multi location vs BIA and RA performing
Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. It's great and translates a lot.
However, I have a problem with the approach to analysis in my case.
The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.
Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
Should I choose the largest location and analyze only one?
Or maybe I should complete 40 questionnaires?
I would like my approach to be in line with good business continuity practices.
A good approach would be to group locations with similar characteristics (e.g., number of employees, geographic location, etc.) and use a single analysis, identifying in the questionnaire to which locations it is applied. In terms of resources, you need to specify the resources used by each location (using averaged data can lead to errors in resource estimation in the definition of business continuity plans).
For further information, see:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?
To perform risk analysis you can use the same approach as for BIA, i.e., perform risk assessment over the groups you have identified.
This article will provide you with a further explanation about risk assessment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
Dear Rhand,
Thank you very much for your answer. I really appreciate your contribution to the development of the business continuity community.
In reference to the answer regarding the business impact analysis. As suggested, I divided my locations by the size - the number of employees and customers. And I will deal with the largest ones in the first place and, in accordance with your advice, I will analyze the resources of each of them separately.
There is one thing that puzzles me. Should I count financial losses on the form collectively (add up) or calculate the average loss? Is this consideration at all relevant to the idea of business impact analysis?
Best regards
Like the definition of resources approach, I suggest you identify financial losses by each location (using collective or averaged data related to financial losses can lead to errors in impact estimation and in the definition of business priorities).
Sorry, but I don't really understand. Let me make sure.
I have 1 large process carried out separately in several dozen locations. I group these locations by size. I want to deal with the top five first. In the first part of the form, I analyze the mentioned 5 locations, but I duplicate the table with financial losses according to the number of locations analyzed during the analysis?
In the next step, I duplicate part 2 of the sheet and analyze the resources of each location separately?
Table duplication, although feasible, won’t help you as much.
You should consider keeping all data in the same table, splitting the lines related to the issues you want to have by location. For example:
Instead of
or
You should adjust this line to
and
*: you apply this example to all resources you need to evaluate (e.g., data, servers, documents, services, etc.)
This way you will have all information you need in a single view.
Jul 12, 2021