BCDRP Impact Analysis Survey
Write a Business Impact Analysis to Fight Cybersecurity Vulnerabilities
Create a Business Impact Analysis for your BCDRP
A Business Impact Analysis (BIA), together with the risk assessment it requires, must be completed before you write a Business Continuity and Disaster Recovery Plan (BCDRP).
Large corporations already have created their BCDRP using, among other planning tools, a BIA. Every small- and medium-sized business needs to write a BCDRP and BIA as well. The BIA is one of several critical support documents you must create and fold into the BCDRP.
Again, these are just suggested guidelines. YOU must fill in the blanks for each category in the tables. Each business is unique. Undertake this BIA Survey as it applies to your business, not anyone else’s.
The Fortune 500 companies can afford first-rate BIAs and BCDRPs and hire professionals to write them, so they all have sophisticated plans. I have helped write them. To help those without those large corporate resources, I offer the business process and planning tools below so you can write your own.
Why Create a BIA for the BCDRP
For the same reason you have a health plan, a car insurance plan, or a homeowner's policy: to prepare for, respond to, and successfully overcome a disaster, especially a cyberattack. Man-made and natural disasters happen daily. If you experience a major one, having a BIA and BCDRP may make the difference between your business surviving and going out of business.
As importantly, having one may mean the difference between who lives and who dies. Think of it as life insurance YOU write that helps ensure that you, your loved ones, your employees, and your business go on.
What follows are some of the major parts of any BIA. It is only a guide. Every BIA must be custom written, tailored, and tested against your unique needs and circumstances. Use this plan for ideas on how to create yours, and make sure the plan you create reflects your needs.
NOTE: In the original document, I have beautiful tables that list categories along with their supporting information. Unfortunately, these tables will not copy into this Substack, so you will have to create your own tables. Use the headings listed for each table as your column headings and the categories listed beneath them as your rows, and you should be good.
Table of Contents
Business Impact Analysis Phase
Business Continuity Assessment
Business Continuity Criticality Classifications
Business Continuity Assessment Categories
Adverse Public Image (Reputation)
Legal, Regulatory, Contractual
Regulatory Fines and Penalties
Business Impact Analysis Requirements
Risk Assessment Requirements
Business Continuity Assessment Categories
Business Impact Analysis Requirements
Business Continuity Criticality Classifications
Business Impact Analysis and Risk Assessment Survey
Table of Tables
Table 1: Contact List
Table 2: Criticality Classification/Business Impact Targets and Requirements
Table 3: Process/Application MAD, RPO and RTOs
Table 4: Financial, Operational, and Dependencies and Integration Impacts
Table 5: Business Impact and Risk Survey
Table 1: Contact List
Columns: Name | Title | Phone
Business Impact Analysis Phase
This report meets the Business Impact Analysis (BIA) and risk assessment requirements of the Business Impact Analysis phase of the BCDRP. Where appropriate, this document uses industry best practices and government regulations, such as the following:
1. NIST – National Institute of Standards and Technology
2. ISO – International Organization for Standardization
3. DRI – Disaster Recovery Institute
4. NIMS – National Incident Management System
5. Various risk organization guidelines
Company Policy References
1. Code of Conduct
2. Business Disruption Risk Policy
3. Group Business Continuity Guidelines
4. Information Security Standards – Information Security Aspects of Business Continuity Management
Business Continuity Phases
Business continuity management is divided into three phases.
Assessment Phase
Business Impact Analysis Phase
Business Continuity Assessment Phase
These three phases and their supporting requirements are addressed below.
Assessment Phase
Identification of the processes and supporting resources critical to business operations, and assessment of the risks that could interrupt those processes. This includes identifying and prioritizing your critical business processes and applications, and defining preliminary business requirements and objectives for process and function continuity.
Business Impact Analysis
The BIA identifies threats, vulnerabilities, and risks, along with the remediation that can lessen the impact or likelihood of an event such as a cyberattack (this is the Risk Assessment).
Business Continuity Assessment
The Assessment Phase is a recognized subset of Business Continuity Management. It is the method of identifying those business processes most critical to the business and understanding the most likely impacts to those business processes.
The goal of the Assessment Phase is to ensure that you apply the correct level of impact analysis, since not all impacts can be totally eliminated or controlled.
Understanding the critical business processes and their associated threats, vulnerabilities, and risks will help protect against unanticipated losses that could significantly affect personnel, property, revenues, and the ability to fulfill responsibilities to customers, employees, and the public.
The Assessment Phase consists of two elements: Business Impact Analysis, and Risk Assessment.
A Business Impact Analysis is the determination of the financial and operational impacts that may result from a disruption to a business process.
Business Continuity Risk Assessments are performed, and the resulting information is stored both at headquarters and at the Enterprise Modernization Center.
Business Continuity Criticality Classifications
To understand the relative importance of business processes and to qualify their criticality to your business, Business Continuity Criticality Classifications have been established.
Classification groups business processes and their supporting components by their criticality to continued operations, using the information collected in the BIA process. It gives you what you need to determine the criticality of your business processes and components.
The criticality classifications used to conduct BIAs and to classify business processes and components are found in the Business Continuity Management Program and in Table 2.
Table 2: Criticality Classification/Business Impact Targets and Requirements
Columns: Criticality Classification | Business Impact / Target MAD* or RTO* | Test Minimum Requirements

Highly Critical – Level 1 (ORM equivalent: Very High Risk)
Business Impact: Crucial to the survival of the business. Loss would be immediate and severely damaging. No alternatives available; normal business transactions would be impossible. Failure would result in one or more of the following: severe and immediate financial loss; extensive customer loss; extensive and immediate corporate reputation impact.
Target: Resume operation within 4 hours of an event/disaster.
Test Minimum Requirements: Business processes once every 12 months; applications once every 24 months.

Critical – Level 2 (ORM equivalent: High Risk)
Business Impact: Vital to the survival of the business. Loss would be extremely damaging. No efficient alternatives available; normal daily business transactions would be impossible. Failure would result in one or more of the following: significant financial loss; significant customer loss; significant corporate reputation impact.
Target: Resume operation within 36 hours (1 ½ days) of an event/disaster.
Test Minimum Requirements: Business processes once every 12 months; applications once every 24 months.

Priority – Level 3 (ORM equivalent: Medium Risk)
Business Impact: Essential to the survival of the business. Loss would be damaging. Some alternatives available; normal daily business transactions would be hampered. Failure would result in one or more of the following: potential significant financial loss; customer complaints and potential loss; corporate reputation impact.
Target: Resume operation within 72 hours (3 days) of an event/disaster.
Test Minimum Requirements: Business processes as appropriate or every 3 years; applications as appropriate or every 3 years.

Required – Level 4 (ORM equivalent: Low Risk)
Business Impact: Important to the business. Loss would be moderately damaging. Several alternatives are available; normal daily business transactions would be inconvenienced. Failure would result in one or more of the following: potential financial loss; potential customer complaints and dissatisfaction; potential corporate reputation impact.
Target: Resume operation within 10 days of an event/disaster.
Test Minimum Requirements: Business processes as appropriate or every 4 years; applications as appropriate or every 4 years.

* Target Maximum Allowable Downtime (MAD)
* Target Recovery Time Objective (RTO)
Business Continuity Assessment Categories
To ensure consistency across the Company, the following Assessment Categories are required for use in measuring the effect of a business process being disabled for a period of time.
Financial Impacts
The Financial Impacts qualify the level of financial impact over time, considering the following factors.
Money Management
You will find the complete scoring guide attached to the end of this document. For now, we will simply identify the categories included in Money Management.
Lost Clients – New or Current
Loss of Key Distribution or Sales Channels (e.g. Banks, Wire Houses)
Money Management – Money coming in or going out (includes Accounts Payable, etc.)
Gain/Loss – Investment Opportunities
Expense Management
You will find the complete scoring guide attached to the end of this document. For now, we will simply identify the categories included in Expense Management (productivity and efficiency loss).
Transactional Processing – Paper and Electronic
Payroll cost for idle employees
Operational Impacts
The Operational Impacts assess the operational (ability to perform) effects of a process disruption on service quality. You will find the complete scoring guide attached to the end of this document. For now, we will simply identify the categories included in service quality, such as taking care of existing customers or commitments.
Adverse Public Image (Reputation)
You will find the complete scoring guide attached to the end of this document. For now, we will simply identify the categories included in Adverse Public Image: Impact on Reputation.
Dependencies/Integration
You will find the complete scoring guide attached to the end of this document.
NOTE: Any component or process identified as a dependency inherits the criticality of the most critical process that depends on it, directly or through a chain of other dependencies. A supporting application can therefore never be rated less critical than the processes it serves. This matters for the recovery sequence: dependencies must be restored first to provide the workflow the dependent processes need. For now, we will simply identify the categories included in Dependencies/Integration: the effect of a process on other downstream processes.
Business Impact Analysis
The Business Impact Analysis (BIA) is the first step of the Assessment Phase and sets the foundation of all Business Continuity Management Planning. It specifies the linkages and dependencies between business processes and supporting infrastructure and identifies the financial and operational impacts that may result from a disruption.
The purpose of a BIA is to:
1. Identify and prioritize business processes based on qualitative and quantitative impacts to the business
2. Determine which processes require further analysis to ascertain their risk exposure based upon a formal risk assessment
3. Determine the Maximum Allowable Downtime (MAD), which is the timeframe within which a business process must resume some level of service in order to prevent unacceptable financial or operational loss to the organization
4. Determine the Recovery Point Objective (RPO), which addresses the currency of the data after supporting business systems are recovered (i.e., the tolerance for lost data)
5. Analyze the relationship between the MAD and the Recovery Time Objective (RTO), which is the likely recovery timeframe of the supporting applications as identified by the organization's IT group. The RTO must be no greater than the MAD of every process the application supports; where IT's achievable RTO exceeds that MAD, the process is exposed and either the recovery capability or the process must change.
Table 3: Process/Application MAD, RPO and RTOs
Process/Application | MAD | RPO | RTO
Business Process A | 24 hours | 4 hours | N/A
Application A | N/A | 0 | 4 hours
Business Process B | 24 hours | 4 hours | N/A
Application B | N/A | 0 | 4 hours
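As an added worked example (not part of the original article), the Python script below applies two rules stated above: the Dependencies/Integration note that a dependency inherits the criticality of the most critical process relying on it, and the requirement that an application's RTO fit within the MAD of the processes it supports. The MAD targets per level are taken from Table 2; the process and application names, the dependency links, and the RTO figures in build_sample() are constructed sample data, not figures from this document.

```python
"""Propagate BIA criticality through a dependency graph and check RTO against MAD.

Added worked example for this article, not code from the original document.
MAD targets per level follow Table 2 (4 h, 36 h, 72 h, 10 days). The processes,
applications and RTO figures in build_sample() are constructed sample data.
"""
import heapq
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Target Maximum Allowable Downtime per criticality level, in hours (Table 2).
LEVEL_MAD_HOURS = {1: 4, 2: 36, 3: 72, 4: 10 * 24}


@dataclass
class Node:
    """A business process (carries a level) or a supporting component (carries an RTO)."""
    name: str
    level: Optional[int] = None        # criticality class assigned in the BIA
    rto_hours: Optional[float] = None  # recovery time IT says it can achieve
    depends_on: List[str] = field(default_factory=list)


def inherit_criticality(nodes: Dict[str, Node]) -> Dict[str, int]:
    """Effective level of every node: a dependency inherits the level of the most
    critical process that relies on it, directly or through other components."""
    for n in nodes.values():
        for d in n.depends_on:
            if d not in nodes:
                raise KeyError(f"{n.name} depends on undefined node {d!r}")
    effective: Dict[str, Optional[int]] = {name: n.level for name, n in nodes.items()}
    for proc in nodes.values():
        if proc.level is None:
            continue
        queue, seen = deque(proc.depends_on), set()
        while queue:  # walk everything this process relies on and tighten its level
            name = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            current = effective[name]
            if current is None or proc.level < current:
                effective[name] = proc.level
            queue.extend(nodes[name].depends_on)
    # A component that no classified process relies on falls into the lowest class.
    return {name: (4 if lvl is None else lvl) for name, lvl in effective.items()}


def rto_gaps(nodes: Dict[str, Node], effective: Dict[str, int]) -> Dict[str, Tuple[float, int]]:
    """Components whose achievable RTO exceeds the MAD their inherited level allows.
    Each entry {name: (rto_hours, mad_hours)} is an exposure the BIA must surface."""
    gaps = {}
    for name, n in nodes.items():
        if n.rto_hours is not None:
            mad = LEVEL_MAD_HOURS[effective[name]]
            if n.rto_hours > mad:
                gaps[name] = (n.rto_hours, mad)
    return gaps


def recovery_order(nodes: Dict[str, Node], effective: Dict[str, int]) -> List[str]:
    """Restore dependencies before dependents, most critical first among ready items
    (Kahn's algorithm with a heap keyed on (level, name)). Raises on a cycle."""
    indegree = {name: len(n.depends_on) for name, n in nodes.items()}
    dependents = defaultdict(list)
    for n in nodes.values():
        for d in n.depends_on:
            dependents[d].append(n.name)
    ready = [(effective[name], name) for name, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dep in dependents[name]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                heapq.heappush(ready, (effective[dep], dep))
    if len(order) != len(nodes):
        raise ValueError("dependency cycle involving: " + ", ".join(sorted(set(nodes) - set(order))))
    return order


def build_sample() -> Dict[str, Node]:
    """Constructed sample (hypothetical names): two processes share one database."""
    items = [
        Node("Order Entry", level=1, depends_on=["Order App", "Customer DB"]),
        Node("Monthly Reporting", level=4, depends_on=["Reporting App", "Customer DB"]),
        Node("Order App", rto_hours=2, depends_on=["Customer DB", "Auth Service"]),
        Node("Reporting App", rto_hours=48, depends_on=["Customer DB"]),
        Node("Customer DB", rto_hours=8, depends_on=["Storage Array"]),
        Node("Auth Service", rto_hours=1),
        Node("Storage Array", rto_hours=12),
    ]
    return {n.name: n for n in items}


if __name__ == "__main__":
    sample = build_sample()
    levels = inherit_criticality(sample)
    for name, (rto, mad) in sorted(rto_gaps(sample, levels).items()):
        print(f"GAP {name}: RTO {rto} h exceeds MAD {mad} h for Level {levels[name]}")
    print("Recovery sequence:", " -> ".join(recovery_order(sample, levels)))
```

In the constructed sample, the shared Customer DB and the Storage Array beneath it are pulled up to Level 1 by Order Entry even though Monthly Reporting is only Level 4, and both show up as gaps because IT's stated 8-hour and 12-hour RTOs exceed the 4-hour MAD of the Level 1 process. The recovery sequence puts the storage and authentication layers first, then the database, then the applications and processes that depend on them, which is the ordering the note on dependencies calls for.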
Legal, Regulatory, Contractual
You will find the complete scoring guide attached to the end of this document. For now, we will simply identify the categories included in Legal Regulatory, Contractual.
External Party Contracts and Service Level Agreements – Agreements have verbiage that establishes financial obligations for non-compliance
Regulatory Fines and Penalties
Potential Lawsuits - Includes preparatory work, legal holds, external counsel, etc.
The output of the BIA is a priority listing of critical business processes, their MAD, RPO, and RTO. The BIA also includes the supporting infrastructure and resource components (applications, headquarters, Enterprise Modernization Center, etc.) for each business process.
Business Impact Analysis Requirements
A BIA must be conducted to assess the impact associated with the loss of the business processes and the components supporting that process. The BIA must be conducted annually and approved by the owner. A standard BIA process or methodology must be followed. Documentation of the Business Unit’s business critical products and services at a high level is re-evaluated and updated yearly.
A BIA must cover:
1. Identification of the business process functions performed
2. Resources needed to perform the functions
3. Critical knowledge and skills required to perform the work
4. Chronological potential effect(s) of a breakdown of activities
5. Definitions of the expected overall RTO and MAD per product and service, updated yearly
6. Impacts to the business process, analyzed and measured using the required assessment categories: Financial, Operational, and Dependencies/Integration
7. All components and dependencies of the process, including infrastructure
8. A Criticality Classification assigned to each business process
9. The business process's Maximum Allowable Downtime (MAD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO)
BIA updates are carried out:
Following significant continuity-related risk events, including near misses
Prior to the introduction of, changes to, or phasing out of products, processes, or systems, or in the event of organizational changes
Following any material change to the business
Tools, Guides, and Reference Materials
Information Risk Management Program Document
Risk Assessment
A Risk Assessment is the second step of the Assessment Phase and should begin only after the completion of a BIA. The purpose of a Risk Assessment is three-fold:
To systematically identify risks that can impact a business function
To determine the risk exposure of a business function
To prioritize the process risks in order to determine a level of risk acceptance
Risk Assessment Requirements
1. An operational risk (OR) methodology, or any other methodology consistent with it, should be used to maintain a holistic management process.
2. Analysis of the continuity risk, and of the measures in place to meet the overall high-level RTO requirements, is carried out yearly.
3. Significant Business Disruption Risks must be reported to BU Operational Risk Management for review and consideration for inclusion in their Risk Dashboard.
4. Control measures must be in place to mitigate the business disruption risk related to joint ventures or outsourcing arrangements.
5. Any (temporarily) accepted risk that has a critical impact on business activities must be signed off by the Unit's Chief Risk Officer (CRO).
Tools, Guides, and Reference Materials
Information Risk Management Program Document
Business Continuity Assessment Categories
Complete all three sections of the Financial, Operational, and Dependencies/Integration Impacts Table below. Use the following three assessment categories so we can measure the financial, operational and dependencies/integration impacts of an interruption in our business operations.
Financial Impacts: Provide dollar amounts to quantify the level of financial harm of a service interruption in the financial section of the table below.
Operational Impacts: Record the potential operational (ability to perform) harm of a process disruption to service quality in the operational impacts section of the table below.
Dependencies/Integration: Identify any dependencies or integrations that impact our critical business processes, applications, and operations with a service interruption in the dependencies/integration section of the table below. Include any downstream impacts.
Table 4: Financial, Operational, and Dependencies and Integration Impacts
Columns: Business Processes | Financial Impact | Operational Impact | Dependencies/Integration Impact
Rows (one per item): Business Processes; Applications; Operations; Hardware; 3rd Party Dependencies
Business Impact Analysis Requirements
Our BIA requirements include:
Identification of the business process functions performed
Resources needed to perform those business functions
Critical knowledge base and skills required to perform the work
It establishes the chronological potential effect(s) of a breakdown of daily work activities. Impacts to the business process must be analyzed and measured using the required assessment categories: financial, operational, and dependencies/integration impacts.
All components and dependencies of the process, including infrastructure, must be included as you complete this survey. A Criticality Classification must be assigned to each of your business processes. In the corresponding columns, determine and record each business process's:
Maximum Allowable Downtime (MAD)
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
Definitions of the expected overall RTO and MAD per product and service must be updated yearly.
Business Continuity Criticality Classifications
To understand the relative importance of business processes and to qualify their criticality for the BIA, we have established Business Continuity Criticality Classifications.
These classifications provide the information necessary to determine the criticality of our business processes and components if there is a major event (cybersecurity attack, hurricane, power outage, tornado, terrorist attack, and so forth).
Think of hardware, software, operations, and 3rd party dependencies that would impact your ability to do your daily work tasks. Areas to consider including in your criticality assessment include:
Cyber threats
Servers and other hardware
Grid engines
Data systems
Licenses
Production teams (people and processes)
Production support technology (technology team)
Any other programs, products, or applications you work on
Business Impact Analysis and Risk Assessment Survey
Complete the Business Impact Analysis and Risk Assessment Requirements Survey Table at the end of this document for all the daily work tasks that would be negatively impacted by a service interruption.
To classify business processes and components for the BIA, complete the criticality classifications in the Business Impact Analysis and Risk Assessment Requirements Survey Table below (Table 5), filling in its columns using the following guidelines.
1. Identify the critical continuity business applications, components, or processes for your group.
2. Using the definitions below, rate each application, component, or process from 1 to 4 according to how critical the loss of that area would be to getting your work completed each day.
Highly Critical, Level 1 (crucial to the survival of the business unit): RTO, resume in 4 hours; MAD, resume in 4 hours; test business processes every 12 months and applications every 24 months.
Critical, Level 2 (vital to the survival of the business unit): RTO, resume in 36 hours; MAD, resume in 36 hours; test business processes every 12 months and applications every 24 months.
Priority, Level 3 (essential to the survival of the business unit): RTO, resume in 72 hours; MAD, resume in 72 hours; test business processes and applications every 3 years.
Required, Level 4 (important to the business unit): RTO, resume in 10 days; MAD, resume in 10 days; test business processes and applications every 4 years.
3. Quantify that loss using the Target Maximum Allowable Downtime (MAD), Recovery Point Objective (RPO), and Target Recovery Time Objective (RTO) methodology. The RTO you record must not exceed the MAD; the targets above set the two equal, which leaves no margin, so record a shorter RTO wherever IT can commit to one.
4. In the Recovery Point Objective (RPO) column, identify the currency of the data after supporting business systems are recovered (for example, the tolerance for lost data).
5. In the Test Minimum Requirements column, check Yes or No to indicate whether you test this business application, component, or process at the minimum frequency for its level (listed above).
6. Use Comments to further explain the reason for your ratings.
Table 5: Business Impact and Risk Survey
Columns: Business Application / Criticality Classification | Target RTO | Target MAD | Target RPO* | Test Minimum Requirements / Comments
Fun Tip: I congratulate you for caring enough about the survival and prosperity of your business that you made it this far in this Substack. Now make the effort to create a BIA and a BCDRP. I raise a toast to your business acumen as you prepare to tame the cyber beasts. Often, you cannot prevent a cyberattack. But you can always prepare your business to survive and prosper after one. Godspeed!
Again, purchase EMP-hardened, waterproof thumb drives for yourself and your employees so you can quickly back up your critical data.
Take a break from social media and enjoy Eamon playing Ashokan Farewell at Frey's Brewing Company in Mount Airy, MD.