The UCSF Business Impact Analysis (BIA) process identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputational and so forth) of natural and man-made events or disasters on business operations. The information is quantified, analyzed and reported to executives to meet regulatory diligence and compliance requirements, and as an input to disaster recovery solution planning. This is a broad-brush approach to seeing the risk at a high level.

Frequently Asked Questions (FAQs):
What is a BIA?
A business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result is a business impact analysis report, which describes the potential risks specific to the organization studied.

One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, UCSF may be able to continue more or less normally if one of the cafes on campus has to close, but would come to a complete halt if the information systems crash.

As part of a disaster recovery plan, a BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, staff and data, and so on. A BIA report quantifies the importance of business components and may suggest appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts in areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance, and in this case IT resiliency. Where possible, impact is expressed monetarily for purposes of comparison. For example, UCSF may spend three times as much on recruiting potential students, faculty and staff in the wake of a disaster to rebuild customer confidence. The BIA should assess a disaster’s impact over time and help to establish recovery strategies, priorities, and requirements for resources and time.
BIA versus Risk Assessment
Business impact analysis and risk assessment are two important steps in a business continuity plan. A BIA often takes place prior to a risk assessment. In particular, UC San Francisco’s IT Business Continuity Team will focus its BIA efforts on the effects or consequences of the interruption to critical IT business functions and attempt to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance.

How do I know if a Business Impact Analysis (BIA) is required?
To determine if a BIA is required, please complete the Business Impact Analysis Request Form (must have MyAccess Account):
What should I expect during the BIA process?
A BIA is generally a multi-phase process that includes the following steps (with possible follow-up interviews):

Who should attend the BIA interview?
The Business Impact Analysis interview attendees should include:
What are the types of BIAs?
There are two types of BIAs:
1. Comprehensive BIA: A Comprehensive BIA is conducted for all critical applications or systems that must be restored within 24 hours following a disaster.
2. Basic BIA: A Basic BIA is an abbreviated version of the Comprehensive BIA and is conducted for less critical applications or systems.

What type of BIA will I need?
A Basic BIA will be required if:
A Comprehensive BIA will be required if:
What are the BIA Interview questions?
Basic BIA Questions for the Customer:
Basic BIA Questions for the Technical Application Manager:
Comprehensive BIA Questions for the Customer: Includes all above 'Basic BIA Questions for the Customer' and:
Comprehensive BIA Questions for the Technical Application Manager: Includes all above 'Basic BIA Questions for the Technical Application Manager' and:
What is the information in the BIA used for?
The information in the BIA is used to classify IT systems based upon criticality. Based upon the Business Owner's requested Recovery Time Objective (RTO) and the viability of downtime procedures or manual workarounds, a criticality Tier is assigned. Standard disaster recovery solutions are developed based upon an application's tiering and a data backup schedule is created based upon the Business Owner's Recovery Point Objective (RPO). Following a major disaster, IT will also use the RTO to define the restoration order of critical IT services.

What are the application Tiers?
When will I see the BIA results?
BIA results will be provided within 1 business week following a BIA interview.

How do I access my BIA Summary Report?
1. Log in to Catalyst by clicking the following URL: https://ucsf.bccatalyst.com

The summary report is broken down into several sections:
How often will BIAs be reviewed?
BIAs will be reviewed annually or when a major change to the business impact or system/application is identified.

What are the most vital functions at your place of work that the BIA will address?
The BIA should assess a disaster's impact over time and help to establish recovery strategies, priorities, and requirements for resources and time. Business impact analysis and risk assessment are two important steps in a business continuity plan.

What is the function of BIA?
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment.

What are the factors considered in BIA?
An effective BIA consists of five elements: Executive Sponsorship, Understanding the Organization, BIA Tools, BIA Processes and BIA Findings.

What BIA components would you recommend as critical for the organization?
However, to achieve compliance, a BIA must:
- Identify critical processes and functions.
- Draft a roadmap for business recovery.
- Find out resource interdependencies.
- Track the flow of sensitive data.
- Determine the impact of an incident on operations.
- Sort processes and functions based on their necessity for business continuity.