BIA Operation
Before beginning a BIA, ensure that the BIA Setup has been completed to the organisation's requirements.
Identify Products, Services and Activities
The first steps of a BIA are to identify
Once the above steps have been completed, the activity workflow can be followed, as described below.
Activity BIA
Abriska guides users through an organisationally defined workflow that meets the requirements of ISO 22301. The number of buttons available on the sidebar will increase depending on the activity work stage.
Activity duration, frequency and operating times
To capture information regarding the criticality of an activity, the operating hours, approximate duration and frequency should be entered. To add this information, click ‘Activity Duration and Frequency’ from the ‘Activity’ page.
Link to products and services
For each product and service that is loaded into Abriska (regardless of the division), each activity needs to specify whether it is required to deliver that product. To add this information, click ‘Products and Services’ from the ‘Activity’ page.
Activity inter-dependencies
An activity may rely on other activities, either for data or to complete its operational processes. These relationships need to be modelled within Abriska to understand what the recovery priority should be for each activity. To add this information, click ‘Identify Inter-dependencies’. The activity hierarchy will be shown and a checkbox will be visible next to each activity. When a checkbox is clicked, a further information panel will be displayed, which allows additional information to be entered about this relationship.
Identify Assets' business as usual
To understand what an activity requires for business as usual, each activity can be linked to organisation resources. To add this information, click ‘Identify Resources’ from the ‘Activity’ page. The resource hierarchy is displayed. Each resource with a checkbox can be selected as “required for business as usual”.
Abriska allows resources to be set up as ‘multiple’. If this flag is set, a textbox will be displayed to enter the amount of resources required by this activity.
Identify impact over time and MTPD
The MTPD must be defined for each activity. Abriska satisfies this by specifying the impact over time for each activity.
Figure 25 – Graphical Presentation of MTPD
To edit the profile of a specific impact, click ‘Identify Impacts’ from the ‘Activity’ page (highlighted in orange in Figure 20 - Expanded Activity Sidebar) and click on the globe next to the ‘Impact Name’. This will display a screen similar to Figure 26 - Impact Over Time. The timescale will be specific to this division and the impact level will be specific to this impact. For each timescale, specify what the impact would be (a description of the impact levels is available by clicking on the button highlighted in blue in Figure 26 - Impact Over Time). For example, if the reputational impact is moderate after 4 days, select the radio button highlighted red.
Note:
Figure 26 - Impact Over Time
From the ‘Activity’ page, click on ‘Identify MTPD’ (highlighted in brown in Figure 20 - Expanded Activity Sidebar).
Note: If an impact reaches the organisation’s threshold within the timescale, then the MTPD will be calculated (shown in Figure 27 - Entering MTPD for Non-Critical Activities). If none of the impacts reach the threshold within the timescale, the MTPD will need to be manually entered.
Note: When entering the MTPD, it must be larger than the greatest impact time. This is required to enforce the impact threshold logic.
Figure 27 - Entering MTPD for Non-Critical Activities
2.3.7 Identify recovery resources, RPO and RTO
ISO 22301 requires that an organisation: “identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.”
Recovery resources are entered in a similar way to business as usual resources (see Section 2.3.5 Identify resources business as usual), although there is the addition of the division’s timescale (highlighted blue in Figure 28 - Allocating Recovery Resources). To add this information, click ‘Identify Resources’ from the ‘Activity’ page (highlighted in pale blue in Figure 20 - Expanded Activity Sidebar).
Initially, Abriska shows all resources that are used within business as usual (the business as usual requirement is visible in the far left column) and an input box is available for each time period. Enter the required number of resources for each timescale unit to show how the resource requirement will vary over time. If the amount of resources exceeds the total number required for business as usual, the input box will be highlighted red, although this does not stop a value being entered. One possible reason for entering more required resources during a recovery than the business as usual amount is that there may be the need to recover from a backlog.
If resources are not used for business as usual, but are required for a recovery period, then select the checkbox next to that resource and enter the recovery over time requirements.
Note: A resource must be assigned before the MTPD time. If no resource is entered before the MTPD, Abriska will flag this stage as red (the identify resources and RTO stage within the flowchart in Figure 19 - Activity Flowchart). This will also flag the activity as in error within the activity hierarchy (Figure 16 - Activity Hierarchy).
Figure 28 - Allocating Recovery Resources
If any of the selected resources have been set up as ‘RPO required’ then additional information will be displayed within the resource detail section (highlighted blue in Figure 29 - Resource RTO). This allows the data recovery requirements to be entered. Enter the amount that could be lost from this system but still allow the activity to operate.
Note: It may be that 24 hours could be tolerated with users re-keying the information in from manual hard copies.
Figure 29 - Resource RTO
Once all of the recovery resources have been entered, the next stage is to identify the recovery time objective (RTO). Within ISO 22301 the RTO is defined as: “period of time following an incident within which; product or service must be resumed, or activity must be resumed, or resources must be recovered”
This time must be greater than, or equal to, the time the first resource is recovered, but it must be smaller than the MTPD. To add this information, click ‘Identify RTO’ from the ‘Activity’ page (highlighted in lilac in Figure 20 - Expanded Activity Sidebar). Complete the fields of the ‘RTO’ form and press ‘Submit’ to save. As the RTO of the activity may change over time, the history of how this variable has changed is available from the ‘RTO History’ tab.
Figure 30 - Determining Recovery Time Objective
2.3.8 Identify vital records
The final stage of the BIA activity is to enter any vital records that are required for this activity to be operational. Examples include operational manuals that do not exist in electronic format or specialist forms/cheques. If the activity does not require any vital records then click ‘Vital Records’ from the ‘Activity’ page and click ‘Confirm No Vital Records Exist’ (highlighted red in Figure 31 - Vital Records). Alternatively, enter the vital records, adding the location of each record and selecting the salvage flag (this indicates that this record would need to be replicated to any recovery location).
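
The MTPD, recovery resource and RTO rules described above can be checked together before values are entered. The following is an added Python example, not Abriska's own code. It assumes the calculated MTPD is the earliest timescale point at which any impact reaches the threshold, and it reads "greatest impact time" as the last point on the division's timescale. All names, the hour-based timescale and the sample figures are constructed.

```python
# Added illustration; the derivation rule and all sample data are assumptions.
TIMESCALE = [4, 24, 48, 96, 168]               # hours (constructed division timescale)
IMPACTS = {"Reputational": [1, 1, 2, 3, 4],    # impact level at each timescale point
           "Financial":    [1, 2, 2, 2, 3]}
RECOVERY = {"Workstation":    [0, 2, 5, 5, 5], # quantity needed at each timescale point
            "Finance system": [0, 0, 1, 1, 1]}

def derive_mtpd(timescale, impacts, threshold):
    """Earliest point at which any impact reaches the threshold, else None."""
    hits = [t for levels in impacts.values()
            for t, level in zip(timescale, levels) if level >= threshold]
    return min(hits) if hits else None

def check_activity(timescale, impacts, threshold, recovery, rto, manual_mtpd=None):
    """Return (mtpd, errors) for one activity's BIA entries."""
    errors = []
    mtpd = derive_mtpd(timescale, impacts, threshold)
    if mtpd is None:                           # no impact reached the threshold
        if manual_mtpd is None:
            return None, ["MTPD must be entered manually"]
        if manual_mtpd <= max(timescale):
            errors.append("MTPD must be larger than the greatest impact time")
        mtpd = manual_mtpd
    # Earliest timescale point at which any recovery resource is assigned.
    first = min((t for qtys in recovery.values()
                 for t, q in zip(timescale, qtys) if q > 0), default=None)
    if first is None or first >= mtpd:
        errors.append("no resource assigned before the MTPD")
    elif rto < first:
        errors.append("RTO is earlier than the first recovered resource")
    if rto >= mtpd:
        errors.append("RTO must be smaller than the MTPD")
    return mtpd, errors

if __name__ == "__main__":
    print(check_activity(TIMESCALE, IMPACTS, 3, RECOVERY, rto=48))
    print(check_activity(TIMESCALE, IMPACTS, 3, RECOVERY, rto=96))
    print(check_activity(TIMESCALE, IMPACTS, 5, RECOVERY, rto=48, manual_mtpd=168))
```
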