third Party Channel
Appendix E: Technology, Equipment and Personnel Requirements
  Technology and Equipment
  System and Application Recovery Point Objectives
  Personnel
  Relocation Site Considerations
Appendix F: Department Requirements and Reference
  Deviations to Regulatory, Legal, or Service Level Requirements
  Standard Operating Procedures
  Internal and External Dependencies
  Vital Records
  Reports
  Forms
  Offsite Storage
  Standalone PCs
  Negotiable Items
Appendix G: Plan Distribution and Maintenance
  Plan Exercise Tracking
  Change Control Tracking
Appendix H: Event Tracking & Reporting Forms
  Business Recovery Event Reporting
Appendix I: Critical Contact Listings
  Employee
  Internal Dependencies
  Vendors and Service Providers – Contact Listing
NOW WHAT? HOW TO USE THE DATA?
CRITICAL VENDORS
• Identify critical vendors.
• Perform a vendor analysis.
- Can they support you during a crisis event?
- What is their business continuity strategy and capability?
SO, WHAT ARE THE NEXT STEPS?
WHAT DO WE DO NOW? HOW DO WE START OR CONTINUE?
• When was your last BIA?
- If over 1 year, you should consider an update.
• Review current RTO/RPO by process.
- Are they correct or close based on current info?
FINAL THOUGHTS
SUMMARY
• Determine type of BIA necessary.
• Preparation is key.
UPCOMING WEBINARS
• 21 Days to a Stronger, Fitter BCM Program, Michael Herrera
- WEDNESDAY JULY 12, 2017 AT 11:00 A.M. PDT
Richard Long, MHA Consulting, Inc.
long@mha-it.com, www.mha-it.com
Office: (888) 689-2290, Mobile: (602) 370-1864