Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

multi location vs BIA and RA performing

  Quote
Guest
Ernst Created:   Jun 10, 2021 Last commented:   Jul 12, 2021

multi location vs BIA and RA performing

Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. He's great and translates a lot. However, I have a problem with the approach to analysis in my case.

The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.

1. Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
2. Should I choose the largest location and analyze only one?
3. Or maybe I should complete 40 questionnaires?

I would like my approach to be in line with good business continuity practices.

How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 14, 2021

Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. He's great and translates a lot.

However, I have a problem with the approach to analysis in my case.

The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.

Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
Should I choose the largest location and analyze only one?
Or maybe I should complete 40 questionnaires?
I would like my approach to be in line with good business continuity practices.

A good approach would be to group locations with similar characteristics (e.g., number of employees, geographic location, etc.) and use a single analysis, identifying in the questionnaire to which locations it is applied. In terms of resources, you need to specify the resources used by each location (using averaged data can lead to errors in resource estimation in the definition of business continuity plans).

For further information, see:

How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?

To perform risk analysis you can use the same approach for BIA, i.e., perform risk assessment over the groups you have identified.

This article will provide you a further explanation about risk assessment:

This material will also help you regarding risk assessment:

Quote
0 1
Guest
Ernst Jul 06, 2021

Dear Rhand,

Thank you very much for your answer. I really appreciate your contribution to the development of the business continuity community.

In reference to the answer regarding the business impact analysis. As suggested, I divided my locations by the size - the number of employees and customers. And I will deal with the largest ones in the first place and, in accordance with your advice, I will analyze the resources of each of them separately.

There is one thing that puzzles me. Should I count financial losses on the form collectively (add up) or calculate the average loss? Is this consideration at all relevant to the idea of business impact analysis?

 

Best regards

Quote
0 0
Expert
Rhand Leal Jul 07, 2021

Like the definition of resources approach, I suggest you identify financial losses by each location (using collective or averaged data related to financial losses can lead to errors in impact estimation and in the definition of business priorities).

Quote
0 0
Guest
Ernst Jul 09, 2021

Sorry, but I don't really understand. Let me make sure.

I have 1 large process carried out separately in several dozen locations. I group these locations by size. I want to deal with the top five first. In the first part of the form, I analyze the mentioned 5 locations, but I duplicate the table with financial losses according to the number of locations analyzed during the analysis?

In the next step, I duplicate part 2 of the sheet and analyze the resources of each location separately?

Quote
0 0
Expert
Rhand Leal Jul 12, 2021

Table duplication although feasible, won’t help you as much.

You should consider keeping all data in the same table, splitting the lines related to the issues you want to have by location. For example:

Instead of

https://i.imgur.com/u409PB5.png

or

https://i.imgur.com/DJ7Ta3U.png

You should adjust this line to

https://i.imgur.com/FrjgAmm.png 

and

https://i.imgur.com/0EOAwgf.png

*: you apply this example to all resources you need to evaluate (e.g., data, servers, documents, services, etc.)

This way you will have all information you need in a single view.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 10, 2021

Jul 12, 2021

Suggested Topics

Guest user Created:   Jul 20, 2021 ISO 27001 & 22301
Replies: 1
0 0

Question about BIA form

Bills Created:   May 25, 2021 ISO 27001 & 22301
Replies: 3
0 0

BIA and Risk Assessement