Year 2000 Business Continuity and Contingency Planning
2.0 Business Impact Analysis
The principal objective of the Year 2000 business impact analysis is to
determine the effect of mission-critical information system failures on
the viability and operations of agency core business processes. During
the assessment phase of the Year 2000 program, agencies have assessed the
impact of potential Year 2000-induced failures on core business areas and
associated processes. The business impact analysis takes this process further
and provides greater detail. It examines business process composition
and priorities, dependencies, cycles, and service levels, and, most important,
the business process dependency on mission-critical information systems.
Key Processes
2.1 Define and document information requirements, methods, and techniques
to be used in developing the business continuity plan
2.2 Define and document Year 2000 failure scenarios
2.3 Perform risk and impact analyses of each core business process
2.4 Assess and document infrastructure risks
2.5 Define the minimum acceptable level of outputs and services
for each core business process
2.1 Define and document information requirements, methods, and techniques
to be used in developing the business continuity plan
Define the information requirements for constructing a business continuity
plan. These requirements generally fall into four categories:
(1) business process composition, execution cycles, and support,
(2) operational priorities, service levels, dependencies, and relationships,
(3) the primary and collateral Year 2000 business risks and the business
scope of their impact, and
(4) the costs and benefits of business continuity strategies and
alternatives.
Each area has detailed information requirements that are essential to providing
effective business continuity. For example, the analysis of business process
support should provide information on the technical, functional, organizational,
and infrastructure support requirements. When collected, analyzed, and
synthesized, the information defines a model of critical processes and
risks to the business.
2.2 Define and document Year 2000 failure scenarios
Assess business vulnerabilities and their impacts and define the Year 2000
risk scenarios. Assume the loss of all mission-critical information systems
due to post-implementation failures or delays in renovation and testing.
Consider the possibility that Year 2000 date problems may be encountered
earlier than expected, and address the potential disruption of essential
infrastructure services, including electric power, telecommunications,
and transportation.
2.3 Perform risk and impact analyses of each core business process
Monitor the status and progress of the Year 2000 program and review and
verify risk metrics and critical milestones for all mission-critical systems
undergoing renovation or replacement. Evaluate Year 2000-related risks
posed by customers, suppliers, information technology vendors, and business
partners. Determine the impact of internal and external information system
failures and infrastructure services on each core business process. Consider
acquiring business impact analysis tools. These tools will provide consistent
analytical structure and processes, and help to standardize the impact
analyses throughout the enterprise. For the core business processes and
supporting business areas, analyze both manual and automated functional
requirements, manual and automated system support requirements, infrastructure
support requirements, suppliers, customers, service levels, processing
cycles, and the external and internal business drivers. Identify critical
functions, recovery priorities and timing, and dependencies on other systems
and processes. If a core business process receives data from an external
organization, contact that organization and obtain the status of its Year
2000 remediation effort. If there are reasons to be concerned, address
these concerns in contingency plans. Estimate the potential cost of service
disruptions. In estimating impacts, address the duration of each disruption.
Consider using a scorecard to aggregate and track the risk and impact information.
2.4 Assess and document infrastructure risks
Monitor the Year 2000 readiness of the public infrastructure, including
power and telecommunications services. Assess the risk of service outages,
and the potential impact of outages on the core business processes. Review
existing contingency and disaster recovery plans to determine whether emergency
services may be available to mitigate outages.
2.5 Define the minimum acceptable level of outputs and services for each
core business process
For each core business process, define the minimum acceptable level of
output and the recovery time objective.
Formatted from text provided by: The United States General
Accounting Office Accounting and Information Management Division HTML format
Copyrighted by The Disaster Center 1998