Executive Summary
This document attempts to provide an understanding of the BIA process as required by the British Standard BS25999-2:2007. A flow chart illustrates the flow of the BIA process per Clause 4.1.1 of the standard. Subsequently, each step in the process is demonstrated by means of an example.
Most of the content within the example tables is self-explanatory; however, some of it is supported with call-outs. The example does not strictly stick to the BS standard but includes additional items which are believed to add value from the actionable information point of view.
02/08/2009
Dipankar Ghosh
Section 4.1.1 of BS25999-2:2007
4.1.1 Business Impact Analysis
4.1.1.1 There shall be a defined, documented and appropriate method for determining the impact of any disruption of the activities that support the organisation's key products and services (see 3.2.1)
4.1.1.2 The organisation shall:
a) Identify activities that support its key products and services
b) Identify impacts resulting from the disruption to these activities, and determine how these vary over time
c) Establish maximum tolerable period of disruption (MTPoD) for each activity by identifying:
   (1) The maximum time after the start of the disruption within which each activity needs to be resumed
   (2) The minimum level at which each activity needs to be performed upon resumption; and
   (3) The length of time within which normal levels of operation need to be resumed;
d) Categorise its activities according to their priority for recovery and identify its critical activities
e) Identify all dependencies relevant to the critical activities, including suppliers and outsourced partners
f) For suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide
g) Set recovery time objectives (RTO) for the resumption of critical activities within their maximum tolerable period of disruption; and
h) Estimate the resources that each critical activity will require for resumption
4.1.1.2 b Identify impacts and determine how they vary over time

Impact over elapsed time (L = Low, M = Medium, H = High)

Activity / Impact type | 30 min | 1 hr | | | | 1 month
Software requirements analysis
  Human Life Implications | L | L | L | L | L | L
  Financial Implications | L | L | L | L | M | H
  Reputation Loss | L | L | L | L | M | H
  Customer Satisfaction | L | L | L | L | M | H
Software architecture and design
  Human Life Implications | L | L | L | L | L | L
  Financial Implications | L | L | L | L | M | H
  Reputation Loss | L | L | L | M | M | H
  Customer Satisfaction | L | L | L | M | H | H
Software construction
  Human Life Implications | L | L | L | L | L | L
  Financial Implications | L | L | L | M | M | H
  Reputation Loss | L | L | L | M | M | H
  Customer Satisfaction | L | L | L | M | H | H

Activity | MTPoD | RTO (< MTPoD) | Minimum Level Of Performance (4.1.1.2 c 2) | Time To Resume Normal Operations (4.1.1.2 c 3)
Software requirements analysis | 3 days | 2 days | Do paper based requirements analysis for all projects for which deadlines are near | 5 days
Software architecture and design | 16 hours | 12 hours | Do paper based design and architecture activities for all projects for which deadlines are near | 2 days
Software construction | 16 hours | 12 hours | Software construction work for projects for which deadlines are near | 1 day

4.1.1.2 c 1 These are the cells which are the transition points from Low to Medium impact and may be used to derive the MTPoD. Using one's judgement the MTPoD can be considered as any time between the time represented by the transitioning low impact time and the next medium impact time. In this example it is a

4.1.1.2 g Note that RTO is mandatory only for the critical activities per the standard. It can be calculated after putting a safety cushion per company policy over the MTPoD. The safety cushion should consider the cycle time to deliver
4.1.1.2 d Identify activities which are critical to the organisation. This may be based on the company's criticality policy. For example, any activity whose RTO is <= 16 Hours can be considered to be critical by the company. All other activities though could become critical over time if they are not brought up within their respective RTOs.

