
Business Continuity Planning Booklet - March 2008

BUSINESS IMPACT ANALYSIS

Action Summary
A business impact analysis is the first step in the business continuity
planning process and should include the:
• Assessment and prioritization of all business functions and
processes, including their interdependencies, as part of a work
flow analysis;
• Identification of the potential impact of business disruptions
resulting from uncontrolled, non-specific events on the institution's
business functions and processes;
• Identification of the legal and regulatory requirements for the
institution's business functions and processes;
• Estimation of maximum allowable downtime, as well as the
acceptable level of losses, associated with the institution's business
functions and processes; and
• Estimation of recovery time objectives (RTOs), recovery point
objectives (RPOs), and recovery of the critical path.
The institution's first step in the business continuity process is the development of a
BIA.[9] The amount of time and resources needed to complete the BIA will depend on the
size and complexity of the financial institution. The BIA should include a work flow
analysis that involves an assessment and prioritization of those business functions and
processes that must be recovered. The work flow analysis should be a dynamic process
that identifies the interdependencies between critical operations, departments, personnel,
and services. The identification of these interdependencies, as part of the BIA, should
assist management in determining the priority of business functions and processes and the
overall effect on recovery timelines.

Once business functions and processes have been assessed and prioritized, the BIA
should identify the potential impact of uncontrolled, non-specific events on these
business functions and processes. Non-specific events should be identified so that
management can concentrate on the impact of various disruptions instead of specific
threats that may never affect operations. At the same time, management should never
ignore potential risks that are evident in the institution’s particular area. For example,
financial institutions may be located in flood-prone areas, near fault lines, or by areas
subject to tornados or hurricanes.

[9] Refer to Appendix F: "Business Impact Analysis Process" for additional information.

FFIEC IT Examination Handbook Page 8

In addition to identifying the impact of non-specific events on business functions and
processes, the BIA should also consider the impact of legal and regulatory requirements.
For example, management should assess the impact of compromised customer data,
which can result in regulatory concerns and a loss of public confidence.[10] By identifying
the potential impact of this issue, management may have a better idea of the business
functions and processes that could potentially be affected. Management should consider
the regulatory requirement regarding notification to the institution's primary federal
regulator when facilities are relocated.[11]

The BIA should also estimate the maximum allowable downtime for critical business
functions and processes and the acceptable level of losses (data, operations, financial,
reputation, and market share) associated with this estimated downtime. As part of this
analysis, management should decide how long the institution can operate without its
systems before the loss becomes too great and how much data the financial institution can
afford to lose and still survive. The results of this step will assist institution management
in establishing RTOs, RPOs, and recovery of the critical path, which represents those
business processes or systems that must receive the highest priority during recovery. These
recovery objectives should be considered simultaneously to determine more accurately the
total downtime a financial institution could suffer due to a disaster. In addition, these
recovery objectives require management to determine which essential personnel,
technologies, facilities, communications systems, vital records, and data must be recovered
and what processing sequence should be followed so that activities that fall directly on the
critical path receive the highest priority. One of the advantages of analyzing allowable
downtime and recovery objectives is the potential support it may provide for the funding
needs of a specific recovery solution based on the losses identified and the importance of
certain business functions and processes.
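
The interdependency and critical-path reasoning in the paragraph above, as a worked example added here (it is not part of the FFIEC booklet). It models a constructed inventory of business processes, each with the RTO its owner stated, the hours needed to restore it once its dependencies are up, and the processes it depends on; from that it derives a dependency-respecting recovery sequence, the earliest hour each process can actually be back, the processes whose stated RTO is unachievable because of what they depend on, and the critical path. Process names, hours and field names are assumptions; RPO is deliberately left out of the timing model.

```python
"""Worked BIA dependency / critical-path example (added illustration, not FFIEC text).

Each Process carries the RTO its business owner stated, the hours needed to
restore it once its dependencies are up, and the processes it depends on.
All names and numbers are constructed sample data.
"""
from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float          # maximum allowable downtime stated by the business owner
    recovery_hours: float     # time to restore this process after its dependencies are up
    depends_on: tuple = ()    # upstream processes that must be recovered first


# Constructed inventory; hypothetical names and hours.
SAMPLE = [
    Process("Network", rto_hours=2, recovery_hours=2),
    Process("Identity", rto_hours=4, recovery_hours=1, depends_on=("Network",)),
    Process("Internet access", rto_hours=4, recovery_hours=1, depends_on=("Network",)),
    Process("Core banking", rto_hours=4, recovery_hours=3, depends_on=("Network", "Identity")),
    Process("Wire transfers", rto_hours=4, recovery_hours=1, depends_on=("Core banking",)),
    Process("Online banking", rto_hours=8, recovery_hours=2,
            depends_on=("Core banking", "Internet access")),
]


def recovery_sequence(processes):
    """Order in which processes can be restored so every dependency precedes its dependents.

    Raises ValueError for a dependency that is not in the inventory or for a
    circular dependency; both are BIA data errors that must be fixed before the
    sequence is trusted.
    """
    by_name = {p.name: p for p in processes}
    for p in processes:
        unknown = sorted(set(p.depends_on) - by_name.keys())
        if unknown:
            raise ValueError(f"{p.name!r} depends on unknown process(es): {unknown}")
    graph = {p.name: p.depends_on for p in processes}
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency: {' -> '.join(exc.args[1])}") from exc


def effective_rto(processes):
    """Earliest hour each process can be back, given that dependencies recover first.

    effective(p) = recovery_hours(p) + max(effective(d) for d in depends_on(p)),
    or just recovery_hours(p) when p has no dependencies.  Returns (times, driver),
    where driver[p] is the dependency that gated p, or None.
    """
    by_name = {p.name: p for p in processes}
    times, driver = {}, {}
    for name in recovery_sequence(processes):
        p = by_name[name]
        if p.depends_on:
            gating = max(p.depends_on, key=lambda d: times[d])
            times[name] = times[gating] + p.recovery_hours
            driver[name] = gating
        else:
            times[name] = p.recovery_hours
            driver[name] = None
    return times, driver


def critical_path(processes):
    """The dependency chain that sets total downtime: walk back from the slowest process."""
    times, driver = effective_rto(processes)
    node = max(times, key=times.get)
    path = []
    while node is not None:
        path.append(node)
        node = driver[node]
    path.reverse()
    return path


def rto_gaps(processes):
    """Processes whose stated RTO is unachievable once upstream recovery is accounted for.

    Maps name -> (effective hours, stated RTO hours).
    """
    times, _ = effective_rto(processes)
    return {p.name: (times[p.name], p.rto_hours)
            for p in processes if times[p.name] > p.rto_hours}


if __name__ == "__main__":
    print("recovery sequence:", " -> ".join(recovery_sequence(SAMPLE)))
    print("critical path:", " -> ".join(critical_path(SAMPLE)))
    for name, (eff, stated) in rto_gaps(SAMPLE).items():
        print(f"RTO gap: {name} needs {eff}h but owner stated {stated}h")
```

On the sample data the stated 4-hour RTO for Core banking cannot be met: it is back at hour 6 because Identity, which it depends on, is itself waiting on Network. That is the kind of finding the booklet has in mind when it says the objectives must be considered simultaneously, and it points the funding case at the gating dependency rather than at the process that reported the symptom.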

Personnel responsible for the BIA should consider developing uniform interview and
inventory questions that can be used on an enterprise-wide basis. Uniformity can
improve the consistency of responses and help personnel involved in the BIA phase
compare and evaluate business process requirements. This phase may initially prioritize
business processes based on their importance to the institution's achievement of strategic
goals and the maintenance of safe and sound practices. However, this prioritization
should be revisited once the business processes are modeled against various threat
scenarios so that a comprehensive BCP can be developed.

[10] Refer to the "Information Security Booklet" included in the Federal Financial Institutions Examination
Council IT Examination Handbook for additional information.
[11] Refer to the "Policy Statement of the Office of the Comptroller of the Currency, Board of Governors of the
Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision Concerning
Branch Closing Notices and Policies," Volume 64 Federal Register, page 34844 (June 29, 1999); "Establishment
and Relocation of Domestic Branches and Offices," Board of Governors of the Federal Reserve System, 12 CFR
Part 208.6; Federal Deposit Insurance Corporation, 12 CFR Part 303.44; Office of the Comptroller of the
Currency, 12 CFR Part 5.30; and Office of Thrift Supervision, 12 CFR Part 545.95.

When determining a financial institution's critical needs, all functions, processes, and
personnel should be analyzed. In documenting the mission critical functions performed,
each department should consider the following questions:

• What critical interdependencies exist between internal systems,
applications, business processes, and departments?
• What specialized equipment is required and how is it used?
• How would the department function if the mainframe, network and/or
Internet access were not available?
• What single points of failure exist and how significant are those risks?
• What are the critical outsourced relationships and dependencies?
• What are the required responsibilities of the institution and the third-party
service provider as defined by the service level agreement?
• What critical operational or security controls require implementation prior
to recovery?
• What is the minimum number of staff and amount of space that would be
required at a recovery site?
• What special forms or supplies would be needed at a recovery site?
• What equipment would be needed at a recovery site to communicate with
employees, vendors, and customers?
• What is the potential impact if common recovery sites serve multiple
financial institutions?
• Have employees received cross training, and has the department defined
back-up functions/roles that employees should perform if key personnel
are not available?
• Are the personal needs of employees adequately considered?
• What are the critical cash management/liquidity issues?

Once the BIA is complete, it should be evaluated during the risk assessment process and
incorporated into, and tested as part of, the BCP. The BIA should be reviewed by the
board and senior management periodically and updated to reflect significant changes in
business operations, audit recommendations, and lessons learned during the testing
process. In addition, a copy of the BIA should be maintained at an offsite location so it is
easily accessible when needed.
