Business Impact Analysis #122 Richard Archer, CISA, CIA Partner KPMG LLP April 25, 2005.

Presentation transcript:

2 Key Points
–Learning Objectives
–Overview
–BIA defined
–BIA key components and approaches
–Major inputs, sources, and analytics
–Methods of gathering and assimilating risk information
–Tools and techniques
–Formats for reporting and presentation of results
–Use and implications for IT audit
–Resources

3 Learning Objectives
1. The key components and approaches to the BIA process.
2. The major inputs, sources of information, and analytics suggested for a complete BIA.
3. Methods of gathering and assimilating risk information during the BIA process.
4. Tools and techniques for performing the BIA.
5. Formats for reporting and presenting the results of the BIA.

4 Overview This session will address the major components, approaches, tools & techniques, and presentation formats for dealing with a Business Impact Analysis. The linkage of a BIA to IT audit uses and the risks identified will be discussed. Information sources, tools, and techniques that can be used during the course of a BIA will be identified and practical examples of each will be presented. In addition, a framework for analysis of the information accumulated and the risk analysis will be discussed. Finally, examples of BIA report and presentation formats will be presented.

5 Overview of Business Continuity (BC)
Utilizing risk management to improve operational reliability and performance, and to protect business resources.
Our Objectives – To help organizations
–Maintain chosen availability levels
–Effectively manage and control operational reliability
–Minimize downtime
to meet the ever increasing demands of business on an end-to-end continuous basis.
Focus
–Both risk reduction and improved infrastructure operations

6 Overview of Business Continuity
Identify disruption risks and potential impacts of disruptions, due to
–Technology risks, and
–Other potential disruptions or disasters
Design strategies, plans, processes and infrastructures to
–Minimize potential for disruption
–Plan for continuity or restoration of critical business functions
Business Continuity Planning, Enterprise High Availability, and Service Level Management
–Enabling continuous BCM evolution, to meet competitive, customer service, and compliance requirements of a leading organization

7 Value Layers in BC Framework
–I can recover my information systems in the event of a disaster.
–I can recover my critical operations in the event of a disruption/disaster.
–I’m always there for my customers.
–My business services exceed my customers’ expectations.
–My data architecture offers scalable information delivery when customers need it.
–How I manage information is a competitive advantage.

8 An Approach to Managing Business Continuity
Business Continuity Management is a lifecycle process.
[Lifecycle diagram: Assess Risk; Develop Strategy, Architect Solution; Implement Change; Monitor and Test (Measure), centred on Organizational Strategy / Core Business Functions across People, Process and Technology]

9 An Approach to Managing Business Continuity
Phase 1: Assess Risks – Business Impact Analysis
–Identify impacts resulting from events/disruptions
–Quantify and qualify such impacts
–Establish critical functions and priorities
–Identify interdependencies between processes, businesses, systems
–Establish recovery time objectives or availability requirements
An organization needs to understand how it relies on its people, processes and technology, as well as its relationships with customers, suppliers, and other contributors to its value chain.

10 BIA Objectives
–Establish the value of each unit or resource as it relates to the function of the total organization
–Provide the basis for identifying the critical/time-sensitive resources required to develop a business recovery strategy
–Establish an order of priority for restoring the function of the organization in the event of an unplanned event

11 BIA Objectives
–Threats that could potentially impact critical functions
–Prioritized list of risks (risk = likelihood of failure event x impact)
–Technology recovery capabilities and identified Key Points of Failure
–Process maps for critical functions with interdependencies
–Minimum resource requirements At Time of Disaster (ATOD)
–Identify for each critical function:
  RTOs – Recovery Time Objective
  RPOs – Recovery Point Objective
  MTOs – Maximum Tolerable Outage
  SDOs – Service Delivery Objective
–Gap analysis of “as-is” and “to-be” states
–Recommended risk strategies to minimize risk

12 The BIA: It’s an Iterative Process
Core Business Function(s)
STEP #1 BIA Workshop
STEP #2 Functional Leaders and champions complete questionnaire(s) on critical business processes/functions (Collect Data)
STEP #3 Functional Leaders and champions analyze process flows and BIA dependencies/impacts for critical processes/functions (Analyze Data)
STEP #4 Functional Leaders and champions review financial / capacity / time-dependent attributes for critical business processes/functions (Review Data)
STEP #5 Functional Leaders and champions level-set process/function against benchmark to determine if additional drill-down into sub-processes is needed; if “Yes”, the sub-process goes through the cycle (Level-set Data)

13 Risk Strategies
At the highest level, there are four things that can be done with Risk: Mitigate, Insure, Plan, Accept.
Types of Risk to be considered:
–Compliance: Contractual (penalties assessed by customers); Regulatory; Service Level Agreements (formal and informal customer expectations)
–Financial: Lost or Deferred Revenue; Opportunity; Shareholder Equity
–Operational: People (key historical and process knowledge); Production; Supply Chain (single sources and long lead time to delivery)
–Strategic: Marketshare (competitors with capacity to take business away); Customer and Partner Relationships; Reputation (brand name and image)
–Technical: Infrastructure Failure; Loss of Intellectual Property; Disruption (virus)

14 BIA Process
Business Impact Analysis is a broad term for efforts to identify business impacts resulting from a disruption.
There are several kinds of risk:
–Financial
–Operational
–Technology
–Environmental
–Competitive

15 Key Terminology
RTO – Recovery Time Objective
MTO – Maximum Tolerable Outage
RPO – Recovery Point Objective
SDO – Service Delivery Objective
ATOD – At Time of Disaster

16 Inputs to the BIA
Information used as input to the BIA process can include:
–Financial reports
–Supply chain analysis / vendor spend
–Analysis of key customers
–Cost analysis

17 BIA Information Identified
Quantitative Impact
–Losses identified in quantities, percentages, or a factor of a standard that can be described in monetary terms
–Sales, market share, penalties, assets, revenue, income
–Actual or order of magnitude

18 BIA Information Identified
Qualitative Impact
–Operations impact causing intangible losses that cannot be directly quantified in monetary terms
–Losses with financial impact that cannot be quantified
–Efficiency, satisfaction, control, inter/intra-departmental
–Order of magnitude

19 BIA Information Identified
–Determine Loss Exposure
Quantitative:
–Property loss
–Revenue loss
–Fines
–Cash flow
–Accounts receivable
–Legal liability
–Human resources
–Additional expenses/increased cost of working
–Loss of investment income

20 Questionnaire
–Gathering information can be done using a questionnaire
–Questionnaires can take many forms
–Advantages of questionnaires are ease of use and availability
–Disadvantages are lack of clarification and consolidation of data

21 Analysis
Once all data is gathered, analysis must be applied to identify key threads:
–Qualitative
–Quantitative
–Critical point analysis

22 Analysis
Trends, Summaries and Validation
–Look for trends that point toward potential impacts and exposures.
–Information is summarized into operational and intangible severity impact ratings, and department units are ranked by criticality.
–Rankings are determined by considering the relative importance of operational and financial impact factors, weighted by severity over time.
Ultimately, the BIA provides:
–the validation of recovery priorities and time frames
–the conversion of data into meaningful information
–a tool for management to facilitate the decision process for a sensible recovery strategy

23 Gap Identification
–Identification of current capabilities
–Initial analysis of potential needs
–Where do these two match up?

24 Recovery Time Objectives

25 High Dependence on Systems + High Business Impact = Shorter Recovery Time Objective (RTO)
–Business functions with high business impact and high dependence on on-line processing cannot sustain lengthy outages. These functions require immediate recovery.
–Business functions with moderate dependence on on-line processing can sustain outages for several days.
[Chart: Impacts/Costs vs. Length of Outage (Hours, Days, Weeks, Months), rising from Inconvenience through Disruption and Major Business Losses to Going Out of Business]

26 Shorter Recovery Time Objectives Generally Result in More Expensive Recovery Solutions
[Chart: Plan Costs vs. Length of Outage (Hours, Days, Weeks, Months): High availability architecture; Hot Site and Vital Record Strategy; Cold Site (Recover in New Location); Recover in Place]

27 Tools and Techniques
–Software tools to assist in the process
–JAD style approach
–Electronic meeting
–Surveys and data gathering

28 Reporting Formats
–The reporting of analysis is critical
–Proper presentation is the key
–Graphs and charts provide a quick summary
–Don’t overkill on analytics
–Know your audience

29 Reporting Formats

30 Reporting Formats

31 Recovery Time Objective (RTO) by Business Function or Process
The table summarizes the identified RTOs for key business functions and processes. Functions deemed to be non-critical to business continuity during a crisis (while important for Company growth during normal periods) are shown in the detailed report. In accordance with the company definitions, RTO within: Red = up to 2 days; Yellow = between 3 days and 2 weeks; Green = over 2 weeks.
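To show how the BIA questionnaire data flows into the prioritized risk list of slide 11, the criticality ranking of slide 22 and the RTO colour bands of slide 31, here is an added Python example (not code from the presentation or from KPMG). The 1..5 scales, the 60/40 financial/operational weighting, the RTO-versus-MTO check and the sample records are all constructed assumptions.

```python
"""Rank constructed BIA questionnaire results and colour-band RTOs (added example)."""
from dataclasses import dataclass

RED, YELLOW, GREEN = "Red", "Yellow", "Green"

@dataclass(frozen=True)
class BiaRecord:
    function: str            # critical business function or process
    likelihood: int          # 1 (rare) .. 5 (frequent); assumed scale
    financial_impact: int    # 1 .. 5, quantitative impact (slide 17); assumed scale
    operational_impact: int  # 1 .. 5, qualitative impact (slide 18); assumed scale
    rto_days: float          # Recovery Time Objective
    mto_days: float          # Maximum Tolerable Outage

def rto_band(rto_days: float) -> str:
    """Slide 31 bands: Red = up to 2 days, Yellow = 3 days to 2 weeks,
    Green = over 2 weeks. Fractions between 2 and 3 days are treated as
    Yellow (assumption; the slide lists whole days only)."""
    if rto_days < 0:
        raise ValueError("RTO cannot be negative")
    if rto_days <= 2:
        return RED
    return YELLOW if rto_days <= 14 else GREEN

def risk_score(rec: BiaRecord, financial_weight: float = 0.6) -> float:
    """risk = likelihood x impact (slide 11). Impact blends the financial and
    operational factors (slide 22); the 60/40 weighting is an assumption."""
    if not 0 <= financial_weight <= 1:
        raise ValueError("financial_weight must lie in [0, 1]")
    impact = (financial_weight * rec.financial_impact
              + (1 - financial_weight) * rec.operational_impact)
    return rec.likelihood * impact

def validate(rec: BiaRecord) -> list[str]:
    """Consistency checks on questionnaire answers before ranking (assumed rules)."""
    problems = []
    if rec.rto_days > rec.mto_days:  # recovery planned later than the business can tolerate
        problems.append(f"{rec.function}: RTO exceeds MTO")
    for name in ("likelihood", "financial_impact", "operational_impact"):
        if not 1 <= getattr(rec, name) <= 5:
            problems.append(f"{rec.function}: {name} outside 1..5")
    return problems

def rank_functions(records: list[BiaRecord]) -> list[tuple[str, float, str]]:
    """Order by descending risk score; ties broken by the shorter RTO."""
    ordered = sorted(records, key=lambda r: (-risk_score(r), r.rto_days))
    return [(r.function, risk_score(r), rto_band(r.rto_days)) for r in ordered]

# Constructed sample questionnaire results (not real data)
SAMPLE = [
    BiaRecord("Order entry", 4, 5, 4, 1, 2),
    BiaRecord("Payroll", 2, 4, 3, 7, 14),
    BiaRecord("Marketing analytics", 3, 2, 2, 30, 30),
    BiaRecord("Vendor payments", 3, 3, 3, 20, 10),  # RTO > MTO, caught by validate()
]
```

Running validate() over every record before rank_functions() surfaces answers that contradict each other, which is the kind of clarification a questionnaire alone cannot provide (slide 20).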

32 Reporting Formats

33 Implications for IT Audit
–The BIA is an important source of information for IT Auditors
–The BIA will show critical components of the areas analyzed
–The risk assessment information can identify areas of vulnerability for future audits
–The gap analysis can identify SPFs (single points of failure)

34 Implications for IT Audit
–Internal Audit can also provide valuable input into the BIA process
–Importance of a valid, timely BIA to the business continuity program
–The BIA provides the basis for any continuity plan

35 Resources
–Disaster Recovery Institute International: www.drii.org
–Continuity Planning and Management: www.contingencyplanning.com
–Disaster Recovery Journal: www.drj.com
–Disaster Links (information on physical threats): www.disasterlinks.com
–Resources for DRP/BCP: www.disaster-resource.com
–MidAtlantic Disaster Recovery Association: www.madra.org
–Business Continuity Institute: www.thebci.org
–Continuity Planning Exchange: www.cpeworld.org
–IBM: www-1.ibm.com/services/us/index.wss/it/bcrs/a
–Strohl Systems: www.strohlsystems.com
–SunGard: www.availability.sungard.com
–Federal Emergency Management Agency: www.fema.org

36 For More Information: Richard Archer Partner KPMG LLP

Thank you!