Business Impact Analysis Procedure

Version: 1.0
Status: Proposed: 11/8/96
Contact: George R. Koscho

PURPOSE

To complete the process that identifies and prioritizes critical business functions and to comply with CIM COV ITRM STANDARD 95-1.

SCOPE

This procedure covers all System Office and college business functions and the applications that support them.

APPLICABILITY

This procedure is applicable to the System Office and all colleges.

MODEL

The guidelines developed in this document define a minimum set of expectations. The guidelines will be reviewed as necessary to reflect changes in the use of technology, State and Federal Laws and State Policies, and Directives.

EXPECTATIONS

The System Office and each college will allocate the appropriate resources to conduct a Business Impact Analysis and Risk Analysis if necessary. It is not expected that each college will follow these guidelines in total, only to the extent that the purpose noted above is fulfilled.

GUIDELINES

The responsibility for conducting a Business Impact Analysis rests with the College President and the Vice Chancellors at the System Office. Initially, all business functions and systems must be scrutinized, however, further iterations can isolate specific business functions, and/or systems at the discretion of the President or Vice Chancellor. The recommended steps that should be completed to conduct a Business Impact Analysis and a Risk Analysis if required, are described below.

Risk Assessment Coordinator

A Risk Assessment Coordinator is appointed from existing staff, to coordinate this project. The person selected should be a mid-level manager that has a good understanding of business applications and services. This person will serve as the single point of contact for ensuring that a Business Impact Analysis is completed.

Business Impact Analysis Form 1’s

Business Impact Analysis Form 1’s are completed to (1) identify critical business activities and (2) ranks their importance to the agency from 1 - most important to 5 - least important. (See Page 4 Attached).

Business Impact Analysis Form 2’s

Business Impact Analysis Form 2’s are prepared for each business activity identified as critical on the Form 1’s. They are distributed to the individual deemed to be the "Application Owner" and the Form 2’s are completed and returned. (See Page 5 Attached).

Risk Analysis Form 3’s

Risk Analysis (Form 3’s - "The Application Profile Sheet") are prepared for each application identified as critical or confidential on the Form 2’s. They are distributed to the appropriate staff member, completed and returned. (See page 6 Attached).

Follow up

Once all the Forms are completed, they should be reviewed for accuracy and meetings should be conducted with appropriate staff to review exposures and risks that may have been identified during the analysis. A management response is developed, with actions required, and proposed target dates, for applications or services with undesirable levels of risk.

Executive Summary

An Executive Summary to alert the College President or Vice Chancellor of the risks and exposures to critical business functions and their supporting applications, that were identified, should be prepared.

The Executive Summary should contain the following components;

A. Information contained in the Form l’s. For example, how many business activities were identified, how many were given the weight of 1, 2 etc.

B. Information contained in the Form 2’s. For example, what applications were identified, how many were mainframe, PC or LAN based? How long can they survive without them?

C. Identify exposures, problems, and an action plan to correct identified deficiencies. (Distinguish between those that can be fixed and those that cannot, and why not.)

Final Review

The College President or Vice Chancellor should review and approve the results.

Copies of the completed Form 1, 2, 3’s and Executive Summary must be kept by the College for audit review.

BUSINESS IMPACT ANALYSIS

Step 1. Identify critical business activities.

-Business Activities-------------	-----Activity Owner--------------------	-Weight-----
Academic activities	.	.
Accounting activities	.	.
Accounts payable activities	.	.
Accounts receivable activities	.	.
Admissions and records	.	.
Administrative activities	.	.
Agency management activities	.	.
Auditing activities	.	.
Auxiliary operations activities	.	.
Book store activities	.	.
Budget and planning activities	.	.
Building and grounds activities	.	.
Financial aid activities	.	.
Fixed assets activities	.	.
Food service activities	.	.
Grants and development activities	.	.
Human resources	.	.
Information technology activities	.	.
Instructional research and planning activities	.	.
Learning resource center activities	.	.
Payroll activities	.	.
Purchasing activities	.	.
Public relations activities	.	.
Revenue activities	.	.
Student services activities	.	.

Activity Owner (The full name of the person having the overall responsibility for this business activity).

Weight (a relative value indicator of the element's priority to the business mission. The weight is assigned by VCCS upper level management).

Weight should be given a value from 1 - highly critical to 5 - not critical for business operations.

FORM 1

BUSINESS IMPACT ANALYSIS

Copy this form for each business activity.

Step 2. For each business activity, identify the:

a.) systems upon which it relies to perform its primary business function, and,

b.) any systems that contain sensitive information.

Business Activity:1 X---------------------------------------------------------------------------X

Activity Owner:1 X------------------------------------------------------X Weight:1 X

Application2	Does application support mission critical activity?3	Does application contain confidential information?	Acceptable downtime period? (hrs, days, wks, etc.)4
.	.	.	.
.	.	.	.
.	.	.	.
.	.	.	.
.	.	.	.
.	.	.	.
.	.	.	.
.	.	.	.

1 Business Activity, Activity Owner, and Weight should be obtained from the Form 1’s.

2 Application or manual process upon which the business activity is dependent to produce its product(s) and/or service(s). [Note: All applications regardless of platform should be listed]

3 Applications or manual processes that are relied upon to produce the business activities' mission critical product and/or service should be classified as critical. (Refer to output from Step 1 to determine the mission critical nature of the business activity).

4 Since many applications are cyclical in nature, an acceptable down time period may differ depending on the time of the year when an outage may occur. Responses should assume a “worst case” scenario when answering this question.

FORM 2

RISK ANALYSIS

APPLICATION PROFILE

Copy this form for each application supporting a business activity.

Step 3. Review the results of Steps 1 and 2. Develop application profiles only for applications:

a.) that contain sensitive information, and/or

b.) that support critical business functions.

System Name: _________________________________________________________________

Application Owner/Title: ________________________________________________________

ITS Custodian: ________________________________________________________________

Primary Users: ________________________________________________________________

System Description:

----------Database(s), language(s) and release level(s)----------

_______________________________________________________________________

Hardware used: (CPU type) _______________________________________________

Network Access (circle) ---------LAN - WAN - STANDALONE - NONE

Other (Describe) _________________________________________________________

Interface(s) to other systems:

_______________________________________________________________________

Access controlled by:

Hardware _______________________________________________________________

Programs _______________________________________________________________

Data ___________________________________________________________________

Change management description:

_______________________________________________________________________

FORM 3