PP3 Analysis Flashcards

1
Q

Four types of Business Impact Analysis (BIA)

A
  1. An initial BIA.
  2. A product and service BIA.
  3. A process BIA.
  4. An activity BIA.
2
Q

Business continuity requirements can be defined as

A

the time frames, resources, and capabilities necessary to continue to deliver the prioritised products, services, processes, and activities following a disruption.

3
Q

Initial BIA:

A

Provides a high-level analysis that can be used to develop a framework for the more detailed BIAs. It can also be used to clarify the scope of the BC programme (typically only required the first time an organization conducts a BIA).

4
Q

Product and Service BIA

A

Identify & prioritise products & services & determine the organization’s BC requirements at a strategic level.

5
Q

Process BIA:

A

Determine the process or processes required for delivery of the organization’s prioritised products and services.

6
Q

Activity BIA:

A

Identify & prioritise the activities that deliver the most urgent products & services, & determine the resources required for continuity of these activities.

7
Q

Products and services are defined as

A

“beneficial outcomes provided by an organization to its customers, recipients and interested parties.” (Source: ISO 22301:2012)

8
Q

A process is described as

A

“a set of interrelated or interacting activities which transforms inputs to outputs.” (Source: ISO 22301:2012) A process may be divided into a number of activities.

9
Q

An activity is defined as

A

One or more tasks undertaken by, or for, an organization, that produce or support the delivery of one or more products and services.

10
Q

MTPD

A

Maximum tolerable period of disruption

11
Q

MAO

A

Maximum acceptable outage

12
Q

RTO

A

Recovery time objective

13
Q

The terms ‘maximum tolerable period of disruption’ and ‘maximum acceptable outage’ are used to describe

A

“the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.” (Source: ISO 22301:2012)

14
Q

The ‘recovery time objective’ is defined as

A

“the period of time following an incident within which a product or service must be resumed, or activity must be resumed, or resources must be recovered.” (Source: ISO 22301:2012)

15
Q

Prioritised activities are defined as

A

“activities to which priority must be given following an incident in order to mitigate impacts.” (Source: ISO 22301:2012)

16
Q

The BIA process can be summarised as follows:

A
  1. Prioritise the organization’s products & services
    by determining the MTPD for each.
  2. Prioritise the process or processes required to deliver the organization’s most urgent products and services,
    including identification of the activities that make up
    those processes, if required.
  3. Prioritise the activities that deliver the most urgent products and services, determine resources required for
    continuity of these activities following an incident, as
    well as their interdependencies.
  4. Perform final analysis or consolidation of analyses which should lead to determination of BC
    requirements.
  5. Seek top management approval of BIA results.
17
Q

When conducting a BIA, the following points should be considered:

A
  1. Scope of BC programme can be clarified, or may need to be modified following the initial BIA findings.
  2. Determining impacts over time should demonstrate to top management how quickly the organization needs to respond to a disruption.
  3. A consistent approach to performing the BIA should be used throughout the organization.
18
Q

Methods & techniques used to collect the BIA information include:

A
  1. Workshops.
  2. Questionnaires.
  3. Interviews.
19
Q

Examples of documents to review as part of the BIA include:

A
  1. Existing BIA information, where relevant.
  2. The organization’s strategic plan.
  3. Annual reports.
  4. Departmental or business unit plans.
  5. Legal or regulatory requirements.
  6. Service level agreements.
  7. Risk assessments or risk registers.
20
Q

The main factors that should be considered when estimating the MTPD of a disruption to product or service delivery are:

A
  1. Damage to financial value or viability (short or long-term).
  2. Damage to reputation or interested party confidence.
  3. Breach of legal or regulatory obligations.
  4. Failure to meet the strategic objectives of the organization.
21
Q

Examples of impacts over time are as follows:

A
  1. Breaches of legal or regulatory requirements, for example, fines and reputational damage.
  2. Financial impacts.
  3. Environmental damage.
  4. Delays to major projects or a new product launch, for example, delay to a development project and loss of expected revenue.
  5. Opportunities for competitors.
  6. Health implications from a service failure, resulting in bad publicity & financial penalties.
22
Q

Minimum business continuity objective (MBCO).

