To BIA or not to BIA? - CSM-ACE · 2015. 7. 14. · When do we do a BIA? AS/NZS 5050:2010 "Detailed...

Ian Charters FBCI. To BIA or not to BIA? BCM: The Key Questions. “Securing our Digital City”. Presentation at CSM-ACE 2010, 26th October 2010


Ian Charters FBCI

To BIA or not to BIA?

BCM: The Key Questions

“Securing our Digital City”

Presentation at CSM-ACE 2010 – 26th October 2010


Why do a BIA?

What is a BIA?

When do we do a BIA?

How do we measure disruption cost?

Do we update the BIA every year?

So is it worth it?


What is a BIA?

The process of analysing business functions and the effect that a business disruption might have upon them (BS 25999 & BCI Good Practice Guidelines 2010)

Maximum Tolerable Period of Disruption (MTPD): of products and services => of business activities => of support services

Provides the required timescales that have to be achieved by our recovery strategies and plans

[Figure: timeline with RTO and MTPD marked; outcomes labelled Successful recovery, Limited recovery, Failure]

BIA is about: Services & Activities, Impacts and TIME


When do we do a BIA?

AS/NZS 5050:2010 "Detailed risk analysis….” NO!

Risk analysis assumptions do not hold for BC events

Risk analysis should not limit the scope of BIA

Successful Business Recovery after an incident depends on the speed of the resumption of delivery of services, not the cause of the incident

Prevention is better than cure – but is costly – controlled failure may be more cost-effective

BIA must come first – before threats, strategies and plans


How do we measure disruption cost?

Impacts grow over time and:

Are Cumulative

Some are intangible

MTPD is approximate – but so are strategies


An annual update of the BIA?

Work towards BIA as a process rather than an annual project


Why do a BIA?

Ensures recovery plans meet customer’s (minimum) service expectations

Delivers effective plans

Can save money!

A forward-looking BIA can identify opportunities (or dangers) of proposed changes

Builds resilience over time

Understanding the business may lead to operational improvements and threat reductions

A thorough BIA should repay the effort many times over


Ian Charters

www.continuity.co.uk

To BIA or not to BIA? BCM

Key points

A BIA:

• Identifies impacts over time

• finds the point of no return

• is not an annual chore

• … but a vital business tool for:

  • Effective recovery plans

  • Business planning