The BIA identifies critical areas needing protection.
Review and edit, or replace, this content as appropriate to meet the needs of your business. Ensure everything within [brackets] and in the tables is customized before finalizing.
Last reviewed and updated: [date]
Owner: [Full Name]
Responsible Team: [Department/Business Unit Name]
Purpose of this Document:
- Approach to Disruptions: Provides a structured approach to evaluate how potential disruptions could affect operations, emphasizing planning, conducting, and reporting.
- Identification and Prioritization: Focuses on uncovering the critical aspects of your business that require protection, including the impact of legal, regulatory, and contractual obligations on business continuity.
- Justifying Continuity Plans: Facilitates analysis of disruption impacts to justify resource allocation and focus, aiding in stakeholder agreement.
- Critical Timeline Determination: Involves identifying the Maximum Tolerable Period of Disruption (MTPD) for essential operations.
- Resource Mapping: Highlights the need to recognize resources and dependencies crucial for quick recovery post-disruption, including setting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- Understanding Interconnections: Examines how various parts of your operations are interdependent and the relationship with external entities like suppliers and partners.
Critical Concepts Defined:
- MTPD (Maximum Tolerable Period of Disruption): Defines the longest duration your company can endure a disruption in any operation before significant harm is caused. Understanding MTPD is crucial for prioritizing recovery and managing vulnerability timelines effectively.
- RTO (Recovery Time Objective): The targeted time frame for restoring IT and business activities after a disruption. RTOs are pivotal in shaping disaster recovery strategies, ensuring timely resumption of operations.
- RPO (Recovery Point Objective): Concerns data recovery, specifically the maximum age of data files needed for restoring normal operations. RPOs are essential for gauging data loss tolerance and guiding data backup strategies.
Trustero Tip: Think of MTPD, RTO, and RPO not just as compliance terms but as practical tools to bulletproof your operations against unexpected disruptions.
Business Impact Analysis (BIA) Process Steps:
Step 1 - MTPD Determination
Critical business aspects have been identified and their maximum tolerable offline duration determined to avoid significant impact.
MTPD Impact Table:
| Impact Type | Description | MTPD Threshold |
| --- | --- | --- |
| Business objectives | Mission and vision of [Company Name] with focused product or service deliverables | Projected revenue - All Hands Meetings |
| Product | Failure to deliver on providing defined services to customers via [Company Name] Platform | Loss of services due to system downtime exceeding 4 hours |
| Liability (inclusive of legal costs) | Financial losses due to fines, penalties and/or class action lawsuits | Loss greater than USD 1 million |
| Regulatory | Litigation liability and withdrawal of license to operate | Regulator takes an interest requesting regular updates; Public warning issued |
| Market share | Loss of clients moving to competitors | New orders drop greater than 25% |
| Reputation | Negative opinion or brand damage | Temporary negative regional attention reported via news channels requiring response; Social media complaints requiring dedicated response team |
Step 2 - Activity Documentation and RTO Setting
Key business activities have been documented with their respective Maximum Tolerable Periods of Disruption (MTPDs) and Recovery Time Objectives (RTOs), to balance operational resilience (how long can this wait) against recovery efficiency (how quickly we can restore it).
Activity BIA Form:
| Product | Activity - Service Deliverables | Activity MTPD | Activity RTO |
| --- | --- | --- | --- |
| [Company Name] Platform | Primary Infrastructure | 30 min | 15 min |
| | app.[domain name].com | 2 hours | 90 min |
| | [Product/Service offering] | 2 hours | 90 min |
| | [Product/Service offering] | 4 hours | 90 min |
| | Knowledge Base | 1 hr | 30 min |
| | Customer Success (support) | 2 hours | 30 min |
Step 3 - Employee Resource Allocation
A comprehensive assessment was conducted to determine the necessary personnel allocation for each business activity during various disruption stages.
Employee Resource Chart Table:
| Activity - Service Deliverables | Resource | *BAU | 1 hr | < 2 hrs | < 8 hrs | < 1 wk | < 1 mo | > 1 mo |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Primary Infrastructure | Sr. Engineer | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| app.[domain name].com | Technical Lead - Front End | 2.5 | 1 | 1 | 2 | 2 | 2.5 | 2.5 |
| [Product/Service offering] & [Product/Service offering] | Sr. Engineer & Engineers | 2.5 | 1 | 1 | 2 | 2 | 2.5 | 2.5 |
| Knowledge Base & Customer Success (support) | Head of Customer Success | 1 | 0 | 0 | 1 | 1 | 1 | 1 |
| Total | | 7 | 3 | 3 | 6 | 8 | 9 | 9 |

*BAU: business as usual
Step 4 - ICT (Information Communication & Technology) System and Supplier Dependencies
Key external resources and suppliers have been outlined, including their Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), to align with our recovery goals.
ICT System and Dependencies Table:
| Supplier | Resource | Used by Activity / Service Deliverable | Activity RTO | RPO |
| --- | --- | --- | --- | --- |
| AWS | Engineers | Primary infrastructure, app.[domain name].com, [Product/Service offering] & [Product/Service offering] | 90 min | 5 min |
| GitHub | Engineers | Primary infrastructure, app.[domain name].com, [Product/Service offering] & [Product/Service offering] | 90 min | 5 min |
| Multi (formerly Remotion) | Engineers | Primary infrastructure, app.[domain name].com, [Product/Service offering] & [Product/Service offering] | 90 min | 5 min |
| Jira & Confluence | Engineers & Head of Customer Success | All | 30 min | 10 min |
| Slack | Engineers & Head of Customer Success | All | 30 min | 10 min |
| HubSpot | Head of Customer Success | Knowledge Base & Customer Success (support) | 30 min | 10 min |
| Google Workspace | Engineers & Head of Customer Success | Knowledge Base & Customer Success (support) | 30 min | 10 min |
Customization Is Key: Adapt this template to fit your company’s specific operations, resources, and recovery capabilities. Regular updates are vital to keep it relevant.
Associated Controls: Upload to BC01