Criticality: Not Critical / Critical

Activity | MTPoD | RTO | Criticality
Software construction | 16 hours | 12 hours | Critical
4.1.1.2 d Prioritising activities by comparing the RTOs of the activities and ensuring activities with lower RTOs are given higher
Identify Dependencies for All Critical Activities: You Are Dependent On Them

Activity / Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency
Critical
Internal
Receive inputs from this team on client requirements Ensure that network, systems, telecom and other technical resources required are available
Internal
Client
External/Internal
Receive inputs on software requirements Ensure that network, systems, telecom and other technical resources required are available
Critical
Technology
Internal
Client
External/Internal
Software construction
Critical
Technology
Internal
Ensure that network, systems, telecom and other technical resources required are available
4.1.1.2 e Additionally, if you are dependent upon a supplier/partner you are required to ensure that the supplier/partner has adequate BCM arrangements. This will entail some sort of audit of your supplier/partner BCM processes. Also ensure that there are alternatives to your
4.1.1.2 e Identify internal and external dependencies. This includes those who are dependent on you and those you are dependent upon.
Identify Dependencies for All Critical Activities: They Are Dependent On You

Activity / Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency
Software requirements analysis | 2 | Critical | Accounts | Internal | Provide outputs to this team to take these up with client
 | | | | External/Internal | Provide outputs to client for their consideration/feedback/approval etc.
 | | | Software Quality | Internal | Provide system requirements specs to produce test plans and test cases
 | | Critical | Client | External/Internal | Provide design deliverables to client for approval
 | | | Software Quality | Internal | Provide design deliverables to consider for test plans and test cases
Software construction | | Critical | Client | External/Internal | Ensure that network, systems, telecom and other technical resources required are available
Activity/Process: Software requirements analysis (RTO 2 days)
Resource type: Staff
Columns: Alternative Arrangement | Action | Who/When

Business Analyst: 0 0 1
Alternative arrangement: In absence of business analyst the architect and the senior programmer will do the job.
S/w Architect
Alternative arrangement: In absence of architect the senior programmer will do the job. If required, another senior programmer will be utilised.
Alternative arrangement: In absence of the senior programmer the architect will do the job. If required, another senior programmer will be utilised.

Select your time intervals as appropriate for your function as well as the type of resource. E.g. Staff may have different intervals than, say, IT Applications, which in turn may have different time frames for Utilities.
like to put a MTPoD and/or RTO to the resources this paper provides the alternative approach of recording the actual requirements against elapsed time. This takes care of the MTPoD/RTO information for the resources and at the same time provides additional information such as numbers reqd.
4.1.1.2 h Estimate resources for each critical activity for resumption. Add as much information as you want on these resources. For example, for staff members it can be whether working from home is required or not. It is also prudent to have alternative (backup) arrangements for the resources required, identify any gaps that may exist, and have a plan for them.
Activity/Process | 1 hr | 12 hours | 2 days | Alternative Arrangements | Action | Who/When

Premises
PM Towers | Alternative Arrangements: None
Action 1. Arrangement for home working to be made. To ensure that each person has a PC/laptop, telephone/mobile and internet. Who/When: BX 14/08/09
Action 2. Finalise contract with 3rd party for making alternate premises available with 3-5 desk positions within an hour of notice. To include Telephone with STD/ISD and broadband internet. Who/When: ZC 31/08/09
None
As in premises above
MS Office Visio
0 0
0 0
0 0
3 1
Elapsed Time: 12 hours | 1 day | 2 days
Columns: Alternative Arrangements | Action | Who/When

Hardware
PC/Laptop | Alternative Arrangements: None
Action 1. Make arrangements with current PC/Laptop suppliers / alternate suppliers to provide spare PC/Laptops within 4 hours of request. Who/When: TD 31/08/09
Action 2. Finalise contract with 3rd party for making alternate premises available with 3-5 desk positions within an hour of notice. To include Telephone with STD/ISD and broadband internet. Who/When: -
Speaker/Mic
Elapsed Time: 12 hours | 1 day | 2 days
Columns: Alternative Arrangements | Action | Who/When

Telecom & Internet
1. Use facility at alternate recovery location (ref Premises section above)
2. Use facility available at home (ref Premises section above)
Internet | As above
Elapsed Time: 12 hours | 1 day | 2 days
Columns: Alternative Arrangements | Action | Who/When

Utilities/Other
Water Supply | Alternative Arrangements: None | Action: Arrange with at least 2 local water suppliers to provide 10,000 litres (2 days supply) at a notice of 4 hours. | Who/When: KK 09/01/10
Power Supply | Standby Genset of 100 KVA available within 10 minutes of power outage | None | KK 19/01/10
Fuel Supply