Business Impact Analysis
The institution’s first step in developing a BCP is to perform a Business Impact Analysis (BIA). The amount of time and resources necessary to complete the BIA will depend on the size and complexity of the institution. The institution should include all business functions and departments in this process, not just data processing.
The BIA phase identifies the potential impact of uncontrolled, non-specific events on the institution's business processes. The BIA phase also should determine what and how much is at risk by identifying critical business functions and prioritizing them. It should estimate the maximum allowable downtime for critical business processes, recovery point objectives and backlogged transactions, and the costs associated with downtime. Management should establish recovery priorities for business processes that identify essential personnel, technologies, facilities, communications systems, vital records, and data. The BIA also considers the impact of legal and regulatory requirements such as the privacy and availability of customer data and required notifications to the institution's primary federal regulator and customers when facilities are relocated.
Personnel responsible for this phase should consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase compare and evaluate business process requirements. This phase may initially prioritize business processes based on their importance to the institution's achievement of strategic goals and maintenance of safe and sound practices. However, this prioritization should be revisited once the business processes are modeled against various threat scenarios so that a BCP can be developed.
When determining a financial institution's critical needs, reviews should be conducted for all functions, processes, and personnel within each department. Each department should document the mission-critical functions it performs.
Consider the following questions:
- What specialized equipment is required and how is it used?
- How would the department function if mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?
- What is the minimum number of staff and space that would be required at a recovery site?
- What special forms or supplies would be needed at a recovery site?
- What communication devices would be needed at a recovery site?
- What critical operational or security controls require implementation prior to recovery?
- Is there any potential impact from common recovery sites serving multiple lines of business or departments?
- Have employees received cross-training, and has the department defined the back-up functions and roles employees should perform if key personnel are not available?
- Are emotional support and family care needs adequately considered?