Impact Analysis
Business impact analysis and organizational resilience software tools
When analyzing your business for the purposes of improving resiliency and continuity, it is necessary to identify and assess the likely impact on the organization from potential disruptive events. Also known as business impact analysis, this risk-based process is often considered daunting because it involves making subjective assessments of disruptive events whose severity can range from minimal to catastrophic. This lack of clarity causes confusion and uncertainty, makes the process of defining specific outcomes difficult, and can lead to many disagreements about how an accurate result can be achieved. At long last, help is now available that removes much of the complexity and establishes a workable and practical framework that is easy to understand and implement. The organizational resilience software outlined on this website provides a simple methodology for achieving this, and it really works.
Using impact analysis to establish recovery time objectives (RTOs) and other impact analysis values
Impact analysis is a critical part of the organizational resilience
process and is used for setting recovery times and criticality as well
as driving risk treatment strategy and risk treatment projects. An
impact analysis should result in the differentiation between critical
and non-critical operations and critical and non-critical components.
Operations or operational components may be considered critical if the
implications for stakeholders of damage to the organization resulting
from loss or unavailability of that operation or operational component
are regarded as unacceptable. Acceptability of the estimated impact from
disruption may be judged according to the established risk appetite of
the organization and the approved risk policy. Risk treatment and risk
treatment strategy are normally identified with regard to the cost of
establishing and maintaining appropriate business or technical recovery
solutions. An operation or operational component may also be considered
critical if dictated by a regulatory or legal requirement. For each
critical operation or operational component that is considered to be
within the scope of the organizational resilience project, two important
BIA values can then be assigned:
- Recovery Time Objective (RTO) - the acceptable amount of time to restore the function.
- Maximum tolerable period of disruption (MTPD) - the maximum amount of time before the disruption will cause significant and critical losses or damage.
Using the Organizational Resilience Software to conduct effective impact analysis
The first stage in the risk identification and impact analysis is to identify the organization’s critical objectives. This will cover all important products and services created and delivered to the customers, plus all critical potential non-compliance items. These critical objectives will be identified during the organization components mapping process, which should support detailed dependency setting and should create the ability to cascade established impact values to all related operations and operational components. Once these critical objectives have been identified, it is necessary to identify a range of measurable impact categories that relate to the organization. Impact categories could include items such as financial loss, loss of business, environmental loss, or regulatory non-compliance. The ASIS organizational resilience software delivers a range of standard impact category areas, but the User can adjust these very easily to make the list specifically relevant to the organization’s needs and perceived areas of risk. The User also establishes up to five measurement periods for assessing impact from the moment that the disruptive incident occurs. The software includes a default setting for these periods, but they can be easily changed to match the User’s needs. The User then assesses the impact on the organization from the interruption to the critical objectives within each period, and this creates a recovery objective for the selected item. These values are then cascaded through the mapped components with adjustments for the level of dependency as set by the User. This process results in clear and verifiable criticality values, clear and verifiable recovery time objectives, and clear and verifiable maximum periods of tolerable disruption.
Setting priorities for impact analysis
After defining and analyzing potential hazards and threats, and calculating and assessing the resultant impact scenarios that form the basis of the response and recovery plan, the development of a series of relevant and formal plans is recommended. As a general rule, priorities for development of these plans should be based on the criticality levels established through the impact analysis of the potential incidents that could occur. When working on response and recovery planning, it is preferable to concentrate initial resources on the most wide-reaching disaster or disturbance, as many smaller-scale problems can be partial elements of larger disasters. Concentrate efforts also on those disruptive events affecting operations or operational components that are expected to have the largest impact on the organization’s key deliverables or compliance shortfalls. Identification of those areas will be simpler once the risk and impact mapping process has been completed as part of the “understanding your business” process.