Business Impact Analysis

S.V. Sunder Krishnan

29th November 2007

A Reliance Capital
Disaster
 Disaster is an event, often unexpected, that seriously disrupts your usual operations or
processes and can have long term impact on your normal way of life or that of your
organization
 Here is a sample list disasters:
Loss of Utility and Services Equipment Service Failure
Environmental
Building Collapse Internal Power Failure
Fire
Communication Breakdown AC Failure
Earthquake
Electric Short Circuits Equipment Failure
Heavy Rains
Electricity / UPS Failure IT System Failure
Flooding
Transportation Strike Server Hang
Lightning Surge Telecommunications Vendors Power Surge
Severe Weather Organized Deliberate Info Security Incident Virus
Epidemics Terrorism Attack
Tsunami War Cyber Crime
Hurricane Riots Hacking
Others Sabotage Dos attack
Legal Problem Labor Disputes SPOF breakdown
Vendor Breakdown Data Center Theft System Corruption

2 of 48 A Reliance Capital
3 of 48 A Reliance Capital
 The Fatal Impact!

Disasters could cause an organisation to suffer:

• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including
intellectual properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

4 of 48 A Reliance Capital
WHAT IS - BUSINESS CONTINUITY PLANNING?

 BCP is about identifying and, where appropriate, reducing your internal and
external business risks & exposures and implementing an affective business
recovery strategy

 BCP ensures that you can provide an acceptable level of service to your clients /
customers and other business ‘stakeholders’ regardless of any events or
incidents that occur

 BCP should be an integral part of your business risk management strategy BCP
addresses the whole business continuity management process from risk &
business impact analysis through strategy & plan development to
implementation, testing and ongoing change control

5 of 48 A Reliance Capital
Why Have a Business Continuity Plan?
Recovery or Failure
Fully Tested
A Effective
INCIDENT Plan

B
Level of
No Plan –
Managed
Business Short-term Lucky
Interruption Escape

C No Plan –
Possible
Outcome

Critical Time
Recovery
Point
 Ensure that you can provide an acceptable level of service to your clients, customers
and other business partners regardless of any events or incidents that occur

 BCP is not a ‘box ticking’ exercise to satisfy the regulators it is about ensuring
continuity of your business

 Effective BCP is in the interest of all staff at all levels. This requires you to take
ownership of BCP for your business unit

6 of 48 A Reliance Capital
WHAT IS - BUSINESS CONTINUITY PLANNING?

1. Analyse
your
Business
 Analyse your Business

Business Impact Analysis

 Analyse the Risks
4. Test & 2. Analyse Business Continuity Risk
Update the Risks Assessment
 Develop Recovery Strategy
Business Continuity Plan
 Test & Update
Periodically test and update
3. Develop BCP
Recovery
Strategy

BCP is the responsibility of the Business it is not just an IT issue!

BCP encompasses a DRP (Disaster Recovery Plan) which is an IT plan
7 of 48 A Reliance Capital
How do you develop a Business Continuity Plan?

 Development of a Business Continuity plan is not ‘rocket science’ – it’s really just
common sense

 Essentially, it consists of:

 identifying tasks which your team may need to perform if an incident occurs

 documenting those tasks

 organizing the tasks logically by phase and activity

 compiling team contact info and any other supporting documentation

8 of 48 A Reliance Capital
What assumptions should you make?
In developing your business unit’s plan, you should make the following
assumptions:

 The incident may occur at the worst possible time

 The incident may be a ‘worst case’ scenario, or it may be a lesser incident (e.g. loss of
computer systems, temporary loss of access to the facility, telecommunications failure)

 Some or many of your staff may be unavailable for work following the incident

 An alternate location would be available for your critical business unit within 4 hours of
an incident, with the number of workstations specified

 The alternate location would be within driving distance

 The Business Enterprise has a formal Business Continuity Team structure in place,
consisting of a Business Continuity Coordinator, a ‘Corporate Crisis Management Team’
(CCMT) and support teams (in addition to the business unit teams)

 Only the BCP Coordinator and CCMT can authorize teams to activate their Business
Continuity plans