A

MBCO is “the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.” (Source: ISO 22301:2012)

23
Q

The process for developing an initial BIA should include:

A
  1. Deciding terms of reference and draft scope of
    initial BIA.
  2. Identifying products and services which can be grouped to simplify information collection and
    analysis.
  3. Agreeing impacts to be considered, for
    example, financial and reputational.
  4. Agreeing and documenting impacts over time
    relating to delivery failure of products and services.
  5. Estimating MTPD for each product and
    service.
  6. Identifying processes that deliver products or services. This should consider organization-wide and
    departmental processes.
  7. Identifying owners for each process, for example, subject matter experts to provide information
    about the processes.
  8. Identifying how and when a disruption to the
    process could result in damage to the delivery
    of products and services.
  9. Presenting the findings to top management
    for review and approval.
24
Q

Initial BIA should consider specific impacts, including:

A
  1. Backlogs and capacity issues.
  2. Duration or lead time of the process.
  3. Any non-standard or unique activities which are difficult to recover and could unexpectedly affect the continuity of the process.
25
Q

Outcomes of an initial BIA are:

A
  1. A list of the organization’s products and services (grouped together where appropriate).
  2. Impacts over time relating to the delivery failure of products and services.
  3. Estimated MTPDs for products and services.
  4. List of processes and owners that contribute to the delivery of products and services.
  5. Breakdown of internal and external activity dependencies.
  6. A list of products, services, processes, and activities that have been excluded, along with the justification for the exclusion.
26
Q

Examples of significant organizational changes:

A
  1. Introduction of a new product or service.
  2. Retirement of an existing product or service.
  3. Relocation or a change in the geographical positioning of the business.
  4. Significant change in business operations, structure, or personnel levels.
  5. A significant new supplier or outsourcing contract.
27
Q

The product and service BIA process should include:

A
  1. Reassessing scope of BC programme. This includes reviewing any exclusions and considering inclusion of new products or services.
  2. Collecting the information necessary to perform
    product and service BIA.
  3. Understanding potential impact of significant
    developments within organization or the operating
    environment.
  4. Assigning products and services to groups
    for analysis purposes.
  5. Reviewing impacts as well as the criteria to
    determine the MBCO.
  6. Documenting impacts of a product or service
    group delivery failure.
  7. Estimating MTPD for each product or service group.
  8. Obtaining top management signoff of product
    and service BIA results.
  9. Proceeding to the process BIA.
28
Q

Outcomes of a product and service BIA are:

A
  1. Clarification or modification of the scope of the BC
    programme.
  2. A list of the organization’s prioritised products and services.
  3. Evaluation of impacts over time.
29
Q

The process BIA should include the following steps:

A
  1. Determine the scope of the process BIA.
  2. Identify process owners.
  3. Identify dependencies for processes that deliver
    prioritised products and services.
  4. Identify suitable personnel, for example, subject
    matter experts, to provide process-level information.
  5. Collect the information necessary to perform the process BIA.
  6. Identify how disruption to a process could result
    in disruption to delivery of products and services.
  7. Define the timeframe within which disruption to each
    process would become unacceptable and cause
    failure to deliver products and services.
  8. Define any impacts not considered by top
    management, such as backlogs and capacity issues.
  9. Consider the duration or lead time of the process.
  10. Obtain confirmation from the process owner
    concerning accuracy of the information in the process BIA.
  11. Obtain support from top management for the
    conclusions of the process BIA.
  12. Publish the results of the process BIA.
30
Q

Outcomes of the process BIA are

A
  1. List of processes that contribute to delivery of
    organization’s prioritised products and services within the scope of BC programme.
  2. Identification of interdependencies of processes.
  3. The MTPD, RTO, and RPO where appropriate for each process.
  4. Identification of any processes that have been outsourced by the organization and therefore present an increased risk. Service level agreements and more frequent reviews should be considered for these processes.
31
Q

The following information should be collected during the activity BIA:

A
  1. Processes that the activity supports (where appropriate).
  2. Operational methods for the activity.
  3. Duration or lead time of the activity.
  4. Fluctuations in demand or peak operating times.
  5. Factors not already discovered that may affect determination of BC requirements, for example, backlogs, or legal and regulatory requirements of this activity.
32
Q

