Pub. 9 2020 Issue 3

The CommunityBanker

FEATURE

Simplifying Business Impact Analysis

By Leticia Saiid

To have an effective Business Continuity Plan (BCP), recovery plans must be based on a Business Impact Analysis (BIA). According to the FFIEC’s Business Continuity Management booklet, BIA is “the process of identifying the potential impact of disruptive events to an entity’s functions and processes.” There are a lot of elements to capital BIA, but for the purpose of this article, we are going to focus on the conceptual lowercase business impact analysis. This analysis will help you make informed decisions about when certain processes can be restored and help you determine appropriate Recovery Time Objectives (RTO).

Prepare the Definitions

The first step in simplifying a BIA is to define ratings, categories, and labels of any kind. Definitions are foundational to an effective analysis process.

Criticality Levels

Criticality Levels are necessary for defining which processes require more immediate attention than others. Consider creating a set of levels such as Critical, Urgent, Important, Normal, and Nonessential. If you work for a smaller institution, you may find you need fewer level options.

The definition of each criticality level is its corresponding Maximum Tolerable Downtime (MTD). This is the amount of time your business can tolerate without the process. For Critical processes, you may only tolerate minutes, but for Nonessential processes, you might tolerate weeks.

Business Impact Categories

When considering downtime of a business process, consider the ramifications this downtime may have on your organization. The kind of impacts which concern you will determine your categories. At a minimum, you should consider the Compliance, Financial, Operational and Reputational impacts to your organization, should a process be unavailable. For each category, provide clear definitions for each rating.

For example, consider the following impact level definitions for the Compliance category:

• Insignificant: Negligible compliance, contractual, regulatory or legal concerns.
• Low: Potential for compliance, contractual, regulatory or legal issues with minor implications.
• Medium: Confirmed compliance, contractual, regulatory or legal issues with moderate implications.
• High: Major penalties and/or costs related to compliance, contractual, regulatory or legal issues.
• Extreme: Extreme penalties related to compliance, contractual, regulatory or legal issues (e.g., jail time for employees, closing of the institution, etc.)

Analyze Impact

Make a list of your business processes. Business processes are a combination of the people, resources, and procedures that achieve a goal, such as Accounting, Information Technology, Lending Operations, Cash Management, and Regulatory Reporting.