9 of 48 A Reliance Capital
BCP RISK ANALYSIS – BUSINESS IMPACT
 Four Variables that affect the Level of Business Exposure and Impact:
 Likelihood of risk occurring
 Vulnerability to the risk
 Severity of risk
 Time taken to recover

 Time taken to recover relates to the Severity of the Risk:

 Short-term impact (up to 1 working day) resulting from denial of access to place of
work / data (e.g. due to power failure)

 To:
 Long-term impact (several weeks / months) resulting from total destruction of place of
work / staff / data (e.g. 9/11)

 Quantifying Risk - how do we Prioritise the Risk? :

 Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood
of each Threat

10 of 48 A Reliance Capital
 BCP RISK ANALYSIS – LIKELIHOOD / IMPACT CHART
High Impact

War
Pandemic
Major Fraud Confidentiality Breach

Plane Crash Terrorism

Major Fire
Major IT Failure
Epidemic
Virus
Low High
Likelihood Likelihood
Supplier Failure Limited IT Failure
Minor Fire
Water Leak Minor Fraud

Theft
Power Failure

Four Variables that affect the Scale of Business Impact:

Likelihood of risk occurring
Vulnerability to the risk
Severity of risk
Time taken to recover Low Impact

11 of 48 A Reliance Capital
Business Process Criticality Definition
 A Company’s revenue generating ability and corporate image are supported by the timely
execution of its business processes. However, the degree of criticality that some business
processes carry are more than others on account of their importance to the business
operations either in terms of their revenue generation capability or their ability to sustain
the corporate image.
 Provided below are guidelines, which have been considered at the time of assigning
criticality to RLIC’s business processes:
­ Critical (High)

Inability to perform this process within the indicated cycle time would significantly affect revenue-
generating capability and / or the operating effectiveness of the other business processes.

­ Important (Medium)

Inability to perform this process on a timely basis would affect revenue-generating activities and / or the
operating effectiveness of the other business processes. These processes normally support the
execution of critical processes, but are not directly part of the critical business process itself.

­ Minor (Low)

Inability to perform this process for a significant period of time in excess of the indicated cycle time
would impact the efficiency of other business processes and affect revenue-generating activities.

12 of 48 A Reliance Capital
Factors to be considered for determining the criticality

 Financial Factors  Non Financial Factors

­ Delay / loss of revenues ­ Corporate Image

­ Delay in recognition of revenues ­ Customer Confidence

­ Fines for regulatory non compliance ­ Employee Morale

­ Lost interest / interest paid on borrowed ­ Shareholder / Investor confidence

funds
­ Resumption Expenses ­ Legal Contractual obligation

­ Penalties for delayed processing ­ Competitive Advantage

­ Lost Opportunity

13 of 48 A Reliance Capital
The generally observed classification
Criteria Critical (High) Important (Medium) Minor (Low)

 Impact on revenue Long term Medium / Short term

X

Effect on business Severe Moderate Affects efficiency only

processes

Contractual Breached
X X
obligations
Competitive Immediate loss Loss over a period of
X
advantage time

Regulatory Non­compliance Non­compliance Non­compliance

Compliance
Loss of goodwill and Loss of goodwill and Reputation loss
X
customer confidence customer confidence

14 of 48 A Reliance Capital
BCP – Invocation Flowchart / Call Tree

Recovery INCIDENT
CALL OUT
DETECTED • EMERGENCY SERVICES
Timescales (Security Alerted)
CALL OUT
Incident Alert • BCP PLAN
INCIDENT ALERT to • RECOVERY SITE
INVOKE • VOICE DIVERT - TO MESSAGE
0 to 2 BCP Team
hrs • BCP WEBSITE MESSAGE
UPDATE
CALL OUT
• STAFF MESSAGE LINE UPDATE

