A business impact analysis (BIA) is the first step in the business continuity planning process and should include the:
The institution's first step in the business continuity process is the development of a BIA. Refer to Appendix F: "Business Impact Analysis Process" for additional information. The amount of time and resources needed to complete the BIA will depend on the size and complexity of the financial institution. The BIA should include a work flow analysis that assesses and prioritizes the business functions and processes that must be recovered. The work flow analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services. Identifying these interdependencies as part of the BIA should help management determine the priority of business functions and processes and the overall effect on recovery timelines.
Once business functions and processes have been assessed and prioritized, the BIA should identify the potential impact of uncontrolled, non-specific events on these business functions and processes. Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations. At the same time, management should never ignore potential risks that are evident in the institution's particular area. For example, financial institutions may be located in flood-prone areas, near fault lines, or by areas subject to tornados or hurricanes.
In addition to identifying the impact of non-specific events on business functions and processes, the BIA should also consider the impact of legal and regulatory requirements. For example, management should assess the impact of compromised customer data, which can result in regulatory concerns and a loss of public confidence. Refer to the "Information Security Booklet" included in the Federal Financial Institutions Examination Council IT Examination Handbook for additional information. By identifying the potential impact of this issue, management may have a better idea of the business functions and processes that could be affected. Management should also consider the regulatory requirement to notify the institution's primary federal regulator when facilities are relocated. Refer to the "Policy Statement of the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision Concerning Branch Closing Notices and Policies," Volume 64 Federal Register, page 34844 (June 29, 1999); "Establishment and Relocation of Domestic Branches and Offices," Board of Governors of the Federal Reserve System, 12 CFR Part 208.6; Federal Deposit Insurance Corporation, 12 CFR Part 303.44; Office of the Comptroller of the Currency, 12 CFR Part 5.30; and Office of Thrift Supervision, 12 CFR Part 545.95.
The BIA should also estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with that downtime. As part of this analysis, management should decide how long its systems can be down before the loss becomes too great, and how much data the financial institution can afford to lose and still survive. The results of this step will assist management in establishing recovery time objectives (RTOs), recovery point objectives (RPOs), and the recovery of the critical path, which represents those business processes or systems that must receive the highest priority during recovery. These recovery objectives should be considered together to determine more accurately the total downtime a financial institution could suffer due to a disaster. In addition, they require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered, and in what processing sequence, so that activities that fall directly on the critical path receive the highest priority. A dependency cannot be given a looser objective than the processes that rely on it: if a system supports a process with a four-hour RTO, that system must itself be recoverable within four hours regardless of what its own owners reported. One advantage of analyzing allowable downtime and recovery objectives is the support it can provide for the funding needs of a specific recovery solution, based on the losses identified and the importance of certain business functions and processes.
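The dependency and recovery-objective reasoning in the two paragraphs above can be modeled directly. The following is an added example, not part of the FFIEC booklet: it takes a constructed, hypothetical process inventory of the kind a BIA interview produces (names, RTO and RPO values in hours, and the "depends on" lists are all assumptions), propagates each process's objectives back onto the systems it depends on, derives a recovery sequence in which every dependency precedes its dependents and the tightest effective RTO is restored first, and reports the processes whose interview RTO is looser than what their dependents actually need. It also rejects unknown or circular dependencies, which are the usual data-quality errors in interview results.

```python
"""Worked BIA dependency model (added example; not the FFIEC text's own method).

Assumption (hypothetical): every business process declares its own RTO and RPO in
hours plus the processes or systems it depends on. A dependency must be recovered
no later than anything that depends on it, so its effective RTO/RPO is the minimum
of its own values and the effective values of all of its dependents.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Process:
    rto_hours: float                  # maximum allowable downtime stated by the owner
    rpo_hours: float                  # maximum tolerable data loss stated by the owner
    depends_on: List[str] = field(default_factory=list)


# Constructed sample inventory (hypothetical names and values).
INVENTORY: Dict[str, Process] = {
    "wire_transfers":     Process(4,   0.25, ["core_banking", "swift_gateway"]),
    "online_banking":     Process(8,   1,    ["core_banking", "identity_provider"]),
    "core_banking":       Process(24,  1,    ["primary_datacenter", "database"]),
    "swift_gateway":      Process(12,  0.5,  ["primary_datacenter"]),
    "identity_provider":  Process(48,  24,   ["primary_datacenter"]),
    "database":           Process(24,  4,    ["primary_datacenter"]),
    "primary_datacenter": Process(72,  24,   []),
    "marketing_site":     Process(168, 168,  []),
}


def _check_graph(inventory: Dict[str, Process]) -> None:
    """Reject unknown dependencies and cycles; both make a recovery sequence undefined."""
    for name, proc in inventory.items():
        for dep in proc.depends_on:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown process {dep!r}")
    state: Dict[str, str] = {}            # name -> "visiting" or "done"

    def visit(name: str, trail: List[str]) -> None:
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("circular dependency: " + " -> ".join(trail + [name]))
        state[name] = "visiting"
        for dep in inventory[name].depends_on:
            visit(dep, trail + [name])
        state[name] = "done"

    for name in inventory:
        visit(name, [])


def effective_objectives(inventory: Dict[str, Process]) -> Dict[str, Tuple[float, float]]:
    """Return {name: (effective_rto, effective_rpo)} with objectives pushed onto dependencies."""
    _check_graph(inventory)
    dependents: Dict[str, List[str]] = {name: [] for name in inventory}
    for name, proc in inventory.items():
        for dep in proc.depends_on:
            dependents[dep].append(name)
    memo: Dict[str, Tuple[float, float]] = {}

    def eff(name: str) -> Tuple[float, float]:
        if name not in memo:
            rto, rpo = inventory[name].rto_hours, inventory[name].rpo_hours
            for d in dependents[name]:          # tightest downstream objective wins
                d_rto, d_rpo = eff(d)
                rto, rpo = min(rto, d_rto), min(rpo, d_rpo)
            memo[name] = (rto, rpo)
        return memo[name]

    return {name: eff(name) for name in inventory}


def recovery_sequence(inventory: Dict[str, Process]) -> List[str]:
    """Order processes so each dependency precedes its dependents; among the processes
    ready at each step, restore the tightest effective RTO first (the critical path)."""
    eff = effective_objectives(inventory)
    remaining = dict(inventory)
    order: List[str] = []
    while remaining:
        ready = [n for n, p in remaining.items()
                 if all(d not in remaining for d in p.depends_on)]
        ready.sort(key=lambda n: (eff[n][0], eff[n][1], n))
        order.append(ready[0])
        del remaining[ready[0]]
    return order


def tightened(inventory: Dict[str, Process]) -> Dict[str, Tuple[float, float]]:
    """Processes whose interview RTO is looser than their dependents need: {name: (stated, required)}.
    These are the findings to send back to the business owners before the BIA is finalized."""
    eff = effective_objectives(inventory)
    return {n: (p.rto_hours, eff[n][0]) for n, p in inventory.items() if eff[n][0] < p.rto_hours}


if __name__ == "__main__":
    for name, (rto, rpo) in effective_objectives(INVENTORY).items():
        print(f"{name:20s} effective RTO {rto:>5}h  effective RPO {rpo:>6}h")
    print("recovery sequence:", " -> ".join(recovery_sequence(INVENTORY)))
    print("objectives to revisit:", tightened(INVENTORY))
```

In the sample data the data center owner reported a 72-hour RTO, but because wire transfers (4-hour RTO) depend on it through core banking, the model assigns the data center an effective RTO of 4 hours and flags the gap. That is the point the text makes about the critical path: the processing sequence and the funding case follow from the dependents' objectives, not from each system owner's own estimate.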
Personnel responsible for the BIA should consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase compare and evaluate business process requirements. This phase may initially prioritize business processes based on their importance to the institution's achievement of strategic goals and the maintenance of safe and sound practices. However, this prioritization should be revisited once the business processes are modeled against various threat scenarios so that a comprehensive BCP can be developed.
When determining a financial institution's critical needs, all functions, processes, and personnel should be analyzed. In documenting the mission critical functions performed, each department should consider the following questions:
Once the BIA is complete, it should be evaluated during the risk assessment process and incorporated into, and tested as part of, the BCP. The BIA should be reviewed by the board and senior management periodically and updated to reflect significant changes in business operations, audit recommendations, and lessons learned during the testing process. In addition, a copy of the BIA should be maintained at an offsite location so it is easily accessible when needed.