Appendix F: Business Impact Analysis Process
Business Impact Analysis Goals
The purpose of a business impact analysis is to determine what impact a disruptive event would have on a financial institution. As such, a BIA has three primary goals:
- Determine Criticality: Every critical business function must be identified, and the impact of a disruption must be determined. While non-critical business functions and processes may likely warrant a lower priority rating, consideration should be given to the impact of interdependencies between various departments and functions before ultimately determining their criticality and priority.
- Estimate Maximum Downtime: Management should estimate the maximum downtime that the financial institution can tolerate while still maintaining viability. Management should determine the longest period of time that a critical process can be disrupted before recovery becomes impossible. In some instances, the BIA process may provide evidence that a business interruption can be tolerated for a shorter period of time than originally anticipated.
- Evaluate Resource Requirements: Realistic recovery efforts require a thorough evaluation of the resources required to resume critical operations and related interdependencies as quickly as possible. Examples of resources include facilities, personnel, equipment, software, data files, vital records, and third-party relationships.
There are generally four cyclical steps included in the BIA process:
- Gathering information;
- Performing a vulnerability assessment;
- Analyzing the information; and
- Documenting the results and presenting the recommendations.
Gathering Information
The first step of the BIA is to identify which departments and business processes are critical to the recovery of the financial institution. The Business Continuity Planning Committee and/or Coordinator should review organizational charts, observe daily workflow, and interview department managers and employees to identify critical functions and significant interrelationships on an enterprise-wide basis. Information can also be gathered using surveys, questionnaires, and team meetings.
As information is gathered and critical operations are identified, business operations and related interdependencies should be reviewed to establish processing priorities between departments and alternate operating procedures that can be utilized during recovery.
Performing a Vulnerability Assessment
A vulnerability assessment is similar to a risk assessment; however, it focuses solely on providing information that will be used in the business continuity planning process. The goal of the vulnerability assessment is to determine the potential impact of disruptive events on the financial institution's business processes. Financial industry participants should consider the impact of a major disruption since they play a critical role in the financial system. As part of the vulnerability assessment, a loss impact analysis should be conducted that defines loss criteria as either quantitative (financial) or qualitative (operational). For example, quantitative losses may consist of declining revenues, increasing capital expenditures, or personal liability issues. Conversely, qualitative losses may consist of declining market share or loss of public confidence. While performing a vulnerability assessment, critical support areas and related interdependencies, which are defined as a department or process that must be properly functioning to sustain operations, should be identified to determine the overall impact of a disruptive event. In addition, required personnel, resources, and services used to maintain these support areas must also be identified. Critical support areas and interdependencies should include the following, at a minimum:
- IT departments;
- Transportation and delivery services;
- Shared physical facilities, equipment, hardware, and software;
- Third-party vendors; and
- Back-office operations, including accounting, payroll, transaction processing, customer service, and purchasing.
The steps needed to perform a vulnerability assessment include the following:
- List applicable threats that may occur internally and externally;
- Estimate the likelihood that each threat might occur;
- Assess the potential impact of the threat on employees and customers, property, and business operations; and
- Assess the internal and external resources available to deal with the identified threats.
Analyzing the Information
During the analysis phase of the BIA, results of the vulnerability assessment should be analyzed and interpreted to determine the overall impact of various threats on the financial institution. This analysis process should include an estimation of maximum allowable downtime (MAD) that can be tolerated by the financial institution as a result of a disruptive event. MAD estimates that may be used include the following:
- Nonessential: 30 days
- Normal: 7 days
- Important: 72 hours
- Urgent: 24 hours
- Critical: minutes to hours
Each business function and process should be placed in one of these categories so that management can determine applicable solutions to ensure timely recovery of operations. Management should then determine which business functions represent the highest priority for recovery and establish recovery objectives for these critical operations. The Business Continuity Planning Committee or Coordinator should discuss the impact of all possible disruptive events, instead of focusing on specific events that may never occur. For example, a disruptive event could result in equipment failure, destruction of facilities, data corruption, or the unavailability of personnel, supplies, vendors, or service providers. Once the impact of a disruption is determined, management should estimate MADs.
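The appendix stresses twice that interdependencies must be considered before a function's criticality is settled: a support area such as the IT department or a shared facility cannot be allowed a longer outage than the most critical process that relies on it. The following script is an added illustration of that rule and is not part of the FFIEC booklet. It assigns each process one of the MAD tiers listed above, then propagates the tightest MAD backwards through a dependency graph and reports every process whose declared tier had to be tightened. The process names, dependency edges and declared tiers are constructed sample data, and "Critical" is represented as 1 hour because the appendix gives it only as "minutes to hours".

```python
"""Added example (not from the FFIEC booklet): propagating BIA criticality
across interdependencies so that support areas inherit the MAD of the
processes that depend on them."""
from collections import defaultdict

# MAD tiers from the appendix, expressed in hours. The appendix gives
# "Critical" as "minutes to hours"; 1 hour is used here as an assumption.
MAD_HOURS = {
    "Nonessential": 30 * 24,
    "Normal": 7 * 24,
    "Important": 72,
    "Urgent": 24,
    "Critical": 1,
}
HOURS_TO_TIER = {hours: tier for tier, hours in MAD_HOURS.items()}

# Constructed sample inventory: process -> MAD tier reported by its
# department manager during the information-gathering step. Two support
# areas are deliberately understated to show the effect of propagation.
DECLARED_TIERS = {
    "Wire transfers": "Critical",
    "Online banking": "Urgent",
    "Loan origination": "Important",
    "Marketing": "Nonessential",
    "Core banking platform (IT)": "Important",
    "Data center facility": "Normal",
    "Payroll": "Normal",
    "Courier service (third party)": "Normal",
}

# Constructed dependency edges: (dependent process, support area it requires).
DEPENDENCIES = [
    ("Wire transfers", "Core banking platform (IT)"),
    ("Online banking", "Core banking platform (IT)"),
    ("Loan origination", "Core banking platform (IT)"),
    ("Payroll", "Core banking platform (IT)"),
    ("Core banking platform (IT)", "Data center facility"),
    ("Loan origination", "Courier service (third party)"),
    ("Marketing", "Online banking"),
]


def effective_mad(declared, dependencies):
    """Return {process: effective MAD in hours}.

    Each process's effective MAD is the minimum of its own declared MAD and
    the effective MADs of every process that depends on it. Values are
    relaxed until nothing changes; because values only ever decrease this
    also terminates when the dependency graph contains cycles.
    """
    hours = {proc: MAD_HOURS[tier] for proc, tier in declared.items()}
    dependents = defaultdict(list)  # support area -> processes needing it
    for dependent, support in dependencies:
        if dependent not in hours or support not in hours:
            raise KeyError(f"unknown process in edge {dependent!r} -> {support!r}")
        dependents[support].append(dependent)

    changed = True
    while changed:
        changed = False
        for support, needers in dependents.items():
            tightest = min(hours[n] for n in needers)
            if tightest < hours[support]:
                hours[support] = tightest
                changed = True
    return hours


def criticality_report(declared, dependencies):
    """Return [(process, declared tier, effective tier)] for every process
    whose tier was tightened by its dependents, most critical first."""
    eff = effective_mad(declared, dependencies)
    tightened = [
        (proc, declared[proc], HOURS_TO_TIER[eff[proc]])
        for proc in declared
        if eff[proc] < MAD_HOURS[declared[proc]]
    ]
    return sorted(tightened, key=lambda row: MAD_HOURS[row[2]])


if __name__ == "__main__":
    for proc, was, now in criticality_report(DECLARED_TIERS, DEPENDENCIES):
        print(f"{proc}: declared {was}, effective {now}")
```

In the sample data the core banking platform and the data center were declared "Important" and "Normal" but are pulled up to "Critical" because wire transfers depend on them, and the third-party courier moves from "Normal" to "Important" through loan origination. This is the kind of gap the appendix expects the review by knowledgeable employees to catch before recovery priorities are presented to the board.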
After completing the data analysis, the results should be reviewed by knowledgeable employees to ensure that the findings are representative of the true risks and ultimate impact faced by the financial institution. If notable gaps are identified, they should be recognized and incorporated into the overall analysis.
Documenting the Results and Presenting the Recommendations
The final step of the BIA involves documenting all of the processes, procedures, analyses, and results. Once the BIA is complete, a report should be presented to the board and senior management identifying critical departments and processes, significant interdependencies, a summary of the vulnerability assessment, and recommended recovery priorities generated from the analysis.