Guidelines for creating a Business Impact Analysis (BIA)

PLEASE GO TO PAGE 3 FOR STEP-BY-STEP INSTRUCTIONS FOR COMPLETING SPREADSHEET.
WHAT IS A BUSINESS IMPACT ANALYSIS (BIA)?
A business impact analysis (BIA) predicts the consequences of a disruption or outage of a business function, system or process and gathers information needed to develop recovery strategies. A function refers to an organization's purpose or goal; for example, one function of a School is teaching. A process is a group of activities or tasks performed to accomplish a goal; one example of a process is doing payroll. System refers to an IT system; an example of a system is O365 e-mail.
WHY DO WE DO BIA?
BIA allows us to understand the impact of outages or disruptions across the institution. This information supplements the Business Continuity (BCP) plans already in Shadow-Planner to give us a better understanding of how different Schools, Centers and departments of the University need to respond to outages or disruptions. It will also allow internal and external partners (ISC, Facilities and Real Estate Services, vendors, etc.) to have a better understanding of the priorities for recovery and continuity. Finally, it allows us to define priorities, in terms of which processes, systems or functions need to be recovered most quickly to resume the University's operations in the wake of an outage or disruption. Doing a BIA, like doing BCP plans, is in service of continuing the University's missions of teaching, research, service and clinical work.
HOW DOES THIS RELATE TO MY BUSINESS CONTINUITY (BCP) PLANS?
BCP plans describe what steps to take in the event of an outage or disruption pertaining to a critical system, function or process, whereas the BIA identifies how quickly a critical system, function or process needs to be recovered or restored.
HOW DO I DO A BIA?
To do a BIA, please use these guidelines to fill out the spreadsheet, with one spreadsheet for each organization, School, Center or department.
WHAT'S NEW IN DOING A BIA?
Two new items in the BIA are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO asks the question: how long can we go without this process or system being in place? The RPO asks the question: how much data can we afford to lose in an outage to this system or process? For example, if you can stand to lose a day's worth of e-mail due to an outage, your RPO is 1 day. If you cannot stand to lose any e-mail due to an outage, your RPO is 0. NOTE: RPO applies to IT only.
You may wish to assemble your tabletop exercise team and obtain their input in completing the spreadsheet. Once you've completed the spreadsheet, please send it to [email protected]. The central Mission Continuity Program (MCP) leadership will load the information into Shadow-Planner for you. Once the information is loaded, you can report it out from Shadow-Planner to review it and determine how you may want to update it. Below are guidelines for updating BIAs once they are in Shadow-Planner. Questions? Contact the Mission Continuity Program (MCP) at [email protected].
• To create a BIA, follow the steps below to complete the BIA spreadsheet.
• Once the spreadsheet is completed, please submit it to [email protected].
• The central Mission Continuity Program (MCP) leadership will load the information into Shadow-Planner.
• Once the information is stored in Shadow-Planner, you may use the update guidelines to keep your BIA information up-to-date.
Step 1
Instructions: Open the spreadsheet, located on the MCP website here.

Step 2. Column B: Organization
Instructions: From this drop-down list, select the name of your organization.

Step 3. Column C: Location
Instructions: From this drop-down list, select the location of your organization.
Notes: Items in the drop-down list include: Main campus, New Bolton Center, Morris Arboretum, Wharton West, Pennovation, Other. For off-site clinical practices, use Other.

Step 4. Column D: Plan type
Instructions: This column is already populated as: Business Impact Analysis.

Step 5. Column E: Mission type
Instructions: From this drop-down list, select the part of the University's mission this process supports.
Notes: Items in the drop-down list include: Education/Teaching, Research, Service, Clinical and Operations/Admin.

Step 6. Column F: Process type
Instructions: The data is organized into the BETH3 model (also used for BC Planning Actions Plans).
Notes: Items in the drop-down list include: Buildings, Equipment, Technology, Human Resources and 3rd-party vendors/partners.