BUSINESS CORPORATE CRISIS OTHER

IT RECOVERY
RECOVERY COMMUNICATION MANAGEMENT LOCATIONS
TEAM (CMT) TEAM LEADERS

INVOK INVOKE INVOKE INVOKE INVOKE

E
DEPARTMENT BCP PLAN DEPARTMENT BCP CMT BCP PLAN IT BCP PLAN IMPACT ASSESSMENT
IMPACT ASSESSMENT PLAN BACKUP TAPE DELIVERY LOCAL BCP PLAN
CLIENT / PUBLIC ‘BATTLEBOX’ DELIVERY
RELATIONS VOICE DIVERT - TO RECOVERY SITE
Incident Invocation IA process STRATEGY - Incident / Damage & Salvage Assessment
- Invoke Recovery Site or put on Standby
2 to 4 - Call-out the CMT and Confirm Invocation
hrs - Invoke Voice Divert & Message Updates (Staff Line & BCP Website)
- Call-out Recovery Team Leaders or their Alternates
- Manage Invocation and IT / Services Recovery and Support
4 to 24
CMT - Liaise with IA teams and Confirm Invocation
hrs - Set-up Command Centre / Conference Call
- Conduct Business Impact Assessment & Determine Recovery Priorities
- Assume Ongoing Crisis Management Responsibility
Business RECOVERY - Team Leaders to Call-out Team Members & Invoke BCP Plan
Recovery Processes - Conduct Business Impact Assessment & Advise CMT
- Recover Business / IT / Service Functions

15 of 48 A Reliance Capital
Recovery Timeframes (RTO)
 Recovery timeframes refer to the period by which each business process needs to be
recovered / resumed to avoid disruption to business i.e. a business process may not be
critical at the time of disaster striking the organization.

 However if such process is not recovered within the stipulated period subsequent to the
disaster then such process may also become critical at the end of such identified period

 For e.g. process for payment of salaries if not resumed / recovered within 15 days
would become critical.

 There are two factors to be considered

­ Recovery time:
Refers to the time taken to ensure that key business processes are up and running
­ Currency of data:
Refers to the currency of data (i.e how latest the data should be – yesterday’s back up or
information keyed in two hours before the disaster or every SECOND! no data lost)

16 of 48 A Reliance Capital
Executive Summary

 Introduction 
 Essentials of BIA
 Incident Management
 Impact Analysis
 RTO / RPO
 Recovery Strategies / Alternatives
 Threat Scenarios and assumptions
 The teams
 Summing up

confidentia
17 of 48 A Reliance Capital
 BCP Process

Phases of the business continuity planning process

• Creation of a business continuity and disaster recovery policy

• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery
procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring

18 of 48 A Reliance Capital
 The Essentials:
• Rigorous planning and commitment of resources
• Risk assessment to identify critical business processes
• Reduction of risk for unexpected disruption to critical
functions
• Assure continuity of minimum level of service for critical
operations
• Responsibility of senior management
• Address all functions and assets to continue as a viable
organization

19 of 48 A Reliance Capital
 BIA ­ Elements

 Disasters
­ Disrupt the operation of critical information processing
­ Adversely impact business operations
• Not all disruptions are disasters
• Causes of service disruption
­ Natural
­ Expected services no longer supplied
• BCP must take into account all types of events impacting IS
processing facilities and end users functionality

20 of 48 A Reliance Capital
 BCP Incident Management

 The management of incidents need be dynamic, proactive

and documented
 All types of incidents need to be categorized
­ Negligible: causing no significant damage
­ Minor: produce no negative material or financial impact
­ Major: cause negative material impact on business
processes
­ Crisis: serious material impact on the functioning of the
business

21 of 48 A Reliance Capital
 Business Impact Analysis

 Identifying the various events that could impact the continuity

of operations and their impact on the organization
 Issues to consider for BIA:
• Different business processes
• Critical information resources related to critical business
processes
• Critical recovery time period before significant losses are
incurred
• Systems risk ranking

22 of 48 A Reliance Capital
 Recovery Point Objective and Recovery Time Objective

 Recovery Point Objective (RPO)

­ Based on acceptable data loss
­ Indicates earliest point in time in which it is acceptable to recover
the data
 Recovery Time Objective (RTO)
­ Based on acceptable downtime
­ Indicates earliest point in time at which the business operations
must resume after a disaster

23 of 48 A Reliance Capital
 Recovery Point Objective and Recovery Time Objective
(continued)

 RPO and RTO are based on time parameters

 The lower the time requirements, the higher the cost of recovery
strategies
 Parameters to consider when defining recovery strategies:
­ Interruption window
­ Service delivery objective (SDO)
­ Maximum tolerable outages