Detailed information regarding the resources required to continue activities falls into the following categories:

A
  1. “People.
  2. Information and data.
  3. Buildings, work environment and associated utilities.
  4. Facilities, equipment, and consumables.
  5. ICT systems.
  6. Transportation.
  7. Finance.
  8. Partners and suppliers.” (Source: ISO 22301:2012)
33
Q

The activity BIA process should involve the following:

A
  1. Identify and prioritise activities which contribute to the
    process or processes that deliver prioritised products
    and services.
  2. Collect the information necessary to perform the activity BIA, including:
    • An understanding of activity details and interdependency information.
    • An understanding of activity-specific RTOs.
    • A breakdown of the resources required to maintain activities at an agreed level and within MTPD and RTO.
  3. Consider any additional activities that may be created
    during a disruption, including need to clear backlogs.
  4. Obtain approval by the activity owner to confirm accuracy of information.
  5. Obtain the support of top management for the conclusions.
34
Q

Outcomes of an activity BIA are:

A
  1. List of activities that contribute towards processes needed to deliver products and services.
  2. MTPD and RTO and justification for each activity, which should determine time frame of solutions for each
    activity.
  3. Breakdown of activity dependencies, both internal and
    external.
  4. An understanding of resources required to provide agreed service levels.
  5. RPO for data and hard copy records.
  6. Documentation of internal and external interdependencies for prioritised activities.
35
Q

A risk is defined as

A

An effect of uncertainty on objectives. (Source: ISO Guide 73)

36
Q

A threat is defined as

A

A potential cause of an unwanted incident, which can result in harm to individuals, a system or an organization. (Source: ISO 22300:2012)

37
Q

A risk assessment is defined as

A

“An overall process of risk identification, risk analysis and risk evaluation.” (Source: ISO Guide 73)

38
Q

The key steps when undertaking a risk and threat assessment as part of the BC programme are as follows:

A
  1. List known and anticipated internal and
    external threats.
  2. Estimate impact of each threat on organization.
  3. Determine probability of disruption for each threat.
  4. Calculate a risk score for each threat by combining the
    scores for impact and probability.
  5. Prioritise threats based on risk score for prioritised
    activities.
  6. Identify unacceptable areas of risk, which may
    include single points of failure.
  7. Share outcomes with relevant interested
    parties.
  8. Use information resulting from risk and
    threat assessment to identify options for mitigation
    measures in the Design stage of BC management lifecycle.
39
Q

Organizations may find that the following sources provide useful information to carry out a risk assessment:

A
  1. Risks and threats identified during the BIA process.
  2. Risks and threats identified during previous exercises.
  3. Previous incidents experienced by organization, and
    captured in risk register or other incident reports.
  4. Previous incidents recorded within industry sector or
    geographical location.
  5. Information or reports relating to threats and past
    disruptions.
  6. Horizon scanning activities.
  7. Publicly available records about known local hazards.
40
Q

Outcomes from the risk and threat assessment as part of the business continuity programme are:

A
  1. An awareness of range of potential threats that could
    disrupt the organization’s activities.
  2. A prioritised list of threats based on the risk of disruption to organization’s activities.
  3. Identification of any unacceptable risks and single points of failure.
  4. Identification of potential options for measures to reduce frequency or scale of impact of the prioritised threats.
41
Q

Final analysis should “…challenge and check the information to ensure that it is:

A
  1. Correct, accurate and reliable.
  2. Credible, believable, and reasonable.
  3. Consistent, clear, and repeatable.
  4. Current, up-to-date, and available in a timely manner.
  5. Complete and comprehensive.” (Source: ISO/TS 22317:2015)
42
Q

Final analysis and consolidation activity should result in the following:

A
  1. Confirmation of impacts over time.
  2. Review and confirmation of resource dependencies and requirements.
  3. Consolidation of resource requirements, for example, across processes, organizational structures, or locations.
  4. Review and confirmation of the interdependencies of processes and activities, and their relation to the delivery of products and services…”. (Source: ISO/TS 22317:2015)