When drawing up a Business Continuity Plan, conducting a Business Impact Analysis is an important first step. Chiara Ejbich and Aldo Soprano explain why.
Regulators require financial institutions to set up business continuity planning (BCP) to ensure that their business operations can cope with the effects of disruptions in service, and that the impact of these does not undermine confidence in the financial system. Such planning requires financial institutions to maintain and recover business processes should an unexpected disruption occur. So banks must define business continuity plans, and set out an internal policy that outlines how the institution will manage critical situations.
Other organisations are similarly tasked with ensuring resilience. Global warming, terrorism and pandemic diseases are all current topics reported widely in the global media and often the subject of government conferences. And disasters regularly hit the headlines. But what is needed is to translate the effects into practical terms if your own organisation were to be affected. For example, what would happen if a disease affected working employees or managers, an outage occurred and recovery systems failed? Companies and financial institutions must rely on defined strategic plans within business continuity management.
Each company should design its business continuity plan based on the risk exposures of its own business, by applying defined techniques such as business impact analysis (BIA), continuity recovery requirements analysis and risk assessment.
It is essential, although often complex, to identify the processes, people and assets that should be included in these plans. ‘Critical’ in this context does not always mean major or important functions, but those which require urgent prioritisation. It is vital to identify which critical resources and functions have to be reactivated in the case of a disruption that might threaten business continuity, and decide which have priority.
A fundamental tool is the Business Impact Assessment (BIA). This should be top of the list when the business continuity team starts drawing up business continuity plans. BIA selects and measures quantitatively and qualitatively the impact of a disruption on business processes. It is necessary to identify recovery priorities, resource requirements and key staff, in order to shape the BCP.
BIA estimates the maximum downtime for critical business processes: How long would it take to reactivate them and what would the maximum downtime be? BIA quantifies the cost of returning processes to normal functionality and the impact on customers and the company's reputation. Figure 1 represents a BIA flowchart.
The business continuity team should interview the company's process owners and, with their support, identify the really critical activities. The process owner should also assess the impact on reputation, regulatory requirements and service to clients. Critical processes are then listed and the risks to these assessed, measuring the kinds of threats, and the probability of the frequency with which these may occur. The company should then balance business impact costs in terms of resources and time needed.
A key element in the BIA will be calculating the financial costs of a breakdown or other major event. In large financial groups where activities are often outsourced, it is extremely difficult to map cost centres, so it may be challenging and onerous to identify costs related to individual processes. Simplified and standardised questions and answers about impacts on the process are a recommended solution.
We believe that the process owner should be able to provide the business continuity team with assessments as to how:
- a business disruption may affect the company financially
- it may affect its reputation
- regulatory authorities may react (for example by issuing restrictions)
- processes differ – it may be more complex to recover one process than another
- people working within that process will react – this can be a particular challenge to forecast.
The process owner, answering a multiple choice questionnaire, assesses whether the impact would be negligible, low, medium, relevant or critical (we prefer a five point scale although this may be varied). Each level of impact receives a score and the business continuity team then adds up the scores. Figure 2 shows a template report.
Based on previously defined score ranges, one will obtain the risk profile associated with the process: not important, low, medium, prominent or critical. The business continuity team should then ascertain the time and costs necessary to reactivate the critical processes.
Once the BIA approach is set, it must be updated at least annually or any time when there is a significant change in the business such as in internal business processes, location, technology or the external business environment, such as the market or regulatory framework.
Postscript
Chiara Ejbich is operational risk analyst in UniCredit Group Milan, and a member of its group-wide business continuity management project team; Aldo Soprano is head of operational risk management in UniCredit Group and chairman of the Institute of International Finance working group on operation risk, www.unicreditgroup.eu