24 of 48 A Reliance Capital
 Recovery Strategies

 Like all threats, the most effective action would be:

­ To remove the threat altogether
­ To minimize the likelihood and effect of occurrence
 A recovery strategy is a combination of preventive, detective and
corrective measures.
 The selection of a recovery strategy would depend upon:
­ The criticality of the business process and the applications
supporting the processes
­ Cost
­ Time required to recover
­ Security

25 of 48 A Reliance Capital
 Recovery Strategies (continued)

Recovery strategies based on the risk level identified for recovery

would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations

26 of 48 A Reliance Capital
 Recovery Alternatives

Types of offsite backup facilities

• Hot sites ­ Fully equipped facility

• Warm sites ­ Partially equipped but lacking processing power
• Cold sites ­ Basic environment
• Duplicate information processing facility
• Mobile sites
• Reciprocal agreement
– Contract with hot, warm or cold site
– Procuring alternative hardware facilities

27 of 48 A Reliance Capital
 Recovery Alternatives (continued)

Procuring alternative hardware facilities

• Vendor or third­party
• Off­the­shelf
• Credit agreement or emergency credit cards

28 of 48 A Reliance Capital
What is a Potentially Disastrous
incident?

A potentially disastrous incident (hereafter

referred to as an ‘incident’) is any internal
or external incident which may cause an
unacceptable interruption in the
company’s critical and important business
processes.

29 of 48 A Reliance Capital
Threat scenarios
Threat Impact Scenario

Environmental Incidents Loss and Damage of records, premises Inaccessibility of premises

•Water Damage
•Earthquake

Fire Loss and Damage of records, premises Inaccessibility of premises

Power Outages Temporary disruption of services/operations Critical IT Systems non availability

Sabotage / Terrorist activity Loss, Damage Inaccessibility of premises

Civil Disturbances Loss, Damage Inaccessibility of premises

Loss or theft of key data Loss, Damage and disclosure of confidential Critical IT Systems non availability (due to
information disruption in the integrity of the data)

Failure of IT and/or Telecom Infrastructure Disruption of services Non availability of critical IT Systems

IT Security Incident Disruption of services, Non availability of critical IT Systems

Loss of data

Logistical failures for centralized operations Disruption of services Inaccessibility of premises

30 of 48 A Reliance Capital
What assumptions should you make?

 In developing your business unit’s plan, you

should make the following assumptions:
­ The incident may occur at the worst possible time
­ The incident may be a ‘worst case’ scenario, or it may be
a lesser incident (e.g. loss of computer systems,
temporary loss of access to the facility,
telecommunications failure)
­ Some or many of your staff may be unavailable for work
following the incident

31 of 48 A Reliance Capital
What assumptions should you make?

 You can also make the following assumptions:

­ An alternate location would be available for your critical
business unit within 4 hours of an incident, with the
number of workstations specified
­ The alternate location would be within driving distance
­ The Company has a formal Business Continuity Team
structure in place, consisting of a Business Continuity
Coordinator, a ‘Corporate Crisis Management Team’
(CCMT) and support teams (in addition to the business
unit teams)
­ Only the the BCP Coordinator and CCMT can authorize
teams to activate their Business Continuity plans

32 of 48 A Reliance Capital
 What is a
Business Continuity Team?

33 of 48 A Reliance Capital
What is a Business Continuity Team?

 A Business Continuity Team is a designated group of

individuals responsible, at time of incident, for:
­ determining which tasks need to be performed
­ coordinating the execution of those tasks
­ communicating and coordinating with other Business
Continuity Teams
 Each team must have a team leader and alternate(s), and an
appropriate number of members

34 of 48 A Reliance Capital
 Corporate Crisis
Management
Typical Business Team
Business Continuity
Continuity Team Coordinator

Structure Support Team Business Resumption Teams

Support Team
Critical Process 3
IT Team Critical Process 2
Critical Process 1

Local
Incident
Management
Teams

35 of 48 A Reliance Capital
 The Specific BCP Teams for Reliance Life Insurance
Company Limited
 
