business impact analysis, risk management and assessment

Business Impact Analysis / BIA

Impact Analysis

Business impact analysis and organizational resilience software tools

When analyzing your business for the purposes of improving resilience and continuity, it is necessary to identify and assess the likely impact on the organization of potential disruptive events. This risk-based process, known as business impact analysis, is often regarded as daunting because it involves making subjective judgments about disruptive events whose severity can range from minimal to catastrophic. That uncertainty makes it hard to define specific outcomes and invites disagreement about how an accurate result can be reached. The organizational resilience software outlined on this website removes much of that complexity by establishing a workable, practical framework that is easy to understand and implement, and provides a simple methodology for carrying out the analysis.

 

Using impact analysis to establish recovery time objectives (RTOs) and other impact analysis values

Impact analysis is a critical part of the organizational resilience process. It is used to set recovery times and criticality, and it drives the risk treatment strategy and risk treatment projects. An impact analysis should distinguish critical from non-critical operations and critical from non-critical components. An operation or operational component is considered critical if the damage to the organization from its loss or unavailability would have consequences for stakeholders that are regarded as unacceptable. Whether the estimated impact of a disruption is acceptable is judged against the organization's established risk appetite and approved risk policy. Risk treatment and risk treatment strategy are normally selected with regard to the cost of establishing and maintaining appropriate business or technical recovery solutions. An operation or operational component may also be considered critical because a regulatory or legal requirement dictates it, regardless of the estimated impact. For each critical operation or operational component within the scope of the organizational resilience project, two important BIA values can then be assigned:

  • Recovery Time Objective (RTO) - the acceptable amount of time in which to restore the operation or component.

  • Maximum tolerable period of disruption (MTPD) – the maximum amount of time before the disruption causes significant and critical losses or damage.

The RTO must be shorter than the MTPD: the recovery target has to be met with margin to spare before the point at which the damage becomes unacceptable, otherwise the recovery solution is not actually protecting the organization.

 

Using the Organizational Resilience Software to conduct effective impact analysis

The first stage in risk identification and impact analysis is to identify the organization's critical objectives. These cover all important products and services created and delivered to customers, plus all critical potential non-compliance items. The critical objectives are identified during the organization component mapping process, which should support detailed dependency setting and make it possible to cascade established impact values to all related operations and operational components. Once the critical objectives have been identified, a range of measurable impact categories relevant to the organization must be defined. Impact categories could include financial loss, loss of business, environmental loss, regulatory non-compliance and so on. The ASIS organizational resilience software supplies a set of standard impact categories, but the User can easily adjust the list to match the organization's needs and perceived areas of risk. The User also establishes up to five measurement periods, counted from the moment the disruptive incident occurs; the software ships with default periods, which can be changed to suit the User. The User then assesses the impact on the organization of an interruption to each critical objective within each period, and this produces a recovery objective for the selected item. These values are then cascaded through the mapped components, adjusted for the level of dependency set by the User. The result is a set of clear and verifiable criticality values, recovery time objectives and maximum tolerable periods of disruption.
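The scoring and cascade steps described above can be made concrete with a small model. The following is an added example, not the ASIS ORMS software's own code: the 0..4 ordinal impact scale, the five measurement periods in hours, the rule that "unacceptable" means any rating above the organization's risk appetite, and the dependency rule (a dependency inherits round(level × rating) from every item that depends on it) are all assumptions chosen for illustration, and the sample component map is constructed.

```python
"""Illustrative BIA scoring model (added example; not the ASIS ORMS software's own logic).

Assumptions (not taken from the page): a 0..4 ordinal impact scale, five
measurement periods in hours, "unacceptable" meaning any rating above the
organisation's risk appetite, and a dependency rule in which a dependency
inherits round(level * rating) from every item that depends on it.
"""
from dataclasses import dataclass, field

# Constructed: up to five measurement periods, counted from the moment of disruption.
PERIODS_HOURS = [4, 24, 72, 168, 720]


@dataclass
class Item:
    """An operation, operational component or critical objective."""
    name: str
    impact: dict = field(default_factory=dict)      # category -> one rating (0..4) per period
    depends_on: dict = field(default_factory=dict)  # dependency name -> dependency level 0.0..1.0
    regulatory: bool = False                        # critical by legal/regulatory requirement


def own_profile(item):
    """Worst rating per period across all impact categories for this item alone."""
    profile = [0] * len(PERIODS_HOURS)
    for category, ratings in item.impact.items():
        if len(ratings) != len(PERIODS_HOURS):
            raise ValueError(f"{item.name}/{category}: need one rating per period")
        for i, r in enumerate(ratings):
            profile[i] = max(profile[i], r)
    return profile


def cascade_profiles(items):
    """Cascade impact down the dependency map.

    Each dependency inherits round(level * rating) per period from every item that
    depends on it, merged with its own ratings by max.  Values only ever increase
    and are bounded by the scale, so the loop reaches a fixed point even with cycles.
    """
    profiles = {name: own_profile(it) for name, it in items.items()}
    changed = True
    while changed:
        changed = False
        for it in items.values():
            for dep, level in it.depends_on.items():
                if dep not in items:
                    raise KeyError(f"{it.name} depends on unmapped item {dep}")
                inherited = [round(level * r) for r in profiles[it.name]]
                merged = [max(a, b) for a, b in zip(profiles[dep], inherited)]
                if merged != profiles[dep]:
                    profiles[dep] = merged
                    changed = True
    return profiles


def recovery_values(profile, appetite):
    """Return (RTO, MTPD) in hours, or (None, None) if impact stays acceptable.

    MTPD is the first period whose rating exceeds the risk appetite; RTO is the
    preceding period boundary, so RTO < MTPD always holds.
    """
    for i, rating in enumerate(profile):
        if rating > appetite:
            rto = PERIODS_HOURS[i - 1] if i > 0 else 0
            return rto, PERIODS_HOURS[i]
    return None, None


def analyse(items, appetite):
    """Criticality, RTO and MTPD for every mapped item after cascading."""
    profiles = cascade_profiles(items)
    results = {}
    for name, it in items.items():
        rto, mtpd = recovery_values(profiles[name], appetite)
        results[name] = {
            "profile": profiles[name],
            "rto_h": rto,
            "mtpd_h": mtpd,
            "critical": mtpd is not None or it.regulatory,
        }
    return results


# Constructed sample map: one customer-facing objective and the components it relies on.
SAMPLE = {
    "order-fulfilment": Item("order-fulfilment",
        impact={"financial": [0, 1, 3, 4, 4], "loss_of_business": [0, 2, 3, 4, 4]},
        depends_on={"erp": 1.0, "warehouse-wifi": 0.5}),
    "erp": Item("erp", impact={"regulatory": [0, 0, 1, 2, 3]}, depends_on={"db-cluster": 1.0}),
    "db-cluster": Item("db-cluster"),   # no rated impact of its own; inherits via erp
    "warehouse-wifi": Item("warehouse-wifi", impact={"financial": [0, 0, 1, 1, 1]}),
    "staff-newsletter": Item("staff-newsletter", impact={"loss_of_business": [0, 0, 0, 1, 1]}),
}

if __name__ == "__main__":
    for name, r in analyse(SAMPLE, appetite=2).items():
        print(f"{name:18} profile={r['profile']} RTO={r['rto_h']} "
              f"MTPD={r['mtpd_h']} critical={r['critical']}")
```

Running the sample with a risk appetite of 2 ("moderate" is tolerable, "major" is not) shows the point of the cascade: the database cluster has no rated impact of its own, yet it inherits the full profile of the order-fulfilment objective through the ERP dependency and ends up with the same 24 h RTO and 72 h MTPD, while the half-weighted warehouse Wi-Fi stays below the appetite and is classed non-critical. The `regulatory` flag covers the case in the text where criticality is dictated by law or regulation rather than by the impact ratings.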

 

Setting priorities for impact analysis

After defining and analyzing potential hazards and threats, and calculating and assessing the resulting impact scenarios that form the basis of the response and recovery plan, the development of a series of relevant and formal plans is recommended. As a general rule, the priority given to each plan should follow the criticality levels established through the impact analysis of the potential incidents. When working on response and recovery planning, it is preferable to concentrate initial resources on the most wide-reaching disaster or disturbance, since many smaller-scale problems are partial elements of larger disasters. Also concentrate effort on those disruptive events affecting the operations or operational components expected to have the largest impact on the organization's key deliverables or compliance obligations. Identifying those areas is simpler once the risk and impact mapping has been completed as part of the "understanding your business" process.