
Hi everyone. My presentation is "How real is this business impact analysis?", which is the main part of a business continuity plan. To introduce myself, I'm Armin Salio, I am [inaudible] certified, and I also work as an internal auditor at NLB Bank here in Prishtina. My presentation is different from the others, since it is not a technical presentation but more of a psychological one.

So what is business impact analysis? Business impact analysis is a process that identifies and evaluates the potential effects of interruptions to critical business processes and business functions. What is the purpose of business impact analysis? The main purpose is to provide the framework for developing a comprehensive plan for responding to those events, and also to assess the potential impact of disruptions, both internal and external, that the institution faces.

Many organizations today claim that they have a comprehensive business impact analysis, as part of their business continuity plan and their disaster recovery or business continuity management process. The question is: how real is this business impact analysis, and does it actually deliver the desired outcomes? To answer this question we have to consider the factors that contribute to the effectiveness of business impact analysis.

Firstly, business impact analysis must be conducted with a clear understanding of the organization's critical business functions and processes. It also has to involve the main stakeholders of the organization, such as business leaders, process owners, department heads and subject matter experts. Without this involvement the business impact analysis may miss critical elements, leading to ineffective planning.

Secondly, business impact analysis must be conducted using rigorous and well-defined methodologies, as well as well-known standards, in order to be comprehensive, so that all potential disruptions are identified and evaluated. This requires a comprehensive risk assessment that considers both internal and external threats, such as cyber attacks and natural disasters, as well as supply chain disruptions.

Business impact analysis must be an ongoing process, not a one-time process. It's a living document: on every change of a process within the institution we have to update our business impact analysis, which is reflected in the business continuity plan. These changes include changes to critical business functions and processes as well as changes in the external threats and risk factors that have been identified. In my opinion, which is based on several research papers I have read, business impact analysis can be a highly effective tool for an organization when conducted correctly. It requires a significant investment of time and resources, and it must be viewed as an ongoing process rather than a one-time process.

However, we have not yet answered the question of this presentation. What are the factors that we have to consider while preparing a business impact analysis? The key factors are the criticality of business processes, recovery time objectives, resource requirements, interdependencies and risk assessment, communication and coordination, as well as testing and validation. There are several other factors beyond those, but in this presentation we will focus on recovery time objectives and on testing and validation.

As part of that, we will mention several relevant standards that apply to business continuity management as well as to business impact analysis. The first one is ISO 22301, which is the business continuity management system standard and also covers business impact analysis. Another standard is British Standard BS 25999. Another is NFPA 1600, a standard developed by the National Fire Protection Association in the United States. There is also ASIS SPC.1-2009, a standard developed by ASIS International (the American Society for Industrial Security). Another standard, developed by the United Arab Emirates, is NCEMA 7000. There are also the Business Continuity Institute Good Practice Guidelines, which are best practice to be implemented during the preparation of business continuity management as well as business impact analysis. These standards provide businesses with a set of guidelines to help them develop and implement effective continuity plans, ensuring that they are prepared for potential disruptions and able to continue operations during and after such events.

Even though the above-mentioned standards are very comprehensive, do they address all the factors? The human psychological factor is not foreseen in any of the standards, including others not mentioned here, so we have to consider this.

Related to recovery time objectives (RTOs), we will discuss two cases that were collected by a friend of mine who is doing a PhD in psychology, especially in the IT industry in the banking sector in Asia and Africa. He encountered several cases, but we mention two interesting cases that we saw during our interviews with the process owners.

The first is a case in Malaysia where a bank had a cyber attack and the main data center went down, so they had to operate from the secondary data center. However, the key staff member responsible for business continuity management received a phone call that his family had been kidnapped, so he was unable to perform all the required steps to recover on time. He missed the recovery time objective, and the delay, as I remember, was three times more than was foreseen in the internal acts related to business continuity management.

Another case that we encountered during our interviews was in Japan. A bank in Japan located its main data center on the minus-one floor. Honestly speaking, it was the worst decision to put the main data center on the minus-one floor, and even worse, the electric supply was on the same floor. There was a flood on that floor and a key member of the IT staff was locked inside; he couldn't escape from that place. Even though the IT guy was not part of the business continuity management team, they were unable to activate the business continuity plan and the disaster recovery center from the secondary data center, since they were fully engaged in helping the IT guy to leave that space.