Corporate Crisis
Management Team

Business
Continuity
Coordinator

Information Business
Support Team Technology Resumption
Team Team

36 of 48 A Reliance Capital
What is a Crisis Management Team?
 A Corporate Crisis Management Team (CCMT) is a designated group of
senior individuals responsible for overall management of a potentially
disastrous incident
 Typical responsibilities include:
­ Activation of Business Continuity and support teams
­ Coordination of all communication between teams
­ High level decision making (including ‘incident declaration’)
­ Prioritization of activities
­ De-activation of Business Continuity and support teams

37 of 48 A Reliance Capital
What are Support Teams?
 Support Teams are specialized groups that may be activated by
the CCMT to help manage the incident
 Typical support teams include:
­ Information Technology team - Systems and Application Support
Members and Communications and Infrastructure Support
Members
­ Support Team (including Facilities, Services, Finance, Functional
representatives (SPOCs), Corporate Communications and so on)

38 of 48 A Reliance Capital
What is the role of Information Technology
Teams?
 Typically, Information Technology Support Teams would
handle all of the ‘technology issues’ associated with a
potentially disastrous incident
 Responsibilities could include:
­ Recovering mainframe, mid-range, and server-based
systems at the alternate location(s)
­ Restoring data from latest off-site backups
­ Re-establishing voice and data communications
­ Commissioning employees’ desktop systems
­ Restoring technology at the original location
­ Activating connections from Alternate Operations Center

39 of 48 A Reliance Capital
What is the role of the Support Team?
 Typically, the support team provides the damage assessment following an
event, and assists with the site restoration process.
 Responsibilities would include:
­ Coordinating preparation of detailed damage assessments
­ Facility
­ Business Process and
­ Systems
­ Overseeing damage assessment and control activities
­ Coordinating site cleanup and salvage activities
­ The Support Team will provide the CCMT and the BCP Coordinator with a
comprehensive assessment of damage after disaster has occurred, including:
- Missing staff, injuries and loss of life;
- Extent of facility damage; and
- Damaged equipment (Computer Hardware, Network
Components, UPS, etc.)

40 of 48 A Reliance Capital
What is the role of Support Team?

 Handle all of the ‘public relations’ issues associated with a

potentially disastrous incident
 Responsibilities could include:
­ Preparing press releases and public announcements
­ Coordinating news conferences, interviews
­ Interfacing with media personnel
­ Issuing communiqués to employees and stakeholders
­ Managing the Company's image and reputation during
the crisis

41 of 48 A Reliance Capital
What is the role of Administration Personnel in
the Support Team?
 Handle all of the ‘facility issues’ associated with a potentially
disastrous incident
 Responsibilities could include:
­ Liaison with civil authorities
­ Damage assessment, salvage, and restoration
­ Preparing the alternate location(s) for occupancy
­ Physical security
­ Transportation of equipment and materials
­ Redirecting of mail and courier service
­ Management of interim phone systems

42 of 48 A Reliance Capital
What is the role of Human Resources
Department Personnel in the Support Team?
 Handle all of the ‘people issues’ associated with
a potentially disastrous incident
 Responsibilities could include:
­ Ensuring all employees are accounted for
­ Contacting employees’ families
­ Coordinating temporary relocation of staff, including travel and
accommodation arrangements
­ Hiring contract personnel
­ Providing assistance to individual employees
­ Ensuring continuance of salaries and benefits

43 of 48 A Reliance Capital
What is the role of Finance Department
Members in the Support Team?
 Handle all of the ‘accounting issues’
associated with a potentially disastrous
incident
 Responsibilities could include:
­ Authorizing and tracking expenditures
­ Ensuring appropriate accounting controls are
maintained
­ Identifying losses
­ Processing insurance claims

44 of 48 A Reliance Capital
 To sum up

The Phases in a Business

Continuity Plan

45 of 48 A Reliance Capital
The Five BCP Phases

Return
To Normal

Business
Resumption

Resource Recovery & Commissioning

Interim Contingencies

BUSINESS IMPACT ANALYSIS

Initial Response And Assessment

46 of 48 A Reliance Capital
Acknowledgement
 ISACA

47 of 48 A Reliance Capital
Thank you
November 29 2007

A Reliance Capital