Download Article

It is no secret that a Business Continuity Plan is an important document to have in your arsenal, especially when responding to events, such as natural disasters or cyber attacks, that may interrupt or halt business operations. Since a Business Continuity Plan (BCP) is so important, more value is placed on the successful creation of your own plan, which means that you will want to make sure you’re building a well-rounded and valuable BCP.
 

One of the messages you’ll hear over and over again from SBS is that your information security processes should always start with a risk assessment. Unsurprisingly then, your Business Continuity Planning process should begin with a Business Impact Analysis (BIA). The purpose of the BIA is to help you prioritize your business processes and tell you where to start when beginning your response. When creating a BIA, there are going to be three (3) main components that you should address to get the best results, including 1) Impacts, 2) Timeframes, and 3) Dependencies. This article will cover each of these BIA components, along with a little information on your business processes themselves.

Where to Start

As with many of the processes within your Information Security Program, your Business Impact Analysis should be based on your size and complexity; the larger and more complex the institution is, the more detailed the list of business processes you should be reviewing in your BIA. For example, where a smaller institution may address the “Administrative” function as one business process, a larger, more complex institution may cover the same items by breaking the function out in more detail. For example, a larger institution might break out a smaller institution’s “Administrative” process out into several processes, such as “Accounts Payable,” “Human Resources,” and “Payroll.” While both methods work, you will want to make sure that you are choosing the correct route for your institution, neither oversimplifying the process nor overcomplicating it. Examples of standard business processes include the following:

• Administrative
• Investment
• Trust
• Back-Office
• Customer Service
• Information Technology
• Accounting
• Lending
• Marketing
• Compliance
• Retail

Prioritizing Your Processes

Now that you have your business processes established, it’s time to discuss the information you want to enter or review to determine the priority of each process. Let’s begin with Impacts. If you take a quick look at what is expected from the FFIEC, you will need to identify potential Impacts from “uncontrolled, non-specific events on the institution's business functions and processes.” The Impacts that we cover at SBS include Customer, Financial, Legal / Regulatory, and Required Recovery Resources. To properly assess your Impacts, you will not only want to set a ranking system for each Impact (Examples: low to high or 1 to 5), but you will also want to specifically define what each of those rankings mean, which will help others reviewing the BIA reach a similar conclusion when reviewing other business processes. Consistency is going to be extremely important, not only when reviewing Impacts, but also when reviewing Timeframes and Dependencies. 
 

The next BIA component to discuss is your Timeframes for recovery. In the same way you have established your Impacts for each of identified process, you will need to establish your Timeframes for recovery. The three (3) Timeframes that every BIA should identify include:

• Recovery Point Objective (RPO) - The maximum tolerable period in which data might be lost due to a major incident. RPO is typically identified by the timeframe between data backup increments. RPO can be measured in minutes, hours, or days.
• Recovery Time Objective (RTO) – The amount of time in which business processes can be feasibly restored in the event of a disruption. RTO is typically defined by the length of time it would take you to restore a system or process from backup. RTO can be measured in minutes, hours, or days.
• Maximum Allowable Downtime (MAD) – The absolute maximum time in which a business process can be unavailable without significant ramifications to the institution. MAD should also include the time it would take to restore a business process to full operation once the backup has been restored, including the time it would take to recreate any lost data and test the restored data for integrity. MAD can be measured in minutes, hours, days, or weeks.
   

Each of these Timeframes should also have an impact on your identified process’ priority. For example, the shorter your RPO for a process, the higher the impact will be to your institution. Your RTO and MAD might be addressed by comparing the difference between them. For example, if you have an RTO of 24 hours and a MAD of 48 hours, this leaves you with 24 hours of separation, providing you some, but not a lot, of room for error to fully restore a business process. If your business process were to have a similar RTO of 24 hours but with a MAD of 24 hours, you would have no room for error, resulting in a more impactful ranking. Business processes with shorter recovery timeframes and less room for error should rank higher in your recovery priority.
 

The last item to discuss, but certainly not least, is your Dependencies. Dependencies are the items that your business processes require to restore the process to full operational capacity, including vendors, IT systems, and other business processes. Dependencies will allow you to identify the necessary IT Assets that you need to restore in order to get a business process functioning (Examples: Core Banking System, Workstation, Firewall, etc.), along with the vendors you will need to restore that process (Examples: Core Banking Provider, IT Vendor, Internet Service Provider, etc.). You also want to consider other business process dependencies; for instance, if one business process relies upon another business process being operational to function, you should be taking this dependency into account during your prioritization. Overall, the number of Dependencies each business process has will also impact your rankings. A business process that has more business processes relying on it to be functional (dependencies) will rank higher in the priority listing for recovery. 
 

Your Results

In an ideal BIA, you will follow a consistent risk management methodology, such as the methodology listed above, in order to get consistent results across your organization. Consistency is the key to a risk assessment that will help you to make decisions. Utilizing this methodology, business processes that have higher Impacts, shorter recovery Timeframes, and more Dependencies will bubble to the top of your recovery priority listing. You can use this business process prioritization (your BIA) to build out specific recovery procedures in your Business Continuity Plan and improve your BCP testing processes. An overview of your BIA (as shown below) will not only highlight the priorities of your business processes, but the values that were used in determining that ranking. A similar but more detailed version of the BIA may be reserved for inclusion within your BCP, listing out the dependencies in detail rather than showing the number of dependencies assigned to each process. 

Written by: Cole Ponto

Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

• A good Business Impact Analysis is critical to developing a Business Continuity Plan that is valuable, comprehensive, and will actually be useful for your institution. SBS’ online risk management software – TRAC – contains a BCP module that includes Business Impact Analysis, BCP plan generation, and tabletop testing scenarios and documentation. If you’re looking to build out a BIA and BCP that help you prioritize the recovery of business processes, you can learn more here.
• A key piece to any Information Security Program is a high-quality Business Continuity Plan (BCP). Let SBS help create and test a comprehensive BCP to better prepare your organization for a disaster. Learn more.
• {Blog} Three Considerations for Upgrading Your Business Continuity Plan: Often, updating our Business Continuity Plan can appear more daunting than beneficial. Here are 3 quick and easy wins that can take any BCP to the next level.

Related Certifications

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
   

Sources

• https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/business-impact-analysis.aspx