How to determine the criticality of a process in a BIA? In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP), necessary processes (NP) and useful processes (UP). | In this contribution I write my own opinion, not that of any organization |
Contents
Definitions
Typically one uses as definitions:
- TCP: those processes that have to restart within two working days;
- EP: those processes that do not have to restart within two days, but within two weeks;
- NP: those processes that do not have to restart within two weeks, but within two months.
- UP: those processes that do not have to restart within two months
Different Approach
How critical a process is, can also be approached in a different way: if the impact of a too long outage (eg > 2 days) of the process becomes too much to handle, then you have to quickly (eg in <2 days ) restart the process.
The question here is: how do you determine the criticality of a process?
Proceed as follows (see table below):
The ‘process’ column and the ‘impact-time’ columns
- List the processes in the [process] column;
- Determine the impact on your service if the process threatens to fall out in the following columns.
- If the impact is of such a nature that it seriously compromises the service in the event of an outage that would last for more than 2 days or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column. [impact when outage > 2 days]. in. There is then a time-critical process. In the [process criticality] column, enter TCP.
- 2 dagen].”>when outage > 2 days]. You can also state here what measures you will take to minimize the effect or how you can still guarantee the intended service
- If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact If the impact is such that the service is seriously compromised in the event of an outage that would last for more than 2 months or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.
The ‘dependencies’ column
In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under point 2), you enter in column [criticality process] to which category the process belongs: time-critical, essential, or necessary.
Process | Impact when outage > 2 days | Impact when outage > 2 weeks | Impact when outage > 2 months | Dependencies | criticity process |
[name process] | [Description] | [Description] | [Description] | TCP/EP/NP | |
Two examples:
- The crisis management process. If this starts only after an hour, serious reputational damage is already a fact because of, for example, incorrect communication in the media. It must therefore certainly start within the two days. You can place this comment (RTO = 1h) in the column ‘Impact he 2 columns next to it anymore. With the dependencies, you put eg the expertises, the meeting room, laptops, smartphones, communication tools etc. In the last column you place the decision of the chosen type of process, in this case TCP.
- Process X must be able to start up within 5 days in August, because otherwise this violates a rule from the legislation, with corresponding fines and reputational damage. Then this comment can be put in the column ‘Impact In dependencies you can, for example, write communication with the bank, the name of an an administrative employee and the right software program.
This is a method of how to determine the criticality of a process in a BIA
One by one, you can determine the criticality of the processes in the Business Impact Analysis (TCP, EP, NP or UP). You can use the dependencies there.