  • Are you aware that cyber attacks cost businesses $400 billion every year?
  • Did you know that security incidents caused downtime of more than 8 hours for 31% of impacted organizations?
  • Did you know that the involvement of business continuity management reduced the cost of data breach by an average of almost $9 per record?
  • Are you aware India had the most data breaches caused by a system glitch or business process failure?
  • Did you know that only 23% of respondents are confident their organizations have made adequate investments to monitor the activities of privileged users?
  • Did you know that 49% of companies do not perform periodic “fire drills” to test IT Security event response plans?
  • Did you know that 34% of companies do not have a crisis response plan for a data breach or cyberattack event?

Business Impact Analysis

A Business Impact Analysis predicts the impact of disruption of a function and business process. We help you collect the information required for developing recovery strategies. We identify possible loss scenarios during a risk assessment. Delayed deliveries or failure of a supplier of products or services can interrupt operations, but the list is not limited to that. There are many scenarios which you should consider. Recognizing and assessing the impact of disasters on the organization provides the basis for investment in recovery strategies and in prevention and mitigation strategies.

A five-phase execution, as illustrated below, will be followed to provide consultancy for establishing BIA and achieving the desired certification.


In this process we will help business units understand the impact of a disruptive event. The impact may be financial (quantitative) or operational (qualitative, such as the inability to respond to customers). Our vulnerability assessment would follow as part of the BIA process; it would identify the company’s critical systems needed for survival and estimate the outage time that the company can tolerate as a result of a disaster or disruption. We would:

  1. Identify the directorates and business areas in the organisation, and the managers responsible for these areas.
  2. Identify the sub-units (if appropriate) under each business area.
  3. Identify the activities that are performed in each sub-unit (or business area if sub-units are not applicable).

In this phase we would identify the resources that are used by each of the activities under normal operations, and assess the level of dependency that each activity has on a given resource. We would:

  1. Identify the dependencies (people, utilities / essential services, office equipment and telecommunications, specialised equipment and key consumables) that are used by each activity.
  2. Identify the systems / applications that are used by each activity.
  3. For each activity, rate the level of dependency that it has on each of the systems / applications listed.
  4. Determine the “system off-line duration” – the maximum duration that a system / application may be unavailable before the impact becomes unacceptable.
  5. Determine the “data loss duration” – the maximum data loss that can be tolerated before it becomes unacceptable.
  6. Upon completion of the assessment, the ratings will provide an indication of what the critical dependencies for each business area are, and a separate exercise may be undertaken to risk assess these dependencies and to implement further preventative controls or contingency measures where necessary.

In this phase, we would assess the potential business impact of a disruption to activities, determine the maximum amount of time that the activities may be disrupted before the impact becomes intolerable, and prioritise the activities for recovery. We would:

  1. Discuss how a disruption could impact the organisation, using the impact categories.
  2. Score the impact over various timeframes (i.e. minutes, hours, days, weeks) using the severity level rating, taking into consideration the impact categories discussed earlier. The cause of the disruption is immaterial (it may be a power outage, roof collapse, fire, etc.); the focus is on the impact of a disruption rather than its cause.
  3. Determine the Maximum Tolerable Period of Disruption (MTPD) by selecting the appropriate timeframe. The MTPD would be guided by the severity level ratings that indicate an unacceptable level of impact.

In this phase, we would identify the strategies, interdependencies and resource requirements for the continuity of priority activities.

  1. Identify the Immediate Continuity Strategy for responding to a disruption and the duration for this strategy. This is a short term strategy designed to provide a bare minimum or basic level of service in order to contain or minimise the impact of the disruption on stakeholders until a more sustainable level of service can be provided.
  2. Identify the Sustainable Continuity Strategy that will provide a higher level of service that can be sustained beyond the Immediate Continuity Strategy, and the duration that this strategy can be maintained.
  3. Examples of strategies include:
    • Temporary suspension of an activity.
    • Redirecting the activity to another facility.
    • Transferring resources to another facility.
    • Using alternate procedures / workarounds.
    • Stopping altogether until full recovery can be achieved, etc.
  4. Perform a risk analysis on each critical process to identify any vulnerabilities that exist, along with steps to mitigate those vulnerabilities.
  5. Here we capture the internal and external dependencies of the business area in relation to the priority activities:
    • Internal Interdependencies - identify the internal parties / stakeholders (outside the branch / business area) within the organisation with whom you have interdependencies.
      • Upstream – are parties whom you are dependent on to perform your activities.
      • Downstream – are parties who are dependent on you to perform their activities.
    • External Interdependencies - identify the external parties / stakeholders (outside the organisation, such as other agencies, suppliers, service providers, etc.) with whom the business area has interdependencies.
      • Upstream – are parties whom you are dependent on to perform your activities.
      • Downstream – are parties who are dependent on you to perform their activities.
  6. Emergency response procedures would be prepared as actionable points, developed to help people in a crisis situation better cope with the disruption. They are the first line of defense when dealing with a crisis situation.

In this phase, we would assist the client in the following actions:

  1. Assist in preparation of Corrective Action Plan.
  2. Determine the readiness to face the external audit (Certification audit).
  3. We would assist the client during the external audit to provide any clarifications required by the external auditor during the documentation review and field survey.
  4. Prepare the corrective action plan, if required, to close the non-conformities as reported by the auditor.