Step 7. Column G: Process name
Instructions: Select the most critical processes your organization is responsible for within each Process Type.
Notes: NOTE: Human Resources, in addition to faculty, staff and students, includes human subjects and patients. Equipment includes animals and specimens. A Process may be something your organization does, like a function, or an IT system. Examples include: For a School, a critical Process under Teaching might be Undergraduate instruction. For the Registrar's Office, a critical process under Technology might be the Pennant system. For each Process Type, you may enter as many processes as you think are critical. If you choose to use more than 4, you can add an additional row in the spreadsheet in the appropriate location. If you have a Mission Continuity plan created for a specific element in the BETH3 model, it's wise to have a process in the BIA for it also.

Step 8. Column H: Process overview
Instructions: Enter a one-sentence description of what the process, function or system does.
Notes: For example, "Provide instruction to undergraduate, professional and doctoral students." Or "Store all student academic information and allow students to register for classes."

Step 9. Column I: Process owner
Instructions: Who is/are responsible for ensuring the process runs properly?
Notes: This may be one person's name or the name of a group, Department, Division, etc.

Step 10. Column J: BAU location
Instructions: Where is the process usually conducted?
Notes: BAU stands for "Business As Usual." For example, "Franklin Building," or "Huntsman Hall."

Step 11. Column K: Business hours
Instructions: What are the business hours of the organization that owns the process or system?
Notes: For example, could be 9AM – 5 PM, Mon-Fri.

Step 12. Column L: BAU Headcount (FTEs)
Instructions: Approximately how many FTEs are involved in conducting the process on a business-as-usual basis?
Notes: Under normal conditions, the total calculation of FTEs needed to fulfill or conduct this process. For example, if two people normally each spend 75% of their time on this process or function, the FTE would be 1.5.

Step 13. Column M: Business peaks
Instructions: From the drop-down list, select the item that describes any peak times for this process.
Notes: Determine if there are times of week, month or year when your organization is busier than usual conducting this process. Examples include: move-in, Commencement, payroll processing.

Step 14. Column N: Process availability
Instructions: When is the process usually available or conducted?
Notes: Items in the drop-down list include: specific day of week, specific time of month, specific time of year, more than 1 of these, none of these. For example, could be Mondays of every week, or every year in May, or from 2-5 PM every day.

Step 15. Column O: Breadth of impact
Instructions: How widely does the process impact the University, the health system and/or the community?
Notes: Items in the drop-down list include: Department only, Organization-wide, School/Center-wide, University-wide, Community impact, UPHS & University.

Step 16. Column P: Date last tested
Instructions: Date of your last tabletop exercise

Step 17. Column Q: Recovery location
Instructions: If the process/system needs to be recovered in a different place, what is that? If it's not a different place, enter, "Same location".

Step 18. Column R: Recovery Time Objective (RTO)
Instructions: The Recovery Time Objective (RTO): how long can we go without this process or system being in place?
Notes: Select from drop-down: less than 1 hour, up to 4 hours, up to 1 day, up to 3 days, up to 1 week, greater than 1 week

Step 19. Column S: Recovery Point Objective (RPO)
Instructions: The Recovery Point Objective (RPO): how much data can we afford to lose in an outage to this system or process?
Notes: For example, if you can stand to lose a day's worth of e-mail due to an outage, your RPO is 1 day. If you cannot stand to lose any e-mail due to an outage, your RPO is 0. NOTE: This applies to IT only. Select from drop-down: less than 1 hour, up to 4 hours, up to 1 day, up to 3 days, up to 1 week, greater than 1 week

Step 20. Column T: IT Dependencies
Instructions: List the most critical IT systems on which this process depends.
Notes: This could be a centrally maintained system, or a system that is maintained just for your organization. For example, if the process is student course registration, it depends on the Pennant system. Examples of some of the most-used central systems include: BEN, Box, PennNet, O365 e-mail, PennWorks/Payroll. List no more than 10 dependencies for each process or system.

Step 21. Column U: Life Dependencies
Instructions: OPTIONAL: If the process involves living beings, specimens or plants, please use the drop-down to select the appropriate item.
Notes: Items in drop-down list include: Human subjects, Animals, Specimens, More than 1 of these, None of these.