To have an effective Business Continuity Plan (BCP), recovery plans must be based on a Business Impact Analysis (BIA). According to the FFIEC's Business Continuity Management booklet, BIA is "the process of identifying the potential impact of disruptive events to an entity's functions and processes." There are many elements to a formal, capital-letter BIA, but for the purpose of this article we are going to focus on the conceptual lower-case business impact analysis (a.k.a. business impact assessment). This analysis will help you make informed decisions about when certain processes can be restored and help you determine appropriate Recovery Time Objectives (RTOs).
Prepare the Definitions
The first step in simplifying a BIA is to define ratings, categories, and labels of any kind. Definitions are foundational to an effective analysis process. Shared definitions help all parties to work together during the analysis and make the final results clear for future readers.
Criticality Levels are necessary for defining which processes require more immediate attention than others. Consider creating a set of levels such as: Critical, Urgent, Important, Normal, and Nonessential. If you work for a smaller institution, you may find you need fewer level options.
The definition of each criticality level is its corresponding Maximum Tolerable Downtime (MTD). This is the amount of time your business can tolerate without the process. For Critical processes, you may only tolerate minutes, but for Nonessential processes, you might tolerate weeks. Pick the right MTD to fit your business requirements.
Business Impact Categories
When considering downtime of a business process, consider the ramifications this downtime may have on your organization. Could the lack of this process cause reputational damage, financial damage, etc.? The kind of impacts which concern you will determine your categories. At a minimum, you should consider the Compliance, Financial, Operational, and Reputational impacts to your organization, should the process become unavailable.
For each category, provide clear definitions for each rating. For example, consider the following impact level definitions for the Compliance category:
- Insignificant: Negligible compliance, contractual, regulatory, or legal concerns.
- Low: Potential for compliance, contractual, regulatory, or legal issues with minor implications.
- Medium: Confirmed compliance, contractual, regulatory, or legal issues with moderate implications.
- High: Major penalties and/or costs related to compliance, contractual, regulatory, or legal issues.
- Extreme: Extreme penalties related to compliance, contractual, regulatory, or legal issues (e.g., jail time for employees or closure of the institution).
Make a list of your business processes. This should be something readily available if you already have a BCP. Business processes are a combination of the people, resources, and procedures that achieve a goal, such as Accounting, Information Technology, Lending Operations, Cash Management, and Regulatory Reporting.
Review one process at a time. Gather a group of people who understand the process and how the lack of the process could impact the institution in different ways over different periods of time. Identifying the impact level for each category at each timeframe allows you to determine the MTD for this process.
Example Business Impact Analysis
Let's look at an example: a business impact analysis of the Mobile Deposit Capture process for the Reputational impact category. In other words, if a disruption to the Mobile Deposit Capture process occurred, what impact would this have on the organization?
Don't spend too much time thinking about why the process is unavailable. Knowing why a process is unavailable is irrelevant to how long your organization can tolerate going without it before the missing piece begins to affect the organization's mission, customer and member experiences, other business functions, or compliance requirements.
After one hour, the institution may have a few unhappy customers or members, but the impact would overall be Insignificant. Even after one day, the impact might still be Low. If the process was down for three days, clients may really start to notice and could be upset (Medium). After one week, the organization would likely have to do a lot of work to regain trust (High). If the process was unavailable for 60 days, the impact might be Extreme, as clients could be lost and the institution's reputation in the community damaged. See the image for an example of what the ratings could look like.
When this assessment is performed for each category, the level of tolerance can be identified before a disruption becomes too detrimental for the business. That point is the process's maximum tolerable downtime, and therefore determines its criticality level. In this example, perhaps the impact is generally low prior to three days, so this process is set as Important. This means that, in the event of a widespread business disruption, other higher-priority processes will be given attention before this one, until the three-day mark is reached.
Override for Dependent Processes
Don't forget about process dependencies. Dependencies can completely override the criticality level you determine through the BIA process. If there is another process with a shorter MTD which depends on this one to function, you must shorten the MTD of this process to have it ready to support the dependent one. Another option would be to reconsider the relationship between the two processes, or reconsider whether the other process has an accurate MTD.
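The rating-per-timeframe assessment, the resulting MTD and criticality level, and the dependency override above can be written down as a small script. This is an added example, not from the article; the level and rating names follow the article, while the MTD hours per level, the Compliance row, and the Core Banking and Online Banking processes are assumptions.

```python
# Added example, not from the article. Level and rating names follow the article;
# the hours per level, the Compliance row and the extra processes are assumptions.
# Criticality level -> MTD in hours (assumed values, most urgent first).
CRITICALITY_MTD_H = [("Critical", 1), ("Urgent", 24), ("Important", 72),
                     ("Normal", 168), ("Nonessential", 1440)]
IMPACT_RANK = {"Insignificant": 0, "Low": 1, "Medium": 2, "High": 3, "Extreme": 4}
# Timeframes assessed, in hours: 1 hour, 1 day, 3 days, 1 week, 60 days.
TIMEFRAMES_H = [1, 24, 72, 168, 1440]


def mtd_hours(ratings, tolerated="Low"):
    """ratings: {category: [rating at each timeframe]}. The MTD is the first
    timeframe at which any category's impact exceeds the tolerated rating."""
    limit = IMPACT_RANK[tolerated]
    for i, hours in enumerate(TIMEFRAMES_H):
        if any(IMPACT_RANK[r[i]] > limit for r in ratings.values()):
            return hours
    return TIMEFRAMES_H[-1]  # tolerance never exceeded in the assessed window


def criticality_level(mtd):
    """Least urgent level whose MTD still fits inside the process MTD."""
    fitting = [name for name, hours in CRITICALITY_MTD_H if hours <= mtd]
    return fitting[-1] if fitting else CRITICALITY_MTD_H[0][0]


def apply_dependencies(mtds, depends_on):
    """depends_on: {process: [processes it needs]}. A supporting process must
    be back no later than its dependents, so its MTD is shortened to match;
    looping until stable lets the override propagate along chains."""
    mtds = dict(mtds)
    changed = True
    while changed:
        changed = False
        for dependent, supports in depends_on.items():
            for s in supports:
                if mtds[s] > mtds[dependent]:
                    mtds[s], changed = mtds[dependent], True
    return mtds


# Constructed sample: the article's Reputational ratings for Mobile Deposit
# Capture plus an assumed Compliance row, and two assumed related processes.
MOBILE_DEPOSIT = {
    "Reputational": ["Insignificant", "Low", "Medium", "High", "Extreme"],
    "Compliance": ["Insignificant", "Insignificant", "Low", "Medium", "High"],
}
SAMPLE_MTDS = {"Mobile Deposit Capture": mtd_hours(MOBILE_DEPOSIT),
               "Core Banking": 168, "Online Banking": 24}
SAMPLE_DEPS = {"Mobile Deposit Capture": ["Core Banking"],
               "Online Banking": ["Core Banking"]}
```

With these inputs Mobile Deposit Capture gets a 72-hour MTD and the Important level, and Core Banking's MTD is pulled down from one week to 24 hours because Online Banking depends on it.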