BIA Steps

The more detailed and granular steps of a BIA are outlined here:
- Select individuals to interview for data gathering.
- Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
- Identify the company’s critical business functions.
- Identify the resources that these functions depend upon.
- Calculate how long these functions can survive without these resources.
- Identify vulnerabilities and threats to these functions.
- Calculate risk for each different business function.
- Document findings and report them to management.

The committee needs to step through scenarios that could produce the following results:
- Equipment malfunction or unavailable equipment
- Unavailable utilities (HVAC, power, communications lines)
- Facility becomes unavailable
- Critical personnel become unavailable
- Vendor and service providers become unavailable
- Software and/or data corruption

Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. Loss criteria must be applied to the individual threats that were identified. The criteria may include the following:
- Loss in reputation and public confidence
- Loss of competitive advantages
- Increase in operational expenses
- Violations of contract agreements
- Violations of legal and regulatory requirements
- Delayed income costs
- Loss in revenue
- Loss in productivity

These costs can be direct or indirect and must be properly accounted for.

Interruptions

Being properly prepared specifically for a flood, earthquake, terrorist attack, or lightning strike is not as important as being properly prepared to respond if one of the following results becomes reality:
- Equipment malfunction or unavailable equipment
- Unavailable utilities (HVAC, power, communications lines)
- Facility becomes unavailable
- Critical personnel become unavailable
- Vendor and service providers become unavailable
- Software and/or data corruption

All of the previously mentioned disasters could cause these results, but so could a meteor strike, a tornado, or a wing falling off a plane passing overhead. So the moral of the story is to be prepared for the loss of any or all business resources, instead of focusing on the events that could cause the loss.

The following maximum tolerable downtime (MTD) estimates may be used within an organization:
- Nonessential: 30 days
- Normal: 7 days
- Important: 72 hours
- Urgent: 24 hours
- Critical: Minutes to hours

Categories of disruptions

A nondisaster is a disruption in service as a result of a device malfunction or failure. The solution could include hardware, software, or file restoration.

A disaster is an event that causes the entire facility to be unusable for a day or longer. This usually requires the use of an alternate processing facility and restoration of software and data from offsite copies.

A catastrophe is a major disruption that destroys the facility altogether. This requires both a short-term solution, which would be an offsite facility, and a long-term solution, which may require rebuilding the original facility.

I need to organize a tender for BCP implementation for my company.
What is necessary for a tender?