05 Resolver Corporate Business Impact Analysis Methodology by ISO 22301

1. Purpose, scope, and users

The purpose of this document is to define the methodology and process for assessing the impacts of disrupting Resolver activities, and for determining continuity and recovery priorities, objectives, and targets.

Business impact analysis is applied to the entire scope of the Business Continuity Management System (BCMS), i.e., to all activities that support Resolver products and services.

Users of this document are all employees of Resolver who take part in establishing and implementing the BCMS.

2. Reference documents

  • ISO 22301 clauses 8.2.1 and 8.2.2
  • Business Continuity Policy
  • Business Continuity Strategy
  • List of Statutory, Regulatory, Contractual, and Other Requirements

3. Business Continuity Management

3.1. Organization

Business impact analysis is implemented through Business Impact Analysis Questionnaires. The process is coordinated by the BC Manager and the analysis of individual activities is conducted by the responsible person in each activity.

Business impact analysis is performed before the risk assessment, so that the information about the resources each activity requires (see 3.6) is available when the risk assessment is conducted on those activities and resources.

Handling of confidential documents produced according to this Methodology is to be done according to “A.8.2 Resolver Corporate Data Handling Policy”.

3.2. Identification of activities

BC leads in each department are responsible for identifying all the activities that support the provision of products and services, and for defining the responsible person for each activity.

3.3. Impacts of a disruptive incident

The impacts of a disruptive incident on an activity are assessed through (1) general impacts (qualitative assessment), and (2) financial impact (quantitative assessment). Both of these impacts are assessed for the following time scales:

  • 2 hours
  • 4 hours
  • 24 hours
  • 48 hours
  • 1 week

If an activity is less time-sensitive, the time scales for that particular activity may be lengthened, e.g., so that they run from 4 hours up to 2 weeks, or similar.

For general assessment (1), the impacts are classified as follows:

Level 1, Marginal impact: The duration of the disruptive incident causes negligible damage to the organization’s cash flow, legal, contractual or regulatory obligations, or its reputation. Damage is lower than CAD 10,000.

Level 2, Acceptable impact: The duration of the disruptive incident causes damage to the organization’s cash flow, legal, contractual or regulatory obligations, or its reputation, but such damage is still acceptable considering the organization’s size and specific circumstances.

Level 3, High impact: The duration of the disruptive incident causes damage to the organization’s cash flow, legal, contractual or regulatory obligations, or its reputation, and such damage is unacceptable considering the organization’s size and specific circumstances.

Level 4, Catastrophic impact: The duration of the disruptive incident causes critical damage to the organization’s cash flow, legal, contractual or regulatory obligations, or its reputation, so that the organization will lose most of its capital and/or will have to shut down its operations permanently.

For financial assessment (2), the impact needs to be stated in local currency.

3.4. Determining the Maximum Acceptable Outage (MAO)

ISO 22301 defines Maximum acceptable outage (MAO), also called Maximum tolerable period of disruption (MTPOD or MTPD), as:

The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.

BS 25999-2 (BSI) defines MTPOD as the duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

MAO / MTPOD / MTPD is determined in hours or days as the earlier of:

  • The shortest time scale at which the general impact reaches level 3 (or level 4, if no time scale was assessed at level 3), or
  • The shortest time scale at which the financial impact becomes unacceptable when compared to the organization’s equity, profit, budget or revenues.

3.5. Amount of work

In this part of the analysis the periods with the highest workload peaks are identified, and the minimum business continuity objective (MBCO) is determined, i.e., the minimum level of services and/or products that is acceptable to the organization during a disruption.

3.6. Resources required for recovery

The following types of resources need to be identified:

  • People
  • Applications / databases / Services
  • Data stored in electronic form (not included in applications and databases)
  • Data stored on paper media
  • IT and communications equipment
  • Communication channels
  • Other equipment
  • Facilities and infrastructure
  • Working capital
  • External services

For each resource the following needs to be determined:

  • The amount of the resource required for the recovery of the activity
  • Whether the resource is a single point of failure
  • The time after which the resource is required, measured from the resumption of the activity

3.7. Dependency on others

In this part of the analysis, the dependencies on (1) other activities, (2) outsourcing partners, and (3) suppliers need to be identified.

For each outsourcing partner and supplier, the following needs to be analyzed:

  • Which document defines the requirements in case of a disruptive incident
  • The existing level of business continuity capability

3.8. Maximum data loss / Recovery Point Objective (RPO)

RPO, or Recovery Point Objective, expresses the organization’s tolerance for data loss, measured as the maximum period of data (counted back from the moment of disruption) that can be lost without unacceptable damage. The RPO in turn sets the longest permissible interval between backups or replication runs, because everything created after the last successful copy is lost when the disruption occurs.

A simple illustration: imagine writing an important, lengthy report. Eventually the computer will crash, and whatever was written after the last save will be lost. How much time can you tolerate spending to recover or rewrite that missing content? That time is the RPO, and it dictates how often the work must be saved. Likewise, if the business can survive the loss of three to four days of data, the RPO is three days (the more conservative end of that range), and backups must run at least that often. Reference: https://www.techadvisory.org/2014/07/the-difference-between-rto-and-rpo/

For each database, application, or set of information identified in the analysis, the maximum amount of data that can be lost needs to be assessed. The loss is assessed for the data created in the preceding:

  • 1 hour
  • 4 hours
  • 24 hours
  • 48 hours
  • 1 week

If needed, the scales in particular activities can be shortened/lengthened in order to fit the type of data in that activity.

The impact of the loss of data is classified as follows:

Level 1, Marginal impact: The amount of lost data causes negligible damage to the organization’s cash flow, legal or contractual obligations, or its reputation.

Level 2, Acceptable impact: The amount of lost data causes damage to the organization’s cash flow, legal or contractual obligations, or its reputation, but such damage is still acceptable considering the organization’s size and specific circumstances.

Level 3, High impact: The amount of lost data causes damage to the organization’s cash flow, legal or contractual obligations, or its reputation, and such damage is unacceptable considering the organization’s size and specific circumstances.

Level 4, Catastrophic impact: The amount of lost data causes critical damage to the organization’s cash flow, legal or contractual obligations, or its reputation, so that the organization will lose most of its capital and/or will have to shut down its operations permanently.
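The following is an added worked example, not part of the Resolver methodology or its questionnaire, showing how the rules in 3.4 (MAO) and 3.8 (RPO) can be applied mechanically to questionnaire answers. The time scales and impact levels are those of 3.3 and 3.8. The two activities, their answers and the CAD 50,000 financial threshold are constructed for illustration; the document only says the financial threshold is judged against equity, profit, budget or revenues. The RPO rule used here (the longest data-loss window still rated level 1 or 2) is an assumption, since the document defines RPO as the maximum tolerable data loss but does not spell out the derivation the way 3.4 does for MAO.

```python
"""Derive MAO (section 3.4) and RPO (section 3.8) from BIA questionnaire answers.

Added example, not part of the Resolver methodology. Time scales and impact levels
follow sections 3.3 and 3.8; sample answers, the CAD threshold and the RPO rule
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Section 3.3 / 3.8 time scales, expressed in hours so they can be ordered.
OUTAGE_SCALES: Dict[str, int] = {"2 hours": 2, "4 hours": 4, "24 hours": 24, "48 hours": 48, "1 week": 168}
DATA_LOSS_SCALES: Dict[str, int] = {"1 hour": 1, "4 hours": 4, "24 hours": 24, "48 hours": 48, "1 week": 168}
UNACCEPTABLE_LEVEL = 3  # level 3 (High) is the first unacceptable level; level 4 is Catastrophic


@dataclass
class ActivityBIA:
    """One activity's questionnaire answers (constructed for this example)."""
    name: str
    general_impact: Dict[str, int]        # outage scale -> impact level 1..4
    financial_impact_cad: Dict[str, int]  # outage scale -> loss in CAD (section 3.3, item 2)
    data_loss_impact: Dict[str, int]      # data-loss scale -> impact level 1..4


def validate_levels(levels: Dict[str, int], scales: Dict[str, int]) -> None:
    """Sanity-check one questionnaire column: known scale labels, levels 1..4, and
    impact that does not decrease as the window lengthens (a decrease is an answer error)."""
    previous = 0
    for label in sorted(levels, key=scales.__getitem__):  # KeyError on an unknown scale label
        level = levels[label]
        if level not in (1, 2, 3, 4):
            raise ValueError(f"{label}: impact level must be 1..4, got {level!r}")
        if level < previous:
            raise ValueError(f"{label}: impact level {level} is lower than for a shorter window")
        previous = level


def first_unacceptable_hours(levels: Dict[str, int], scales: Dict[str, int]) -> Optional[int]:
    """Shortest window rated level 3, or level 4 if no window is rated 3 (section 3.4).
    Once levels are validated as non-decreasing this is simply the first level >= 3.
    None means no assessed window is unacceptable: the scale should be lengthened (3.3)."""
    validate_levels(levels, scales)
    for label in sorted(levels, key=scales.__getitem__):
        if levels[label] >= UNACCEPTABLE_LEVEL:
            return scales[label]
    return None


def mao_hours(bia: ActivityBIA, unacceptable_loss_cad: int,
              scales: Dict[str, int] = OUTAGE_SCALES) -> Optional[int]:
    """MAO per section 3.4: the earlier of (a) the first window with unacceptable general
    impact and (b) the first window whose financial loss reaches the organisation's
    threshold. The threshold is an assumed input."""
    candidates = []
    general = first_unacceptable_hours(bia.general_impact, scales)
    if general is not None:
        candidates.append(general)
    for label in sorted(bia.financial_impact_cad, key=scales.__getitem__):
        if bia.financial_impact_cad[label] >= unacceptable_loss_cad:
            candidates.append(scales[label])
            break
    return min(candidates) if candidates else None


def rpo_hours(bia: ActivityBIA, scales: Dict[str, int] = DATA_LOSS_SCALES) -> Optional[int]:
    """RPO, assumed here to be the longest data-loss window still rated acceptable (level 1
    or 2). 0 means even the shortest window is unacceptable (near-continuous replication is
    needed); None means no window is unacceptable and the scale should be lengthened."""
    first_bad = first_unacceptable_hours(bia.data_loss_impact, scales)
    if first_bad is None:
        return None
    acceptable = [scales[label] for label in bia.data_loss_impact if scales[label] < first_bad]
    return max(acceptable) if acceptable else 0


# Constructed sample answers for two activities.
SUPPORT_PORTAL = ActivityBIA(
    name="Customer support portal",
    general_impact={"2 hours": 1, "4 hours": 2, "24 hours": 3, "48 hours": 4, "1 week": 4},
    financial_impact_cad={"2 hours": 2_000, "4 hours": 8_000, "24 hours": 60_000,
                          "48 hours": 200_000, "1 week": 900_000},
    data_loss_impact={"1 hour": 1, "4 hours": 2, "24 hours": 3, "48 hours": 4, "1 week": 4},
)
PAYMENT_PROCESSING = ActivityBIA(
    name="Payment processing",
    # No window is rated 3, so the first level 4 window (24 hours) is taken, per 3.4 ...
    general_impact={"2 hours": 2, "4 hours": 2, "24 hours": 4, "48 hours": 4, "1 week": 4},
    # ... but the financial criterion bites earlier, at 4 hours, so MAO is 4 hours.
    financial_impact_cad={"2 hours": 30_000, "4 hours": 70_000, "24 hours": 400_000,
                          "48 hours": 800_000, "1 week": 2_500_000},
    data_loss_impact={"1 hour": 3, "4 hours": 4, "24 hours": 4, "48 hours": 4, "1 week": 4},
)
ASSUMED_UNACCEPTABLE_LOSS_CAD = 50_000  # assumed organisational threshold, not from the document

if __name__ == "__main__":
    for bia in (SUPPORT_PORTAL, PAYMENT_PROCESSING):
        print(f"{bia.name}: MAO = {mao_hours(bia, ASSUMED_UNACCEPTABLE_LOSS_CAD)} h, "
              f"RPO = {rpo_hours(bia)} h")
```

The validation step is the part worth keeping even if the rest is done in a spreadsheet: an impact level that drops as the outage or data-loss window grows is an inconsistent answer and should be sent back to the responsible person rather than silently used to derive MAO or RPO. The `scales` parameter lets an activity with lengthened or shortened scales (3.3, 3.8) be processed with its own label-to-hours mapping.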

3.9. Reporting the results

The information gathered through Business Impact Analysis Questionnaires is sent to the Information Security Analyst, whose responsibility is to aggregate the data and document it in the Business Continuity Strategy.

3.10. Regular review of business impact analysis

The BC Manager must conduct a review of the Business Impact Analysis Questionnaires and update the Business Continuity Strategy accordingly. The review is conducted at least once a year, or more frequently in case of significant organizational changes, a significant change in technology, a change of business objectives, changes in the business environment, etc.

4. Managing Records kept on the basis of this document

Record name: Business Impact Analysis Questionnaires (electronic form, Excel document)
Storage location: Box folder: link should be here.
Person responsible for storage: BC Manager
Control for record protection: Questionnaires need to be saved in a read-only format.
Retention time: Data is stored for a period of 5 years.

The BC Coordinator can grant other employees access to any of the above-mentioned records. In the absence of the BC Coordinator, the BC Manager can grant access; in the absence of the BC Manager, the BC Manager’s backup can.

5. Validity and document management

This document is valid as of August 2020.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • the number of resources not included in Business Impact Analysis Questionnaires
  • failure to recover activities because of errors in the business impact analysis process
  • the number of errors in the business impact analysis process because of the unclear definition of roles and responsibilities

6. Appendices

  • Appendix 1 – Business Impact Analysis Questionnaire

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.