Guidelines for creating a Business Impact Analysis (BIA)

PLEASE GO TO PAGE 3 FOR STEP-BY-STEP INSTRUCTIONS FOR COMPLETING SPREADSHEET.
WHAT IS A BUSINESS IMPACT ANALYSIS (BIA)?
A business impact analysis (BIA) predicts the consequences of a disruption or outage of a business function, system or process and gathers information needed to develop recovery strategies. A function refers to an organization's purpose or goal; for example, one function of a School is teaching. A process is a group of activities or tasks performed to accomplish a goal; one example of a process is doing payroll. System refers to an IT system; an example of a system is O365 e-mail.
WHY DO WE DO BIA?
BIA allows us to understand the impact of outages or disruptions across the institution. This information supplements the Business Continuity (BCP) plans already in Shadow-Planner to give us a better understanding of how different Schools, Centers and departments of the University need to respond to outages or disruptions. It will also allow internal and external partners (ISC, Facilities and Real Estate Services, vendors, etc.) to have a better understanding of the priorities for recovery and continuity. Finally, it allows us to define priorities, in terms of which processes, systems or functions need to be recovered most quickly to resume the University's operations in the wake of an outage or disruption. Doing a BIA, like doing BCP plans, is in service of continuing the University's missions of teaching, research, service and clinical work.
HOW DOES THIS RELATE TO MY BUSINESS CONTINUITY (BCP) PLANS?
BCP plans describe what steps to take in the event of an outage or disruption pertaining to a critical system, function or process, whereas the BIA identifies how quickly a critical system, function or process needs to be recovered or restored.
HOW DO I DO A BIA?
To do a BIA, please use these guidelines to fill out the spreadsheet, with one spreadsheet for each organization, School, Center or department.

WHAT'S NEW IN DOING A BIA?
Two new items in the BIA are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO asks the question: how long can we go without this process or system being in place? The RPO asks the question: how much data can we afford to lose in an outage to this system or process? For example, if you can stand to lose a day's worth of e-mail due to an outage, your RPO is 1 day. If you cannot stand to lose any e-mail due to an outage, your RPO is 0. NOTE: RPO applies to IT only.
You may wish to assemble your tabletop exercise team and obtain their input in completing the spreadsheet. Once you've completed the spreadsheet, please send it to [email protected]. The central Mission Continuity Program (MCP) leadership will load the information into Shadow-Planner for you. Once the information is loaded, you can report it out from Shadow-Planner to review it and determine how you may want to update it. Below are guidelines for updating BIAs once they are in Shadow-Planner.
Questions? Contact the Mission Continuity Program (MCP) at [email protected].
• To create a BIA, follow the steps below to complete the BIA spreadsheet.
• Once the spreadsheet is completed, please submit it to [email protected].
• The central Mission Continuity Program (MCP) leadership will load the information into Shadow-Planner.
• Once the information is stored in Shadow-Planner, you may use the update guidelines to keep your BIA information up-to-date.

Step 1
Instructions: Open the spreadsheet, located on the MCP website here.

Step 2 (Column B: Organization)
Instructions: From this drop-down list, select the name of your organization.

Step 3 (Column C: Location)
Instructions: From this drop-down list, select the location of your organization.
Notes: Items in the drop-down list include: Main campus, New Bolton Center, Morris Arboretum, Wharton West, Pennovation, Other. For off-site clinical practices, use Other.

Step 4 (Column D: Plan type)
Instructions: This column is already populated as: Business Impact Analysis.

Step 5 (Column E: Mission type)
Instructions: From this drop-down list, select the part of the University's mission this process supports.
Notes: Items in the drop-down list include: Education/Teaching, Research, Service, Clinical and Operations/Admin.

Step 6 (Column F: Process type)
Instructions: The data is organized into the BETH3 model (also used for BC Planning Actions Plans).
Notes: Items in the drop-down list include: Buildings, Equipment, Technology, Human Resources and 3rd-party vendors/partners.

