Technology Models

Business Impact Analysis

Version: 3.0
Status: Approved: 07/29/03
Contact:  Valerie Adkins

PURPOSE

To complete the process that identifies and prioritizes critical business functions and to comply with COV ITRM Standard SEC2001-01.1.

SCOPE

This process covers all System Office, VCC Utility and college business processes and the applications that support them.

APPLICABILITY

This process is applicable to the System Office, VCC Utility, and the twenty-three colleges.

MODEL

The model developed in this document define a minimum set of expectations. The model will be reviewed as necessary to reflect changes in the use of technology, State and Federal Laws and State Policies, and Directives.

EXPECTATIONS

The System Office, VCC Utility, and each college will allocate the appropriate resources to conduct a Business Impact Analysis and Risk Analysis if necessary.  It is not expected that each college will follow these guidelines in total, only to the extent that the purpose noted above is fulfilled.

GUIDELINES

The parties responsible  for conducting a Business Impact Analysis are the College Presidents and the System Office Vice Chancellors.  Initially, all business functions and systems must be reviewed; however, additional reviews can often isolate specific business functions, and/or systems at the discretion of the President or Vice Chancellor.  The following steps listed below describe how the Business Impact Analysis and Risk Analysis should be conducted:

Risk Assessment Coordinator

A Risk Assessment Coordinator is appointed to coordinate this review. The person selected should be a mid-level manager that has a good understanding of business activities applications and support services. This person will serve as the single point of contact for ensuring that a Business Impact Analysis is completed.

Forms to assist with the Business Impact Analysis are listed below:  

• Business Impact Analysis, Form 1 
• Business Impact Analysis, Form 2
• Business Impact Analysis, Form 3

* These forms can be download, completed, and emailed to the designated Risk Assessment Coordinator.

Business Impact Analysis: Form 1

Business Impact Analysis Form 1 is completed to:

1. Identify ALL business activities (i.e., Academic activities, Accounting activities, Budget and planning activities, etc.)
2. Ranks their importance to the agency from 1 being most important to 3  being least important.

* Example Business Activities

Business Impact Analysis: Form 2

Business Impact Analysis Form 2 is prepared for each business activity identified as a Weight of "1" on Form 1.  Form 2 is distributed to the individual deemed to be the "Application Owner", who then completes and returns the Form 2 to the Risk Assessment Coordinator.  All applications or manual processes upon which the business activity is dependent to produce its product(s) and/or service(s) must be listed.

          Business Impact Analysis: Form 3

Business Impact Analysis (Form 3 - "Business Impact Analysis Application Profile Sheet") are prepared for each application identified as critical and/or confidential on Form 2. Form 3 is distributed to the individual deemed to be the "Application Owner", who then completes and returns Form 3 to the Risk Assessment Coordinator.

Summary of the Business Impact Analysis

An Executive Summary should be prepared to advise the College President or Vice Chancellor of the findings and to carefully document all the business activities that have been identified as being critical to ongoing operation of the college, VCC Utility, or System Office. The Executive Summary could contain the following components:

1. From Form 1, identify all business activities, their owner, and the appropriate weight from 1 (highly critical) to 3 (not critical for business operations). Document the specific office or business unit that completed the forms (i.e., Fiscal Services, Human Resources, etc.). For each business unit or office, document the number of business activities, the relative weight assigned and the percentages for each weight.
2. From Form 2, identify all applications associated with the business activities identified on Form 1. Determine which applications support critical and/or confidential business activities. Document the number of unique applications that were identified as being critical to a business activity. Describe the type of environment (i.e., mainframe, LAN, desktop, manual, etc.) supporting each application and the total number of applications for each environment. Also document the  the acceptable down time (denotes how long this application can be inaccessible without causing critical problems to business activity) assigned to each application .
3. From Form 3, identify and rank the most critical applications.
4. Identify potential exposures, threats or problems. Distinguish between those that can easily be corrected and those that will require additional action. Provide and action plan with associated target dates for corrective action.

Final Review

The College President or Vice Chancellor should review and approve the results.  Copies of the completed Forms 1, 2, 3 and Executive Summary must be kept by the College for audit review.

---

Return to Technology Models