Business Impact Analysis BIA masterclass 22317:2015 Guidelines for business impact analysis (BIA)...

IBM Resiliency Services: Always there, in an always-on world © 2015 IBM Corporation BIA Workshop “Everything you ever wanted to know about BIA but were afraid to ask” Berkshire Business Continuity Forum Robin Gaddum FBCI, May 2016

What do you want to get out of today?

Agenda

1. What is a Business Impact Analysis and why do you need one?

2. What comes first, BIA or Risk Assessment?

3. A new ISO guidance standard for BIAs to supplement ISO 22301 - so what?

4. What's the secret to a good BIA?

5. Does the BIA have a future as organisations move towards resilience?

What level of experience do we have in the room?

What is a Business Impact Analysis (BIA)? Why do you need one?

Source: BCI Good Practice Guide 2013 http://www.thebci.org/

Syndicate Questions (20 minutes):

1. Where does the BIA fit in the BCM Lifecycle?

2. What is the BIA’s purpose?

3. Have a go!

- What should it include?

- How to structure it?

- How would you present it for review and approval?

4. How would you go about completing your BIA?

NB: You are allowed to cheat!

What comes first, BIA or Risk Assessment?

Syndicate Questions (15 minutes):

1. Who ‘owns’ the BIA and why?

2. How do you determine BIA scope?

3. Do you need to consider worst-case scenarios and if so, why?

4. How do you define the level of impact that is intolerable?

5. What might you do:

- Before starting the BIA?

- After completing the BIA?

6. What does your BIA contribute to your BC Plan?

BIA and Risk Assessment – what is the difference?

What's the secret to a good BIA?

Syndicate Questions (15 minutes):

1. What internal objections to doing a BIA might you encounter?

2. Common BIA problems from your own experience?

3. Hints and tips for getting it right?

What have we learnt..?

ISO/TS 22317:2015 Guidelines for business impact analysis (BIA)

Available to buy at http://shop.bsigroup.com/

This new standard offers supplementary guidance to ISO 22301 and ISO 22313

Does the BIA have a future and what might it look like?

Issues:

1. Less appropriate for fixed and mobile asset dependent businesses

2. Automation eroding importance of a solely people-centric BIA, e.g. STP

3. Out of date almost immediately

4. Labour and time-intensive

5. Rarely leveraged for information insight and decision support

In summary, the BIA’s cost does not justify its value other than for compliance purposes

Response:

1. Systems modelling approach, e.g. Bayesian networks

2. Systems Impact Analysis to assess fully automated business processes

3. Automatic update in near real time

4. Ditto above

5. Self-service business analytics, dashboards, situation and workflow

As they stand today, BIAs must either dramatically diminish in time, cost and difficulty, or transform into something that enables operations management

For more information

Robin Gaddum FBCI

Associate Partner, IBM

[email protected] 610130

Impact Categories and Risk Appetite example

Process impacts example

Process prioritisation and Business Continuity requirements

Process resource recovery requirements example