Lost Password? No account yet? Register
  • Increase font size
  • Decrease font size
  • Default font size

WWW.BS25999.COM

Wednesday
Aug 20th
Home arrow BS25999 arrow BS25999 Part 1 - Code of Practice arrow Understanding the Organisation
Understanding the Organisation PDF Print E-mail
Arguably the most important step in a Business Continuity Management programme is to understand the organisation, its products, services, resources, facilities, suppliers, customers, other stakeholders and their interdependencies.

In order to protect key products and services it vital that the organisation identifies critical activities and the resources needed to produce those products and services. In understanding the organisation the business continuity management programme can be closely aligned to the business continuity strategy and ultimately the overall goals of the organisation

These steps can be summarised as

 

01 Business Impact Analysis; what would happen if?

 

02 Identification of Critical Activities and Resources; what is important

 

03 Continuity Requirements; what will we need to carry on

 

04 Risk Assessment; look at the threats and likelihoods

 

05 Risk treatment; choose what to do about the risks

 

 

01

Business Impact Analysis

 

Much has been written about business impact analysis and sometimes it is over complicated but essentially a BIA determines the impact of disruption to activities that support the organisations output, its products or services.

The impact may be different over time so the BIA should be able to show a time element and their may be different categories of impact.

The BIA should be carried out by personnel familiar with the process being assessed usually with assistance from business continuity or risk management staff so that not only is the method suitable and applicable to the organisation but that the information contained within it is correct.

The maximum tolerable period of disruption for each activity should be defined so that critical functions may be identified.

Spreadsheets and scoring matrices can be useful in helping organise and collate the results as can the many BIA management software applications currently available if the organisation is large, complex or dispersed but a simple Word document may also be sufficient.


There are no fixed methods of carrying out a BIA; each organisation must find a method that suits it best but the standard contains broad principles. There is no 'magic method' that will provide all the answers.

The key factors in achieving an effective Business Impact Analysis are

  • Identify what you want out of it
  • Identify activity experts (i.e. don't ask the facility manager about accounting software)
  • Develop a plan for gathering the data
  • Summarise the findings
  • Validate
  • Present

Organisations can sometimes fall in to the traps of over complications, trying to reduce the BIA to an exact statistical exercise and worrying about getting it 100% right the first time around. As we have seen in the previous section, BCM is an iterative management process which can and should be revisited often. The BIA may therefore be in summary format in the first pass.

It is much more valuable for a BIA to show only the largest impacts yet available within a reasonable time than one with every eventuality covered but not available to senior managers for a year. Don't laugh, this is a very easy and common mistake to make.

One of the most effective BIA's I have seen is one that was done in an afternoon with all company directors present. Why was it so effective?

It focussed on the most immediate and likely impacts and was turned into a plan of action the next morning. 

Of course it was light on detail and missed a lot of minor systems, some with a greater impact that imagined. The organisation recognised that its initial BIA was flawed and implemented a back filling exercise to catch the errors and omissions whilst mitigating the impacts of those it found in its first pass.

 

Perfect is the enemy of good enough

 

An example of a BIA is shown below

BS25999.COM Sample BIA


















The definition of LOW, MEDIUM or HIGH impacts should be done before the BIA process commences, they might be split as shown above or combined. Again the exact nature of the BIA should be determined by the organisation.

An excellent way to gather information to support the BIA is via a simple interview process. Sending blank spreadsheets out and asking people to fill them in, a more common activity than one might imagine, is doomed to failure with poor quality information resulting in incorrect assumptions and flawed plans. Speak to people, this is the single most effective way of creating a BIA. 

A valuable time saving can also be made if during the BIA interview, interviewees are asked how long could they make do without one resource or the other before it became critical. For example, email or the building.

 

02

Identification of Critical Activities

 

What is a priority for recovery?

The identification of critical activities should be obtained from the BIA.


 

These activities can then be prioritised for recovery and resources allocated according to this priority. The maximum disruption that can be tolerated will feed into the recovery time objective when determining BCM strategies.

 

 

03

Continuity Requirements

 

We have determined critical activities and the impact of disruption on them from the above processes. 

The continuity requirements to support each activity can then be determined. These may include;

  • Staff
  • Facilities and premises
  • Supporting technology
  • Information
  • External services
  • Suppliers
  • Raw materials or assemblies

For example

 

BS25999.COM Recovery Requirements Diagram

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

04

Risk Assessment

 

The risk to the organisations critical activities should be clearly understood

For each resource supporting these critical activities a risk assessment should be undertaken to determine the threats, vulnerabilities and impacts.

There are many techniques for carrying out risk assessments and the method chosen should be suitable for the organisation, wherever possible aligning with other risk assessment methods in use, for example in an Information Security Management System.

 

Sample Risk Assessment

BS25999.COM Sample Risk Assessment

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

05

Risk Treatment

 

Once the risks have been determined there are a number of options available to organisations, what to do about them.

There are 4 options

  • Use business continuity to reduce the risk
  • Accept the risk, it might be low enough to tolerate or there may be nothing that can be done with a reasonable degree of resource allocation or effort
  • Transfer the risk to some other, for example insurance
  • Change or stop the activity under question, permanently or temporarily

 

 

Document Author: Harvey Fawcett

 

 

Comments (0)add
Write comment
smaller | bigger

security image
Write the displayed characters


busy
 
< Prev   Next >
[ Back ]