The purpose of this document is to define the methodology and process for assessing the impacts of disrupting Resolver activities, and for determining continuity and recovery priorities, objectives, and targets.
Business impact analysis is applied to the entire scope of the Business Continuity Management System (BCMS), i.e., to all activities that support Resolver products and services.
Users of this document are all employees of Resolver who take part in establishing and implementing the BCMS.
Business impact analysis is implemented through Business Impact Analysis Questionnaires. The process is coordinated by the BC Manager and the analysis of individual activities is conducted by the responsible person in each activity.
Business impact analysis is performed after the risk assessment has finished so that the information about the required resources can be gathered during the risk assessment.
Handling of confidential documents produced according to this Methodology is to be done according to “A.8.2 Resolver Corporate Data Handling Policy”.
BC leads in each department are responsible for identifying all the activities that support the provision of products and services, and for defining the responsible person for each activity.
The impacts of a disruptive incident on an activity are assessed through (1) general impacts (qualitative assessment), and (2) financial impact (quantitative assessment). Both of these impacts are assessed for the following time scales:
If an activity is less time-sensitive, the time scales for that particular activity can be lengthened (e.g., from 4 hours to 2 weeks, or similar).
For general assessment (1), the impacts are classified as follows:
Marginal impact | 1 | Duration of the disruptive incident causes negligible damage to the organization’s cash flow, legal or contractual obligations, reputation, or regulatory standing. Damage lower than CAD $10,000. |
Acceptable impact | 2 | Duration of the disruptive incident causes damage to the organization’s cash flow, legal or contractual obligations, reputation, or regulatory standing, but such damage is still acceptable considering its size and specific circumstances. |
High impact | 3 | Duration of the disruptive incident causes damage to the organization’s cash flow, legal or contractual obligations, reputation, or regulatory standing, and such damage is unacceptable considering its size and specific circumstances. |
Catastrophic impact | 4 | Duration of the disruptive incident causes critical damage to the organization’s cash flow, legal or contractual obligations, reputation, or regulatory standing, so that it will lose most of its capital and/or will have to shut down its operations permanently. |
For financial assessment (2), the impact needs to be stated in local currency.
Definition of Maximum acceptable outage (MAO) / Maximum tolerable period of disruption (MTPOD or MTPD) per ISO 22301:
The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.
Or, per BSI BS 25999, Part 2: MTPOD is the duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.
MAO / MTPOD / MTPD is determined in hours or days, as follows:
In this part of the analysis the periods with the highest workload peaks are identified, and the minimum business continuity objective is determined.
The following types of resources need to be identified:
For each resource the following needs to be determined:
In this part of the analysis, the dependencies on (1) other activities, (2) outsourcing partners, and (3) suppliers need to be identified.
For each outsourcing partner and supplier, the following needs to be analyzed:
RPO, or Recovery Point Objective, is focused on data and the company’s loss tolerance in relation to its data. RPO is determined by looking at the time between data backups and the amount of data that could be lost between backups.
As part of business continuity planning, you need to determine how long you can afford to operate without that data before the business suffers. A good example of setting an RPO is to imagine that you are writing an important, yet lengthy, report. Assume that eventually your computer will crash and the content written after your last save will be lost. How much time can you tolerate having to recover or rewrite that missing content?
That time becomes your RPO, and it should dictate how often you back up your data (or, in this case, save your work). If you find that your business can survive three to four days between backups, then the RPO would be three days (the shorter time, so that the tolerance is never exceeded). Reference: https://www.techadvisory.org/2014/07/the-difference-between-rto-and-rpo/
For each database, application, or information identified in the analysis, the maximum amount of data that can be lost needs to be assessed. The data loss is assessed for the amount of data that is created in the last:
If needed, the scales in particular activities can be shortened/lengthened in order to fit the type of data in that activity.
The impact of the loss of data is classified as follows:
Marginal impact | 1 | The amount of lost data causes negligible damage to the organization’s cash flow, legal or contractual obligations, or its reputation. |
Acceptable impact | 2 | The amount of lost data causes damage to the organization’s cash flow, legal or contractual obligations, or its reputation, but such damage is still acceptable considering its size and specific circumstances. |
High impact | 3 | The amount of lost data causes damage to the organization’s cash flow, legal or contractual obligations, or its reputation, and such damage is unacceptable considering its size and specific circumstances. |
Catastrophic impact | 4 | The amount of lost data causes critical damage to the organization’s cash flow, legal or contractual obligations, or its reputation, so that it will lose most of its capital, and/or will have to shut down its operations permanently. |
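The following Python example is added here to show how the two scoring tables above turn into the continuity targets this methodology asks for; it is not part of the Resolver methodology or its questionnaire tooling. It assumes (as an interpretation of the ISO 22301 definition quoted earlier) that MTPD is the shortest assessed outage duration scored 3 or 4, that RPO is the longest assessed data-loss window still scored 1 or 2, and that a score that decreases as the window grows is a questionnaire entry error. The time scales, scores and backup timestamps are constructed sample input; the function names are the example’s own.

```python
from datetime import datetime, timedelta

# Impact levels from the methodology's tables:
# 1 marginal, 2 acceptable, 3 high, 4 catastrophic. Levels 3 and 4 are unacceptable.
UNACCEPTABLE = 3

H = timedelta(hours=1)
D = timedelta(days=1)


def _check_scale(scores):
    """Questionnaire sanity check (assumption of this example): impact must not
    decrease as the disruption or data-loss window grows. Returns the windows in
    ascending order; raises ValueError on a decreasing score."""
    ordered = sorted(scores)
    for earlier, later in zip(ordered, ordered[1:]):
        if scores[later] < scores[earlier]:
            raise ValueError(f"impact drops from {scores[earlier]} at {earlier} "
                             f"to {scores[later]} at {later}")
    return ordered


def mtpd(impact_by_duration):
    """MTPD / MAO: the shortest assessed outage duration at which the general
    impact score becomes unacceptable (>= 3). None means the impact stayed
    acceptable across the whole scale, i.e. the scale should be lengthened."""
    for duration in _check_scale(impact_by_duration):
        if impact_by_duration[duration] >= UNACCEPTABLE:
            return duration
    return None


def rpo(loss_impact_by_window):
    """RPO: the longest assessed data-loss window whose impact is still
    acceptable (< 3). None means even the shortest window is unacceptable, so
    the scale must be shortened before a target can be set."""
    target = None
    for window in _check_scale(loss_impact_by_window):
        if loss_impact_by_window[window] >= UNACCEPTABLE:
            break
        target = window
    return target


def backup_gap_check(backup_times, rpo_target, as_of):
    """Compare an actual backup schedule against the RPO. Worst-case data loss
    is the largest gap between consecutive backups, or the time elapsed since
    the last backup as of 'as_of' if that is larger (a failure right now would
    lose that much). Returns (worst_case_gap, meets_rpo)."""
    times = sorted(backup_times) + [as_of]
    worst = max(b - a for a, b in zip(times, times[1:]))
    return worst, worst <= rpo_target


def run_demo():
    """Constructed sample questionnaire data for one activity and one database."""
    general_impact = {4 * H: 1, 24 * H: 2, 3 * D: 3, 7 * D: 4}   # outage duration -> score
    loss_impact = {1 * H: 1, 4 * H: 2, 24 * H: 3, 7 * D: 4}      # data-loss window -> score

    activity_mtpd = mtpd(general_impact)   # 3 days
    db_rpo = rpo(loss_impact)              # 4 hours

    # Constructed backup log: the overnight gap is 8 hours, which breaches a 4-hour RPO.
    backups = [datetime(2020, 8, 10, 0, 0), datetime(2020, 8, 10, 6, 0),
               datetime(2020, 8, 10, 12, 0), datetime(2020, 8, 10, 20, 0)]
    worst_gap, ok = backup_gap_check(backups, db_rpo, as_of=datetime(2020, 8, 10, 22, 0))

    # Same database on a strict 4-hour cadence meets the target.
    cadence = [datetime(2020, 8, 10, h, 0) for h in (0, 4, 8, 12, 16, 20)]
    _, ok_cadence = backup_gap_check(cadence, db_rpo, as_of=datetime(2020, 8, 10, 22, 0))

    return {"mtpd": activity_mtpd, "rpo": db_rpo, "worst_gap": worst_gap,
            "meets_rpo": ok, "cadence_meets_rpo": ok_cadence}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The RTO chosen in the continuity strategy must then be shorter than the MTPD returned here, and the backup schedule must keep the worst-case gap at or below the RPO; the example treats the questionnaire scores as the only inputs, so the CAD $10,000 threshold from the financial assessment would have to be applied separately.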
The information gathered through the Business Impact Analysis Questionnaires is sent to an Information Security Analyst, whose responsibility is to aggregate and document the data in the Business Continuity Strategy.
The BC Manager must review the Business Impact Analysis Questionnaires and update the Business Continuity Strategy accordingly. The review is conducted at least once a year, or more frequently in case of significant organizational changes, a significant change in technology, a change of business objectives, changes in the business environment, etc.
Record name | Storage location | Person responsible for storage | Control for record protection | Retention time |
Business Impact Analysis Questionnaires (electronic form – Excel document) | Box-folder: link should be here. | BC Manager | Questionnaires need to be saved in a read-only format. | Data is stored for a period of 5 years. |
The BC Coordinator can grant other employees access to any of the above-mentioned documents; in the absence of the BC Coordinator, the BC Manager can grant permission, and in the absence of the BC Manager, the BC Manager backup.
This document is valid as of August 2020
The owner of this document is an Information Security Analyst, who must check and if necessary update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.