Pub. 9 2020 Issue 4

28 Simplifying Business Impact Analysis To have an effective Business Continuity Plan (BCP), recovery plans must be based on a Business Impact Analysis (BIA). According to the FFIEC’s Business Continuity Management booklet, BIA is “the process of identifying the potential impact of disruptive events to an entity’s functions and processes.” There are a lot of elements to capital BIA, but for the purpose of this article we are going to focus on the conceptual lower-case business impact analysis. This analysis will help you make informed decisions about when certain processes can be restored and help you determine appropriate Recovery Time Objectives (RTO). Prepare the Definitions The first step in simplifying a BIA is to define ratings, categories, and labels of any kind. Definitions are foundational to an effective analysis process. Criticality Levels Criticality Levels are necessary for defining which processes require more immediate attention than others. Consider creating a set of levels such as: Critical, Urgent, Important, Normal, and Nonessential. If you work for a smaller institution, you may find you need fewer level options. The definition of each criticality level is its correspondingMaximumTolerable Downtime (MTD). This is the amount of time your business can tolerate without the process. For Critical processes, youmay only tolerate minutes, but for Nonessential processes youmight tolerate weeks. Business Impact Categories When considering downtime of a business process, consider the ramifications this downtime may have on your organization. The kind of impacts that concern you will determine your categories. At a minimum, you should consider the Compliance, Financial, Operational, and Reputational impacts to your organization, should a process be unavailable. For each category, provide clear definitions for each rating. For example, consider the following impact level definitions for the Compliance category: • Insignificant: Negligible compliance, contractual, regulatory, or legal concerns. • Low: Potential for compliance, contractual, regulatory, or legal issues with minor implications. • Medium: Confirmed compliance, contractual, regulatory, or legal issues with moderate implications. • High: Major penalties and/or costs related to compliance, contractual, regulatory, or legal issues. • Extreme: Extreme penalties related to compliance, contractual, regulatory, or legal issues (e.g., jail time for employees, closing of the institution, etc.). Analyze Impact Make a list of your business processes. Business processes are a combination of the people, resources, and procedures that achieve a goal, such as Accounting, Information Technology, Lending Operations, Cash Management, and Regulatory Reporting. Review one process at a time. Gather a group of people who deeply know and understand the process and how the lack of the process could impact the institution in different ways over different periods of time. Identifying the impact level for each category at each timeframe allows you to determine the MTD for this process. Example Analysis Let’s look at an example business impact analysis with the Mobile By Leticia Saiid, CoNetrix