Related to testing and validation, I will give the case of flight 1549. Have you watched "Sully: Miracle on the Hudson"? I strongly recommend watching this movie. It's based on the US Airways flight 1549 emergency landing in January 2009 by Captain Sullenberger. The captain was advised to land at LaGuardia, the airport he departed from, or at Teterboro, another nearby airport. Where did he land the Airbus A320? In the Hudson River. Why do I mention this movie, which is based on a real case? After the incident, the company sued their captain, claiming he could have safely landed at either LaGuardia or Teterboro. They performed several tests, as I remember 37 tests, and in them the captain could have landed safely at both airports. However, at the last hearing, for the sake of the judgment, he requested that the psychological human factor also be added to the test environment. After adding that, he couldn't land at Teterboro nor at LaGuardia, so he won the case and continued working at the same company.

Recently, in the institution where I work, we tested our disaster recovery plan and we worked for several days from our secondary data center, with a total switchover of the main data center. The results were more than perfect: the foreseen delay was about four hours and the activation took less than 10 minutes. Very perfect. However, we have to add that we prepared for that two weeks earlier. So if we had an unexpected case, would we be able to activate? I don't think so. Not only the company where I work, but the majority of mid-range companies would be unable to activate the secondary center on time if the human psychological factor is not considered.

So, in conclusion: while business impact analysis may not be a silver bullet for addressing all organizational risks, it can be a valuable tool for identifying and mitigating potential impacts and developing effective response plans. By conducting business impact analysis regularly and involving stakeholders, an organization can increase its preparedness and resilience in the face of unexpected events. Also including the human psychological factor, which is the recommendation of my friend who is doing his PhD in psychology and whose research will be released soon, when determining recovery time objectives and for testing purposes, is key and increases the effectiveness of business continuity management as well as business impact analysis, which is part of business continuity management. Thank you for your attention.

[Applause]

Armin, thank you so much. Does anybody have any questions? I personally know that you made it seem quite easy, but in practice it works completely differently. It's a much lengthier process, as Armin described; it involves a lot of parties, and the process of identifying, assessing and prioritizing all these potential threats among different departments doesn't go that smoothly. Each department thinks that they have their own priorities and they want to bump up the priority level, so that in case of a crisis their services or systems are addressed first. That's why we have Armin and other people who can walk us through and help us with those types of situations. Thanks, Armin. Do we have any questions?

Yes, thank you for the presentation. Maybe you can share with us, if it is not confidential from your bank, because data storage, having a second redundancy of your servers, etc., costs some money, but when necessary it is very important: how often do you make secure backups and how often do you perform restores, just to check that your secure storage is okay and intact?

Yeah, the backup in the data center runs on real-time replication. However, we perform another backup on tapes, which is daily, and it is sent to another location that is different from our main data center.

What's the length of time that you keep the tapes? I don't know, the last seven years, the last ten years? What's the time that you usually keep the tapes?

As I have seen from my audits of the IT department, they had tapes, as I remember, from 2013. Maybe I'm wrong, I don't know exactly, but I have probably seen tapes from 2013 at the latest. I don't know if they have earlier versions of backups.

And another thing I was always curious about: how much time does retrieving data from tapes take you? So let's say you had ransomware, everything is wiped, even the backup, the real-time backup. You have to retrieve everything from the tapes. Is it, I don't know, a lengthy process to retrieve everything from the tapes, or is it done quickly?

Yeah, since we have a lot of data, a huge database in our institution, on the last performance of recovering from tapes, especially in the simulated case of a cyber attack that we had, it took about two days to fully recover from the tapes.

Thank you.

You're welcome.

I guess the backup strategy is a science on its own. I know that it's not only the backups that we do, as Armin knows, as scheduled, but we also have real-time replication. Then you want to make sure that you have a backup for the media as well. For example, companies that I used to work for before didn't only have VPNs, we also had a fiber cable going from HQ to the DRC. And maybe just to add to what Armin said regarding the data backup: usually, if you want it to be restored fast, it takes a long time to back up. So you're always going to either go the extra mile while you're backing up, or, if you want to do it fast, you're going to take the same path when you're restoring it. Any other questions?

Yes. First of all, thank you very much for your presentation. I wanted to ask you, maybe from your experience as an auditor: there's some correlation between the recovery time and recovery point, so RTO and RPO. In your experience up until now, what do you think should be, let's say, the time difference between the two, or does it depend on the industry?

It's not a written standard to have that difference, but we have to bear in mind that the RPO has to be always shorter than the RTO. So we have a point objective where we have to go, and we have the time, how much it takes to go to that objective. During my experience I have seen cases where an institution planned to have RPOs longer than RTOs, which is contrary; we have to have shorter RPOs and longer RTOs. But I don't remember if there is a standard that defines this difference in time between those two objectives.

Okay, thank you.

You're welcome.

Do we have more questions? Okay, Armin, thanks so much, that was very insightful.

You're welcome.