How to determine the criticality of a process in a BIA?

How to determine the criticality of a process in a BIA? In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP), necessary processes (NP) and useful processes.In this contribution I write my own opinion, not that of any organization
Authors: Manu Steens

Definitions

Typically one uses as definitions:

  • TCP: those processes that have to restart within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.
  • UP: those processes that do not have to restart within two months

Different Approach

How critical a process is, can also be approached in a different way: if the impact of a too long outage (eg > 2 days) of the process becomes too much to handle, then you have to quickly (eg in <2 days ) restart the process.

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

The ‘process’ column and the ‘impact-time’ columns

  • List the processes in the [process] column;
  • Determine the impact on your service if the process threatens to fall out in the following columns.
  1. If the impact is of such a nature that it seriously compromises the service in the event of an outage that would last for more than 2 days or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column. [impact when outage > 2 days]. in. There is then a time-critical process. In the [process criticality] column, enter TCP.
  2. 2 dagen].”>when outage > 2 days]. You can also state here what measures you will take to minimize the effect or how you can still guarantee the intended service
  3. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [impact If the impact is such that the service is seriously compromised in the event of an outage that would last for more than 2 months or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column 2 dagen].”>when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

The ‘dependencies’ column

In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under point 2), you enter in column [criticality process] to which category the process belongs: time-critical, essential, or necessary
.

ProcessImpact when outage  > 2 daysImpact when outage > 2 weeksImpact when outage > 2 monthsDependenciescriticity process
[name process][Description][Description][Description] TCP/EP/NP
      
      
      

Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage is already a fact because of, for example, incorrect communication in the media. It must therefore certainly start within the two days. You can place this comment (RTO = 1h) in the column ‘Impact he 2 columns next to it anymore. With the dependencies, you put eg the expertises, the meeting room, laptops, smartphones, communication tools etc. In the last column you place the decision of the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise this violates a rule from the legislation, with corresponding fines and reputational damage. Then this comment can be put in the column ‘Impact In dependencies you can, for example, write communication with the bank, the name of an an administrative employee and the right software program.

This is a method of how to determine the criticality of a process in a BIA

One by one, you can determine the criticality of the processes in the Business Impact Analysis (TCP, EP, NP or UP). You can use the dependencies there.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts