* Kelli Ribeiro
Today we are going through a crisis of major global proportions due to the pandemic caused by the coronavirus. Even so, Brazilian companies do not have a culture of prevention and planning for unexpected and emergency situations.
Given the current scenario, it is important for organizations to have a Business Continuity Plan (PCN) established.
To define the Continuity Plan, the first step is to carry out the business impact analysis. It helps to create a clear understanding of the organization's main operations, and to measure the acceptable times for keeping the essential functions in operation during a crisis and recovering with as little downtime as possible.
What is Business Impact Analysis (BIA)?
The Business Impact Analysis (BIA) aims to analyze business processes and activities in order to understand the impact of downtime, with the goal of recovery and prioritization.
Requirements for Business Impact Analysis (ISO 22301 - Clause 8.2.2)
The ISO 22301 standard, which establishes Business Continuity guidelines, determines that the organization must implement and maintain a formal, documented assessment process to determine the priorities for continuity and recovery, with objectives and goals. This process should include assessing the impacts of interrupting the activities that support the organization's products and services.
Business Impact Analysis should:
- Identify the activities that support the supply of products and services;
- Assess the impacts, over time, of not carrying out these activities;
- Set deadlines in a prioritized manner for the resumption of these activities, at a minimum tolerable level of execution, taking into account the time within which the impacts of this interruption become unacceptable;
- Identify dependencies and resources that support these activities, including suppliers, third parties and other relevant stakeholders.
Methodology considerations - BIA
When developing the BIA methodology, the following elements help align the implementation with best practices:
- Assess the size and complexity of the organization (the BIA methodology may be simpler or not);
- Consult legislation and contractual obligations;
- Analyze the existing risk assessment methodology to take advantage of information already collected;
- Determine the time sensitivity scales;
- List business continuity activities;
- State the information that needs to be collected:
  - Impact assessment;
  - Evaluation of RPO (maximum data loss);
  - Minimum business continuity objectives (MBCO);
  - Required resources;
  - Dependencies between activities.
- Define the impact assessment (qualitative and quantitative);
- Develop questions for impact assessment (qualitative);
- Define time scales for evaluation (hours or days);
- Define qualitative scales for impact assessment (1 to 5 or low to high);
- Define scales for RPO (hours);
- Use a tool to run the BIA report (Excel or others);
- Conduct the impact assessment through:
  - Interviews with the people responsible for each activity;
  - Workshops with the people responsible for the activities.
- Report the results of the BIA methodology (reports).
- Obtain top management approval for the BIA methodology, as it requires effort;
- Before submitting for approval, it is important to review the methodology together with the department managers and project team;
- Assessments need to be made by the people responsible for each activity;
- The Business Continuity Coordinator is involved in the decisions on MAO (maximum acceptable outage) and RPO (maximum data loss) together with the people responsible for the activities, based on the results of the BIA questionnaires.
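The assessment steps above (impact rated over a time scale, a point at which it becomes unacceptable, RPO, and dependencies between activities) can be turned into a small prioritization model. The following is an added example, not code from the article or from SAFEWAY; the time buckets, the 1 to 5 impact scale, the threshold of 4 and the sample ratings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed scales (constructed for this example): outage durations in hours,
# qualitative impact 1..5, and the score from which the impact is unacceptable.
TIME_SCALE_HOURS = [4, 24, 72, 168]
UNACCEPTABLE_IMPACT = 4

@dataclass
class Activity:
    name: str
    owner: str                        # person responsible, who supplies the ratings
    impact_over_time: Dict[int, int]  # outage hours -> impact score (1..5)
    rpo_hours: int                    # maximum tolerable data loss, in hours
    dependencies: List[str] = field(default_factory=list)

def maximum_acceptable_outage(act: Activity) -> Optional[int]:
    """MAO: first point on the time scale where the impact is unacceptable; None if never."""
    for hours in TIME_SCALE_HOURS:
        if act.impact_over_time.get(hours, 0) >= UNACCEPTABLE_IMPACT:
            return hours
    return None

def effective_mao(act: Activity, by_name: Dict[str, Activity], seen=frozenset()) -> Optional[int]:
    """MAO tightened by dependents: a supporting activity must resume at least as
    fast as the most urgent activity that depends on it (cycles are ignored)."""
    own = maximum_acceptable_outage(act)
    candidates = [own] if own is not None else []
    for other in by_name.values():
        if act.name in other.dependencies and other.name not in seen:
            dep = effective_mao(other, by_name, seen | {act.name})
            if dep is not None:
                candidates.append(dep)
    return min(candidates) if candidates else None

def recovery_priority(activities: List[Activity]) -> List[str]:
    """Resumption order: shortest effective MAO first, tightest RPO breaks ties, untimed last."""
    by_name = {a.name: a for a in activities}
    def key(a: Activity):
        mao = effective_mao(a, by_name)
        return (mao is None, mao if mao is not None else 0, a.rpo_hours)
    return [a.name for a in sorted(activities, key=key)]

# Constructed sample ratings, as they might come from interviews with activity owners.
SAMPLE = [
    Activity("Order intake", "sales lead", {4: 2, 24: 4, 72: 5, 168: 5}, 4, ["Identity/SSO"]),
    Activity("Payroll", "HR lead", {4: 1, 24: 1, 72: 2, 168: 4}, 24),
    Activity("Identity/SSO", "IT lead", {4: 1, 24: 2, 72: 3, 168: 3}, 24),
    Activity("Marketing site", "comms lead", {4: 1, 24: 1, 72: 1, 168: 2}, 168),
]

if __name__ == "__main__":
    print(recovery_priority(SAMPLE))
```

Note that Identity/SSO never reaches an unacceptable impact on its own, yet it is ranked second because Order intake depends on it; this is exactly the dependency information the BIA must capture.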
The BIA methodology document must contain:
- Description of the analysis process;
- Roles in the process;
- Requirements considered in the BIA;
- Review period (at least once a year);
- Methodology questionnaires or information collected by a BIA tool;
- BIA report compiling all the information collected (optional).
Every day we identify companies experiencing financial difficulties or image and continuity crises because they were impacted in some way by events that could have been foreseen and, perhaps, avoided.
The BIA helps organizations to prove what is vital and critical to the functioning of the business, in addition to establishing the tolerable interruption time, calculating possible impacts and the minimum infrastructure for a contingency, and identifying which processes are vital to the company's operations.
BIA is one of the most complex activities required for business continuity and the one that requires the most experience during execution.
* Kelli Ribeiro is an Information Security Specialist at SAFEWAY
About SAFEWAY
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, which in large part are among the 100 largest companies in Brazil.
Today, through more than 20 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!