Business Impact Analysis
A business impact analysis (BIA) is the first step in the business continuity planning process and should include the:
- Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis;
- Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes;
- Identification of the legal and regulatory requirements for the institution's business functions and processes;
- Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and
- Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.
The institution's first step in the business continuity process is the development of a BIA. Refer to Appendix F: "Business Impact Analysis Process" for additional information. The amount of time and resources needed to complete the BIA will depend on the size and complexity of the financial institution. The BIA should include a work flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered. The work flow analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services. The identification of these interdependencies, as part of the BIA, should assist management in determining the priority of business functions and processes and the overall effect on recovery timelines.
Once business functions and processes have been assessed and prioritized, the BIA should identify the potential impact of uncontrolled, non-specific events on these business functions and processes. Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations. At the same time, management should never ignore potential risks that are evident in the institution's particular area. For example, financial institutions may be located in flood-prone areas, near fault lines, or by areas subject to tornados or hurricanes.
In addition to identifying the impact of non-specific events on business functions and processes, the BIA should also consider the impact of legal and regulatory requirements. For example, management should assess the impact of compromised customer data, which can result in regulatory concerns and a loss of public confidence. Refer to the "Information Security Booklet" included in the Federal Financial Institutions Examination Council IT Examination Handbook for additional information. By identifying the potential impact of this issue, management may have a better idea of the business functions and processes that could potentially be affected. Management should consider the regulatory requirement regarding notification to the institution's primary federal regulator when facilities are relocated. Refer to the "Policy Statement of the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision Concerning Branch Closing Notices and Policies," Volume 64 Federal Register, page 34844 (June 29, 1999); "Establishment and Relocation of Domestic Branches and Offices," Board of Governors of the Federal Reserve System, 12 CFR Part 208.6; Federal Deposit Insurance Corporation, 12 CFR Part 303.44; Office of the Comptroller of the Currency, 12 CFR Part 5.30; and Office of Thrift Supervision, 12 CFR Part 545.95.
The BIA should also estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime. As part of this analysis, management should decide how long its systems can operate before the loss becomes too great and how much data the financial institution can afford to lose and still survive. The results of this step will assist institution management in establishing RTOs, RPOs, and recovery of the critical path, which represents those business processes or systems that must receive the highest priority during recovery. These recovery objectives should be considered simultaneously to determine more accurately the total downtime a financial institution could suffer due to a disaster. In addition, these recovery objectives require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered and what processing sequence should be followed so that activities that fall directly on the critical path receive the highest priority. One of the advantages of analyzing allowable downtime and recovery objectives is the potential support it may provide for the funding needs of a specific recovery solution based on the losses identified and the importance of certain business functions and processes.
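The interplay between interdependencies, RTOs, and the critical path described above is easier to see in a small model. The following Python example is added here and is not part of the booklet; the institution, the process names, the RTO and RPO hours, and the dependencies are all constructed. It takes a BIA inventory in which each business unit has stated its own RTO, propagates the tightest objective down through the work-flow dependencies (a wire-transfer RTO of two hours is meaningless if core banking is only restored in four), reports the shortfalls that surface, and derives a processing sequence in which no process is recovered before something it depends on and the tightest effective RTO goes first.

```python
"""Added example (not from the FFIEC booklet): a small dependency model that
turns work-flow interdependencies and stated RTOs into a recovery sequence.
Process names, RTO/RPO hours and dependencies are constructed for a
hypothetical institution."""
import heapq
from collections import defaultdict
from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    rto_hours: float          # recovery time objective stated by the business unit
    rpo_hours: float          # recovery point objective (tolerable data loss, in hours)
    depends_on: tuple = ()    # internal systems/processes this one cannot run without


# Constructed inventory from a hypothetical BIA interview round.
INVENTORY = {
    "network":         BusinessProcess("network", 2, 0),
    "mainframe":       BusinessProcess("mainframe", 4, 1, ("network",)),
    "internet_access": BusinessProcess("internet_access", 12, 0, ("network",)),
    "core_banking":    BusinessProcess("core_banking", 4, 1, ("mainframe",)),
    "wire_transfers":  BusinessProcess("wire_transfers", 2, 0.25, ("core_banking",)),
    "online_banking":  BusinessProcess("online_banking", 8, 1, ("core_banking", "internet_access")),
}


def _graph(inventory):
    """Map each process to its predecessors; an unknown dependency is a gap in the work flow analysis."""
    for name, proc in inventory.items():
        for dep in proc.depends_on:
            if dep not in inventory:
                raise ValueError(f"{name} depends on {dep!r}, which is not in the inventory")
    return {name: set(proc.depends_on) for name, proc in inventory.items()}


def effective_rto(inventory):
    """Tightest RTO each process must actually meet: its own, or that of anything downstream.

    Processed dependents-first, so a tight objective propagates all the way down to the
    shared infrastructure it rests on. Raises graphlib.CycleError on circular dependencies.
    """
    dependents = defaultdict(list)
    for name, proc in inventory.items():
        for dep in proc.depends_on:
            dependents[dep].append(name)
    eff = {}
    for name in reversed(list(TopologicalSorter(_graph(inventory)).static_order())):
        eff[name] = min([inventory[name].rto_hours] + [eff[d] for d in dependents[name]])
    return eff


def rto_shortfalls(inventory):
    """Processes whose stated RTO is looser than their dependents require: {name: (stated, required)}."""
    eff = effective_rto(inventory)
    return {n: (p.rto_hours, eff[n]) for n, p in inventory.items() if p.rto_hours > eff[n]}


def recovery_order(inventory):
    """Processing sequence: never ahead of a dependency; among ready processes, tightest effective RTO first."""
    eff = effective_rto(inventory)
    ts = TopologicalSorter(_graph(inventory))
    ts.prepare()
    ready = [(eff[n], n) for n in ts.get_ready()]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        ts.done(name)  # releases processes whose dependencies are now all recovered
        for newly_ready in ts.get_ready():
            heapq.heappush(ready, (eff[newly_ready], newly_ready))
    return order


def critical_path(inventory):
    """Processes carrying the tightest effective RTO in the institution: these recover first."""
    eff = effective_rto(inventory)
    tightest = min(eff.values())
    return [n for n in recovery_order(inventory) if eff[n] == tightest]


if __name__ == "__main__":
    eff = effective_rto(INVENTORY)
    for name in recovery_order(INVENTORY):
        p = INVENTORY[name]
        print(f"{name:16} stated RTO {p.rto_hours:>4}h  required {eff[name]:>4}h  RPO {p.rpo_hours}h")
    print("critical path:", critical_path(INVENTORY))
    print("RTO shortfalls:", rto_shortfalls(INVENTORY))
```

Run stand-alone, the report shows that the four-hour mainframe and core-banking objectives collected in interviews are really two-hour objectives once wire transfers are taken into account, and that the twelve-hour objective stated for Internet access cannot be reconciled with an eight-hour online-banking objective; those are exactly the conflicts the booklet expects the BIA to surface before recovery solutions are funded. A circular dependency or a dependency missing from the inventory raises an error rather than silently producing a sequence.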
Personnel responsible for the BIA should consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase compare and evaluate business process requirements. This phase may initially prioritize business processes based on their importance to the institution's achievement of strategic goals and the maintenance of safe and sound practices. However, this prioritization should be revisited once the business processes are modeled against various threat scenarios so that a comprehensive BCP can be developed.
When determining a financial institution's critical needs, all functions, processes, and personnel should be analyzed. In documenting the mission critical functions performed, each department should consider the following questions:
- What critical interdependencies exist between internal systems, applications, business processes, and departments?
- What specialized equipment is required and how is it used?
- How would the department function if the mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?
- What are the required responsibilities of the institution and the third-party service provider as defined by the service level agreement?
- What critical operational or security controls require implementation prior to recovery?
- What is the minimum number of staff and amount of space that would be required at a recovery site?
- What special forms or supplies would be needed at a recovery site?
- What equipment would be needed at a recovery site to communicate with employees, vendors, and customers?
- What is the potential impact if common recovery sites serve multiple financial institutions?
- Have employees received cross training, and has the department defined back-up functions/roles that employees should perform if key personnel are not available?
- Are the personal needs of employees adequately considered?
- What are the critical cash management/liquidity issues?
Once the BIA is complete, it should be evaluated during the risk assessment process and incorporated into, and tested as part of, the BCP. The BIA should be reviewed by the board and senior management periodically and updated to reflect significant changes in business operations, audit recommendations, and lessons learned during the testing process. In addition, a copy of the BIA should be maintained at an offsite location so it is easily accessible when needed.
Business Continuity Planning Process