Step 7 (Column G: Process name)
Instructions: Select the most critical processes your organization is responsible for within each Process Type.
Notes: NOTE: Human Resources, in addition to faculty, staff and students, includes human subjects and patients. Equipment includes animals and specimens. A Process may be something your organization does, like a function, or an IT system. Examples include: For a School, a critical Process under Teaching might be Undergraduate instruction. For the Registrar's Office, a critical process under Technology might be the Pennant system.
For each Process Type, you may enter as many processes as you think are critical. If you choose to use more than 4, you can add an additional row in the spreadsheet in the appropriate location.
If you have a Mission Continuity plan created for a specific element in the BETH3 model, it's wise to have a process in the BIA for it also.

Step 8 (Column H: Process overview)
Instructions: Enter a one-sentence description of what the process, function or system does.
Notes: For example, "Provide instruction to undergraduate, professional and doctoral students." Or "Store all student academic information and allow students to register for classes."

Step 9 (Column I: Process owner)
Instructions: Who is/are responsible for ensuring the process runs properly?
Notes: This may be one person's name or the name of a group, Department, Division, etc.

Step 10 (Column J: BAU location)
Instructions: Where is the process usually conducted?
Notes: BAU stands for "Business As Usual." For example, "Franklin Building," or "Huntsman Hall."

Step 11 (Column K: Business hours)
Instructions: What are the business hours of the organization that owns the process or system?
Notes: For example, could be 9 AM – 5 PM, Mon-Fri.

Step 12 (Column L: BAU Headcount (FTEs))
Instructions: Approximately how many FTEs are involved in conducting the process on a business-as-usual basis?
Notes: Under normal conditions, the total calculation of FTEs needed to fulfill or conduct this process. For example, if two people normally each spend 75% of their time on this process or function, the FTE would be 1.5.

Step 13 (Column M: Business peaks)
Instructions: From the drop-down list, select the item that describes any peak times for this process.
Notes: Determine if there are times of week, month or year when your organization is busier than usual conducting this process. Examples include: move-in, Commencement, payroll processing.

Step 14 (Column N: Process availability)
Instructions: When is the process usually available or conducted?
Notes: Items in the drop-down list include: specific day of week, specific time of month, specific time of year, more than 1 of these, none of these. For example, could be Mondays of every week, or every year in May, or from 2-5 PM every day.

Step 15 (Column O: Breadth of impact)
Instructions: How widely does the process impact the University, the health system and/or the community?
Notes: Items in the drop-down list include: Department only, Organization-wide, School/Center-wide, University-wide, Community impact, UPHS & University.

Step 16 (Column P: Date last tested)
Instructions: Date of your last tabletop exercise.

Step 17 (Column Q: Recovery location)
Instructions: If the process/system needs to be recovered in a different place, what is that? If it's not a different place, enter "Same location".

Step 18 (Column R: Recovery Time Objective (RTO))
Instructions: The Recovery Time Objective (RTO): how long can we go without this process or system being in place?
Notes: Select from drop-down: less than 1 hour, up to 4 hours, up to 1 day, up to 3 days, up to 1 week, greater than 1 week.

Step 19 (Column S: Recovery Point Objective (RPO))
Instructions: The Recovery Point Objective (RPO): how much data can we afford to lose in an outage to this system or process?
Notes: For example, if you can stand to lose a day's worth of e-mail due to an outage, your RPO is 1 day. If you cannot stand to lose any e-mail due to an outage, your RPO is 0. NOTE: This applies to IT only.
Select from drop-down: less than 1 hour, up to 4 hours, up to 1 day, up to 3 days, up to 1 week, greater than 1 week.

Step 20 (Column T: IT Dependencies)
Instructions: List the most critical IT systems on which this process depends.
Notes: This could be a centrally maintained system, or a system that is maintained just for your organization. For example, if the process is student course registration, it depends on the Pennant system. Examples of some of the most-used central systems include: BEN, Box, PennNet, O365 e-mail, PennWorks/Payroll.
List no more than 10 dependencies for each process or system.

Step 21 (Column U: Life Dependencies)
Instructions: OPTIONAL: If the process involves living beings, specimens or plants, please use the drop-down to select the appropriate item.
Notes: Items in drop-down list include: Human subjects, Animals, Specimens, More than 1 of these, None of these.
