What do we do?
The purpose of the Business Impact Analysis (BIA) is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions. The BIA is an essential part of a Business Continuity Plan (BCP). The BIA can be done separately from the BCP, or in conjunction with the overall BCP project. Regardless of the approach taken, the BIA results must inform the organizations BCP.
How we do it?
RHEA has acquired the services of highly experienced and qualified Security professionals who either oversaw, guided or led working groups in the conception of a Business Impact Analysis (BIA) or created one themselves for their organization. They are familiar with the BIA concept, requirements and contents. These selected individuals have been assigned to complete similar projects for specific clients due to their knowledge and expertise in this area of security.
1. Identify the mandate and critical aspects of an organization
This step determines what goods or services must be delivered. Information can be obtained from the mission statement of the organization, and legal requirements for delivering specific services and products.
2. Prioritize critical services or products
Once the critical services or products are identified, they must be prioritized based on minimum acceptable delivery levels and the maximum period of time the service can be down before severe damage to the organization results. To determine the ranking of critical services, information is required to determine impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses.
3. Identify impacts of disruptions
The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability. It will be necessary to determine the time period that a service or product could be unavailable before severe impact is felt.
4. Identify areas of potential revenue loss
To determine the loss of revenue, it is necessary to determine which processes and functions that support service or product delivery are involved with the creation of revenue. If these processes and functions are not performed, is revenue lost? How much? If services or goods cannot be provided, would the organization lose revenue? If so, how much revenue, and for what length of time? If clients cannot access certain services or products would they then to go to another provider, resulting in further loss of revenue?
5. Identify intangible loss
Estimates are required to determine the approximate cost of the loss of consumer and investor confidence, damage to reputation, loss of competitiveness, reduced market share, and violation of laws and regulations. Loss of image or reputation is especially important for public institutions as they are often perceived as having higher standards.
6. Establish insurance requirements
Since few organizations can afford to pay the full costs of a recovery; having insurance ensures that recovery is fully or partially financed.
When considering insurance options, decide what threats to cover. It is important to use the BIA to help decide both what needs insurance coverage, and the corresponding level of coverage. Some aspects of an operation may be over insured, or underinsured. Minimize the possibility of overlooking a scenario, and to ensure coverage for all eventualities.
Document the level of coverage of your institutional policy, and examine the policy for uninsured areas and non-specified levels of coverage. Property insurance may not cover all perils (steam explosion, water damage, and damage from excessive ice and snow not removed by the owner). Coverage for such eventualities is available as an extension in the policy.
When submitting a claim, or talking to an adjustor, clear communication and understanding is important. Ensure that the adjustor understands the expected full recovery time when documenting losses. The burden of proof when making claims lies with the policyholder and requires valid and accurate documentation.
Include an expert or an insurance team when developing the response plan.
7. Produce services & products ranking
Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined.
8. Identify dependencies
It is important to identify the internal and external dependencies of critical services or products, since service delivery relies on those dependencies.
Internal dependencies include employee availability, corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and support services such as finance, human resources, security and information technology support.
External dependencies include suppliers, any external corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety service.
What do we deliver?
We will deliver the following:
A completed Business Impact Analysis (BIA) that will:
- Identify the mandate and critical aspects of an organization
- Prioritize critical services or products
- Identify impacts of disruptions
- Identify areas of potential revenue loss
- Identify additional expenses
- Identify/clarify insurance requirements
- Rank services
- Identify dependencies
What projects have we delivered?
RHEA Inc. delivered Business Continuity and Business Impact Analysis to many Federal Government departments and agencies, always ensuring their total satisfaction. Our list of clients includes:
- Natural Resources Canada (NRCan)
- Shared Services Canada (SSC)