Business Impact Analysis
S.V. Sunder Krishnan
29th November 2007
A Reliance Capital company
Disaster


Disaster is an event, often unexpected, that seriously disrupts your usual operations or
processes and can have long term impact on your normal way of life or that of your
organization
Here is a sample list of disasters:

Environmental
- Fire
- Earthquake
- Heavy Rains
- Flooding
- Lightning Surge
- Severe Weather
- Epidemics
- Tsunami
- Hurricane

Others
- Legal Problem
- Vendor Breakdown
- Loss of Utility and Services
- Building Collapse
- Communication Breakdown
- Electric Short Circuits
- Electricity / UPS Failure
- Transportation Strike
- Telecommunications
- Vendors

Organized / Deliberate
- Terrorism
- War
- Riots
- Sabotage
- Labor Disputes
- Data Center Theft

Equipment / Service Failure
- Internal Power Failure
- AC Failure
- Equipment Failure
- IT System Failure
- Server Hang
- Power Surge

Info Security Incident
- Virus Attack
- Cyber Crime
- Hacking
- DoS Attack
- SPOF Breakdown
- System Corruption
The Fatal Impact!
Disasters could cause an organisation to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including
intellectual properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
WHAT IS - BUSINESS CONTINUITY PLANNING?

BCP is about identifying and, where appropriate, reducing your internal and external business risks and exposures, and implementing an effective business recovery strategy.

BCP ensures that you can provide an acceptable level of service to your clients / customers and other business 'stakeholders' regardless of any events or incidents that occur.

BCP should be an integral part of your business risk management strategy. BCP addresses the whole business continuity management process, from risk and business impact analysis through strategy and plan development to implementation, testing and ongoing change control.
Why Have a Business Continuity Plan?
[Chart: Recovery or Failure. Level of Business plotted against Time, with the INCIDENT marked and a Critical Recovery Point below which the business does not recover. Three outcomes are shown, A, B and C: a fully tested, effective plan giving a managed short-term interruption; no plan, lucky escape; no plan, possible outcome.]

• Ensure that you can provide an acceptable level of service to your clients, customers and other business partners regardless of any events or incidents that occur.

• BCP is not a 'box ticking' exercise to satisfy the regulators; it is about ensuring continuity of your business.

• Effective BCP is in the interest of all staff at all levels. This requires you to take ownership of BCP for your business unit.
WHAT IS - BUSINESS CONTINUITY PLANNING?
[Cycle diagram: 1. Analyse your Business -> 2. Analyse the Risks -> 3. Develop Recovery Strategy -> 4. Test & Update, and back to 1.]

1. Analyse your Business: Business Impact Analysis
2. Analyse the Risks: Business Continuity Risk Assessment
3. Develop Recovery Strategy: Business Continuity Plan
4. Test & Update: Periodically test and update the BCP

BCP is the responsibility of the Business; it is not just an IT issue!
BCP encompasses a DRP (Disaster Recovery Plan), which is an IT plan.
How do you develop a Business Continuity Plan?
• Development of a Business Continuity plan is not 'rocket science'; it's really just common sense.
• Essentially, it consists of:
  - identifying tasks which your team may need to perform if an incident occurs
  - documenting those tasks
  - organizing the tasks logically by phase and activity
  - compiling team contact info and any other supporting documentation
What assumptions should you make?
In developing your business unit's plan, you should make the following assumptions:

- The incident may occur at the worst possible time
- The incident may be a 'worst case' scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure)
- Some or many of your staff may be unavailable for work following the incident
- An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified
- The alternate location would be within driving distance
- The Business Enterprise has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a 'Corporate Crisis Management Team' (CCMT) and support teams (in addition to the business unit teams)
- Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans
BCP RISK ANALYSIS – BUSINESS IMPACT
• Four variables affect the level of business exposure and impact:
  - Likelihood of the risk occurring
  - Vulnerability to the risk
  - Severity of the risk
  - Time taken to recover
• Time taken to recover relates to the severity of the risk, ranging from:
  - Short-term impact (up to 1 working day) resulting from denial of access to place of work / data (e.g. due to power failure)
  to:
  - Long-term impact (several weeks / months) resulting from total destruction of place of work / staff / data (e.g. 9/11)
• Quantifying risk: how do we prioritise the risks?
  - Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood of each Threat
BCP RISK ANALYSIS – LIKELIHOOD / IMPACT CHART
[Chart: threats plotted by Likelihood (low to high) against Impact (low to high). In the order they appear on the chart, starting from the high-impact end: War, Pandemic, Major Fraud, Confidentiality Breach, Plane Crash, Terrorism, Major Fire, Major IT Failure, Epidemic, Virus, Supplier Failure, Minor Fire, Water Leak; Limited IT Failure, Minor Fraud, Theft and Power Failure sit at the high-likelihood end, towards low impact.]

Four variables affect the scale of business impact: likelihood of the risk occurring, vulnerability to the risk, severity of the risk, and time taken to recover.
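The risk weighting formula on the previous slide and the likelihood / impact chart above can be applied to a threat register so that the highest-weighted threats are treated first. The following is an added example, not code from the presentation or from Reliance: the 1..5 scoring scale, the quadrant split at 3, the threat names and every score are assumptions made for illustration.

```python
"""Risk weighting and prioritisation for a BCP risk analysis.

Added example, not part of the original presentation: it applies the
slide's formula

    Risk Weighting = Business Impact Assessment x Degree of Vulnerability x Likelihood

to a constructed threat register, ranks the register so the highest
weightings are treated first, and places each threat on the likelihood /
impact chart. The 1..5 scoring scale, the quadrant split at 3, the threat
names and every score are assumptions made for illustration.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed: each factor scored 1 (lowest) .. 5 (highest)


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int         # Business Impact Assessment
    vulnerability: int  # Degree of Vulnerability (how exposed the business is)
    likelihood: int     # Likelihood of the threat occurring

    def weighting(self) -> int:
        """Risk Weighting = impact x vulnerability x likelihood.
        Scores outside the scale are rejected rather than silently multiplied."""
        for score in (self.impact, self.vulnerability, self.likelihood):
            if score not in SCALE:
                raise ValueError(f"{self.name}: score {score} is outside 1..5")
        return self.impact * self.vulnerability * self.likelihood


def quadrant(threat: Threat, split: int = 3) -> str:
    """Quadrant of the likelihood / impact chart (the split point is assumed)."""
    impact = "High Impact" if threat.impact >= split else "Low Impact"
    likelihood = "High Likelihood" if threat.likelihood >= split else "Low Likelihood"
    return f"{impact} / {likelihood}"


def prioritise(register):
    """Highest weighting first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda t: (-t.weighting(), t.name))


def after_control(threat: Threat, new_vulnerability: int) -> Threat:
    """Re-score a threat once a control reduces the business's exposure to it
    (for example a UPS against power failure). Impact and likelihood of the
    threat itself are unchanged; only the vulnerability drops."""
    return replace(threat, vulnerability=new_vulnerability)


# Constructed sample register; scores are illustrative, not the company's data.
REGISTER = [
    Threat("Major IT failure", impact=5, vulnerability=3, likelihood=3),
    Threat("Power failure", impact=2, vulnerability=4, likelihood=5),
    Threat("Major fire", impact=5, vulnerability=2, likelihood=1),
    Threat("Virus outbreak", impact=4, vulnerability=4, likelihood=4),
    Threat("Water leak", impact=1, vulnerability=2, likelihood=2),
]

if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.weighting():3d}  {t.name:17}  {quadrant(t)}")
    ups = after_control(REGISTER[1], new_vulnerability=1)
    print(f"Power failure after UPS: {ups.weighting()} (was {REGISTER[1].weighting()})")
```

Because the three factors multiply, a control that cuts vulnerability from 4 to 1 cuts the weighting by the same factor, which is how the register shows where a preventive measure buys the most.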
Business Process Criticality Definition


A company's revenue-generating ability and corporate image are supported by the timely execution of its business processes. However, some business processes carry a higher degree of criticality than others on account of their importance to business operations, either in terms of their revenue-generating capability or their ability to sustain the corporate image.

Provided below are the guidelines that were considered when assigning criticality to RLIC's business processes:

- Critical (High): Inability to perform this process within the indicated cycle time would significantly affect revenue-generating capability and / or the operating effectiveness of the other business processes.
- Important (Medium): Inability to perform this process on a timely basis would affect revenue-generating activities and / or the operating effectiveness of the other business processes. These processes normally support the execution of critical processes, but are not directly part of the critical business process itself.
- Minor (Low): Inability to perform this process for a significant period of time in excess of the indicated cycle time would impact the efficiency of other business processes and affect revenue-generating activities.
Factors to be considered for determining the criticality

Financial Factors
- Delay / loss of revenues
- Delay in recognition of revenues
- Fines for regulatory non-compliance
- Lost interest / interest paid on borrowed funds
- Resumption expenses
- Penalties for delayed processing
- Lost opportunity

Non-Financial Factors
- Corporate image
- Customer confidence
- Employee morale
- Shareholder / investor confidence
- Legal / contractual obligations
- Competitive advantage
The generally observed classification
Criteria                                  | Critical (High)                          | Important (Medium)          | Minor (Low)
------------------------------------------|------------------------------------------|-----------------------------|------------------------
Impact on revenue                         | Long term                                | Medium / short term         | X
Effect on business processes              | Severe                                   | Moderate                    | Affects efficiency only
Contractual obligations                   | Breached                                 | X                           | X
Competitive advantage                     | Immediate loss                           | Loss over a period of time  | X
Regulatory compliance                     | Non-compliance                           | Non-compliance              | Non-compliance
Loss of goodwill and customer confidence  | Loss of goodwill and customer confidence | Reputation loss             | X

(X: no impact at that level.)
BCP – Invocation Flowchart / Call Tree
[Flowchart, with recovery timescales down the side: Incident Alert (0 to 2 hrs), Incident Invocation (2 to 4 hrs), Business Recovery (4 to 24 hrs). INCIDENT DETECTED (Security Alerted) -> CALL OUT emergency services and INCIDENT ALERT to the BCP Team -> INVOKE / CALL OUT the Business Recovery, Corporate Communication, Crisis Management Team (CMT) and IT Recovery streams: department BCP plan and impact assessment; client / public relations strategy; CMT BCP plan; IT BCP plan and impact assessment; backup tape delivery; 'battlebox' delivery; local BCP plans at other locations via their team leaders; voice divert to message, then to the recovery site; BCP website and staff message line updates; recovery site.]

IA process (Incident Alert, 0 to 2 hrs):
- Incident / damage & salvage assessment
- Invoke recovery site or put on standby
- Call out the CMT and confirm invocation
- Invoke voice divert & message updates (staff line & BCP website)
- Call out recovery team leaders or their alternates
- Manage invocation and IT / services recovery and support

CMT (Incident Invocation, 2 to 4 hrs):
- Liaise with IA teams and confirm invocation
- Set up command centre / conference call
- Conduct business impact assessment & determine recovery priorities
- Assume ongoing crisis management responsibility

Recovery processes (Business Recovery, 4 to 24 hrs):
- Team leaders to call out team members & invoke BCP plan
- Conduct business impact assessment & advise CMT
- Recover business / IT / service functions
Recovery Timeframes (RTO)

• Recovery timeframes refer to the period by which each business process needs to be recovered / resumed to avoid disruption to the business, i.e. a business process may not be critical at the time the disaster strikes the organization.
• However, if such a process is not recovered within the stipulated period after the disaster, it may also become critical at the end of that identified period.
• For example, the process for payment of salaries, if not resumed / recovered within 15 days, would become critical.
• There are two factors to be considered:
  - Recovery time: the time taken to ensure that key business processes are up and running.
  - Currency of data: how current the recovered data must be (yesterday's backup, information keyed in two hours before the disaster, or every SECOND, i.e. no data lost).
Executive Summary









• Introduction
• Essentials of BIA
• Incident Management
• Impact Analysis
• RTO / RPO
• Recovery Strategies / Alternatives
• Threat Scenarios and assumptions
• The teams
• Summing up
BCP Process
Phases of the business continuity planning process
• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring
The Essentials:
• Rigorous planning and commitment of resources
• Risk assessment to identify critical business processes
• Reduction of risk for unexpected disruption to critical
functions
• Assure continuity of minimum level of service for critical
operations
• Responsibility of senior management
• Address all functions and assets to continue as a viable
organization
BIA - Elements

• Disasters:
  - disrupt the operation of critical information processing
  - adversely impact business operations
• Not all disruptions are disasters
• Causes of service disruption:
  - natural
  - expected services no longer supplied
• BCP must take into account all types of events impacting IS processing facilities and end-user functionality
BCP Incident Management


• The management of incidents needs to be dynamic, proactive and documented.
• All types of incidents need to be categorized:
  - Negligible: causing no significant damage
  - Minor: produce no negative material or financial impact
  - Major: cause negative material impact on business processes
  - Crisis: serious material impact on the functioning of the business
Business Impact Analysis


• Identifying the various events that could impact the continuity of operations and their impact on the organization
• Issues to consider for BIA:
  - Different business processes
  - Critical information resources related to critical business processes
  - Critical recovery time period before significant losses are incurred
  - Systems risk ranking
Recovery Point Objective and Recovery Time Objective


• Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates the earliest point in time to which it is acceptable to recover the data
• Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates the earliest point in time at which business operations must resume after a disaster
Recovery Point Objective and Recovery Time Objective
(continued)



• RPO and RTO are based on time parameters
• The lower the time requirements, the higher the cost of the recovery strategies
• Parameters to consider when defining recovery strategies:
  - Interruption window
  - Service delivery objective (SDO)
  - Maximum tolerable outage (MTO)
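The two parameters above, data currency (RPO) and recovery time (RTO), become testable once a process has a backup schedule and an incident timeline. The following is an added example, not code from the presentation or from Reliance: it checks how much data an incident would lose against the RPO, whether the backup schedule can meet the RPO at all, whether the observed resumption met the RTO, and whether the RTO fits inside the maximum tolerable outage. The process, its objectives, the backup timestamps and the incident times are constructed for illustration.

```python
"""Checking a backup schedule and a recovery timeline against RPO and RTO.

Added example, not part of the original presentation. Timestamps,
objectives and the sample schedule below are constructed for illustration.
"""
from datetime import datetime, timedelta


def _ts(value):
    """Accept ISO-8601 strings or datetime objects."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def data_loss(backups_completed, incident):
    """Data lost in the incident: the gap since the last backup that *finished*
    before the incident. A backup still running when disaster strikes cannot be
    restored from, so only completed backups count. Returns a timedelta, or
    None when no restorable copy exists."""
    incident = _ts(incident)
    usable = [_ts(b) for b in backups_completed if _ts(b) <= incident]
    if not usable:
        return None
    return incident - max(usable)


def rpo_met(backups_completed, incident, rpo_hours):
    """True when the data lost in this incident is within the RPO."""
    loss = data_loss(backups_completed, incident)
    return loss is not None and loss <= timedelta(hours=rpo_hours)


def schedule_satisfies_rpo(backups_completed, rpo_hours):
    """Schedule-level check that does not depend on when the incident hits:
    the worst case is an incident just before the next backup completes, so
    the longest gap between consecutive completed backups must be <= RPO."""
    times = sorted(_ts(b) for b in backups_completed)
    if len(times) < 2:
        return False
    longest = max(b - a for a, b in zip(times, times[1:]))
    return longest <= timedelta(hours=rpo_hours)


def rto_met(incident, resumed, rto_hours):
    """True when the process resumed within the RTO measured from the incident."""
    return _ts(resumed) - _ts(incident) <= timedelta(hours=rto_hours)


def objectives_consistent(rto_hours, mto_hours):
    """The RTO must sit inside the interruption window (maximum tolerable
    outage); a plan whose RTO exceeds the MTO is unachievable by design."""
    return rto_hours <= mto_hours


# Constructed sample: a policy-administration process with RPO 4 h, RTO 8 h and
# MTO 24 h, backed up every four hours; incident at 11:30, resumed at 17:00.
SAMPLE = {
    "backups": ["2007-11-29T00:00", "2007-11-29T04:00", "2007-11-29T08:00"],
    "incident": "2007-11-29T11:30",
    "resumed": "2007-11-29T17:00",
    "rpo_hours": 4, "rto_hours": 8, "mto_hours": 24,
}


def assess(case=SAMPLE):
    """Run all checks for one process and return them as a dict."""
    loss = data_loss(case["backups"], case["incident"])
    return {
        "data_loss_hours": None if loss is None else loss.total_seconds() / 3600,
        "rpo_met": rpo_met(case["backups"], case["incident"], case["rpo_hours"]),
        "schedule_ok": schedule_satisfies_rpo(case["backups"], case["rpo_hours"]),
        "rto_met": rto_met(case["incident"], case["resumed"], case["rto_hours"]),
        "objectives_consistent": objectives_consistent(case["rto_hours"], case["mto_hours"]),
    }


if __name__ == "__main__":
    for name, result in assess().items():
        print(f"{name:22} {result}")
```

The schedule-level check is the one to run before an incident: a nightly backup against a 4-hour RPO fails it even though a lucky incident shortly after the backup would appear to meet the RPO.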
Recovery Strategies

• As with any threat, the most effective actions are:
  - To remove the threat altogether
  - To minimize the likelihood and effect of occurrence
• A recovery strategy is a combination of preventive, detective and corrective measures.
• The selection of a recovery strategy would depend upon:
  - The criticality of the business process and the applications supporting the processes
  - Cost
  - Time required to recover
  - Security
Recovery Strategies (continued)
Recovery strategies based on the risk level identified for recovery
would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations
Recovery Alternatives
Types of offsite backup facilities
• Hot sites - Fully equipped facility
• Warm sites - Partially equipped but lacking processing power
• Cold sites - Basic environment
• Duplicate information processing facility
• Mobile sites
• Reciprocal agreement
  – Contract with a hot, warm or cold site
  – Procuring alternative hardware facilities
Recovery Alternatives (continued)
Procuring alternative hardware facilities
• Vendor or third-party
• Off-the-shelf
• Credit agreement or emergency credit cards
What is a Potentially Disastrous Incident?
A potentially disastrous incident (hereafter referred to as an 'incident') is any internal or external incident which may cause an unacceptable interruption in the company's critical and important business processes.
Threat scenarios
Threat Scenario                                    | Impact
---------------------------------------------------|-----------------------------------------------------------------
Environmental incidents (water damage, earthquake) | Loss and damage of records, premises; inaccessibility of premises
Fire                                               | Loss and damage of records, premises; inaccessibility of premises
Power outages                                      | Temporary disruption of services / operations; critical IT systems not available
Sabotage / terrorist activity                      | Loss, damage; inaccessibility of premises
Civil disturbances                                 | Loss, damage; inaccessibility of premises
Loss or theft of key data                          | Loss, damage and disclosure of confidential information; critical IT systems not available (due to disruption of the integrity of the data)
Failure of IT and/or telecom infrastructure        | Disruption of services; non-availability of critical IT systems
IT security incident                               | Disruption of services; loss of data; non-availability of critical IT systems
Logistical failures for centralized operations     | Disruption of services; inaccessibility of premises
What assumptions should you make?

In developing your business unit's plan, you should make the following assumptions:
- The incident may occur at the worst possible time
- The incident may be a 'worst case' scenario, or it may be a lesser incident (e.g. loss of computer systems, temporary loss of access to the facility, telecommunications failure)
- Some or many of your staff may be unavailable for work following the incident
What assumptions should you make?

You can also make the following assumptions:
- An alternate location would be available for your critical business unit within 4 hours of an incident, with the number of workstations specified
- The alternate location would be within driving distance
- The Company has a formal Business Continuity Team structure in place, consisting of a Business Continuity Coordinator, a 'Corporate Crisis Management Team' (CCMT) and support teams (in addition to the business unit teams)
- Only the BCP Coordinator and CCMT can authorize teams to activate their Business Continuity plans
What is a Business Continuity Team?

• A Business Continuity Team is a designated group of individuals responsible, at the time of an incident, for:
  - determining which tasks need to be performed
  - coordinating the execution of those tasks
  - communicating and coordinating with other Business Continuity Teams
• Each team must have a team leader and alternate(s), and an appropriate number of members
Typical Business Continuity Team Structure

[Org chart: Corporate Crisis Management Team; Business Continuity Coordinator; Support Teams; IT Team; Business Resumption Teams for Critical Process 1, 2 and 3; Local Incident Management Teams.]
The Specific BCP Teams for Reliance Life Insurance Company Limited

[Org chart: Corporate Crisis Management Team; Business Continuity Coordinator; Support Team; Information Technology Team; Business Resumption Team.]
What is a Crisis Management Team?


• A Corporate Crisis Management Team (CCMT) is a designated group of senior individuals responsible for the overall management of a potentially disastrous incident
• Typical responsibilities include:
  - Activation of Business Continuity and support teams
  - Coordination of all communication between teams
  - High-level decision making (including 'incident declaration')
  - Prioritization of activities
  - De-activation of Business Continuity and support teams
What are Support Teams?


• Support Teams are specialized groups that may be activated by the CCMT to help manage the incident
• Typical support teams include:
  - Information Technology team: Systems and Application Support members, and Communications and Infrastructure Support members
  - Support Team (including Facilities, Services, Finance, functional representatives (SPOCs), Corporate Communications and so on)
What is the role of Information Technology Teams?

• Typically, Information Technology Support Teams would handle all of the 'technology issues' associated with a potentially disastrous incident
• Responsibilities could include:
  - Recovering mainframe, mid-range, and server-based systems at the alternate location(s)
  - Restoring data from the latest off-site backups
  - Re-establishing voice and data communications
  - Commissioning employees' desktop systems
  - Restoring technology at the original location
  - Activating connections from the Alternate Operations Center
What is the role of the Support Team?


• Typically, the support team provides the damage assessment following an event, and assists with the site restoration process.
• Responsibilities would include:
  - Coordinating preparation of detailed damage assessments of the facility, business processes and systems
  - Overseeing damage assessment and control activities
  - Coordinating site cleanup and salvage activities
  - Providing the CCMT and the BCP Coordinator with a comprehensive assessment of damage after the disaster has occurred, including:
    - missing staff, injuries and loss of life;
    - extent of facility damage; and
    - damaged equipment (computer hardware, network components, UPS, etc.)
What is the role of Corporate Communications Personnel in the Support Team?

• Handle all of the 'public relations' issues associated with a potentially disastrous incident
• Responsibilities could include:
  - Preparing press releases and public announcements
  - Coordinating news conferences and interviews
  - Interfacing with media personnel
  - Issuing communiqués to employees and stakeholders
  - Managing the Company's image and reputation during the crisis
What is the role of Administration Personnel in the Support Team?

• Handle all of the 'facility issues' associated with a potentially disastrous incident
• Responsibilities could include:
  - Liaison with civil authorities
  - Damage assessment, salvage, and restoration
  - Preparing the alternate location(s) for occupancy
  - Physical security
  - Transportation of equipment and materials
  - Redirecting mail and courier service
  - Management of interim phone systems
What is the role of Human Resources Department Personnel in the Support Team?

• Handle all of the 'people issues' associated with a potentially disastrous incident
• Responsibilities could include:
  - Ensuring all employees are accounted for
  - Contacting employees' families
  - Coordinating temporary relocation of staff, including travel and accommodation arrangements
  - Hiring contract personnel
  - Providing assistance to individual employees
  - Ensuring continuance of salaries and benefits
What is the role of Finance Department Members in the Support Team?

• Handle all of the 'accounting issues' associated with a potentially disastrous incident
• Responsibilities could include:
  - Authorizing and tracking expenditures
  - Ensuring appropriate accounting controls are maintained
  - Identifying losses
  - Processing insurance claims
To sum up: The Phases in a Business Continuity Plan

The Five BCP Phases

[Diagram: the five phases stacked on the BUSINESS IMPACT ANALYSIS as their foundation.]
1. Initial Response and Assessment
2. Interim Contingencies
3. Resource Recovery & Commissioning
4. Business Resumption
5. Return to Normal
Acknowledgement: ISACA

Thank you
November 29 2007