BIA Repository: Impact Tolerances Assessment Questions

Shane Mathew
Posts: 14
Topic starter
(@shanemstoneriskconsulting-com)
Eminent Member
Joined: 1 year ago

Overview: Impact Tolerances in the context of a Business Impact Analysis (BIA) refer to the maximum acceptable level of disruption or downtime for critical business functions before significant impacts occur. Identifying Impact Tolerances is crucial because it helps determine which functions require immediate attention in a Business Continuity (BC) strategy. By understanding these tolerances, organizations can prioritize resources and efforts to ensure the most critical processes are restored quickly in the event of a disruption.


Contributions:

Please share your methodology or sample questions you use when assessing the impact tolerances of critical processes. You can include text and/or attach relevant screenshots for clarity.

Key Areas to Address:

  • Methodology: Describe your approach to measuring the impact of function stoppage.
  • Sample Questions: Share examples of the questions you ask to assess impact.
  • Best Practices: Highlight any tips or best practices that have worked well for you.

Example Contribution:

Methodology: We assess each function by measuring the impact if it were to stop for up to 30 days, focusing on the following criteria.

Sample Questions:

- How would a stoppage in your function affect Brand/Guest Experience?

- What revenue losses would result from a stoppage in your function?

- How would expenses be affected if your function stops?

- Are there any compliance or legal obligations tied to your function?

- How reliant are other departments on the outputs of your function?

- How dependent is your function on third-party providers?

Best Practices:

- Utilize the Criteria Guide to score the impact of a function stopping.

- Refer to the Assumptions List to aid in decision-making.

- Break down impacts into three categories: Brand/Guest Experience, Revenue, Expense, and Compliance/Legal.

- Consider additional factors like reliance on function outputs and supply chain dependencies.

- Define Maximum Allowable Downtime (M.A.D) to understand the urgency of impacts, categorized into time frames (e.g., 24 hours or less, 1-3 days, etc.).


Reminder:

  • Confidentiality: Do not include any confidential or sensitive information from your organization.
  • Tags: Tag your response appropriately so others can easily search and find your contribution.

Your contributions will help in building a comprehensive understanding of the impact tolerances of critical processes, which is essential for developing an effective Business Continuity Strategy.

3 Replies
Shane Mathew
Posts: 14
Topic starter
(@shanemstoneriskconsulting-com)
Eminent Member
Joined: 1 year ago

I use an explanation/instruction to rate a critical process's impact of loss as follows:

For each function, measure the impacts if it were to stop for up to 30 days. Only those functions that would impact the business unit significantly within 30 days need to be included in a BC strategy. The impact will be measured against and is broken down into 3 categories. All participants in this effort should utilize the Criteria Guide as a tool to determine how to score the impact of a function stopping. Also, an Assumptions List is provided to help participants make decisions.

 Then instructions on rating each critical process as follows: 

We will use four primary criteria, all of which are weighted equally in this tool.  Scores range from 0-3 with 3 being the highest (most impactful). 

  - Brand / Guest Experience
  - Revenue
  - Expense
  - Compliance / Legal (governmental or contractual obligations)

I've attached the definitions chart for the primary criteria below.

1720711261-Impact-Rating-Chart-Example.jpg
Posts: 4
(@umadanday)
Active Member
Joined: 5 years ago

Depending on the industry, for prioritizing what needs to be included in the BC strategy and planning for the initial phases of the program, a tiered approach has worked as well. Customer / Operational impact tolerance included along with Brand, Regulatory and Revenue.

Posts: 1
(@peter-cotiautodesk-com)
New Member
Joined: 1 year ago

For my company, we measure the finance, compliance/regulatory/legal, operational, and reputational impacts at 0 hours, 1 hour, 4 hours, 12 hours, 1 day, 2 days, 3 days, 4 days, then every week after. We have the process owners determine the level of impact based on our criteria at these times. My question is, when does the impact start?

For some infrequent processes such as a quarterly audit, the systems could be down 90% of the time, but if they work when the audit occurs, then there is no issue. So I generally ask the process owners to use the "worst case" scenario. So for example, if the application which handles payroll is down, it goes down right before it is needed, that is when we would have them evaluate the impact.

When assessing impacts at intervals, how do you describe "when the impact starts"?

1721227416-Screenshot-2024-07-17-093024.png