Status: Approved: 07/29/03
Contact: Valerie Adkins
Risk Assessment Coordinator
A Risk Assessment Coordinator is appointed to coordinate this review. The person selected should be a mid-level manager who has a good understanding of business activities, applications, and support services. This person will serve as the single point of contact for ensuring that a Business Impact Analysis is completed.
Forms to assist with the Business Impact Analysis are listed below:
* These forms can be downloaded, completed, and emailed to the designated Risk Assessment Coordinator.
Business Impact Analysis: Form 1
Business Impact Analysis Form 1 is completed to:
- Identify ALL business activities (i.e., Academic activities, Accounting activities, Budget and planning activities, etc.)
- Rank their importance to the agency, from 1 (most important) to 3 (least important).
* Example Business Activities
Business Impact Analysis: Form 2
Business Impact Analysis Form 2 is prepared for each business activity identified as a Weight of "1" on Form 1. Form 2 is distributed to the individual deemed to be the "Application Owner", who then completes and returns the Form 2 to the Risk Assessment Coordinator. All applications or manual processes upon which the business activity is dependent to produce its product(s) and/or service(s) must be listed.
Business Impact Analysis: Form 3
Business Impact Analysis Form 3 ("Business Impact Analysis Application Profile Sheet") is prepared for each application identified as critical and/or confidential on Form 2. Form 3 is distributed to the individual deemed to be the "Application Owner", who then completes and returns Form 3 to the Risk Assessment Coordinator.
Summary of the Business Impact Analysis
An Executive Summary should be prepared to advise the College President or Vice Chancellor of the findings and to carefully document all the business activities that have been identified as being critical to ongoing operation of the college, VCC Utility, or System Office. The Executive Summary could contain the following components:
- From Form 1, identify all business activities, their owner, and the appropriate weight from 1 (highly critical) to 3 (not critical for business operations). Document the specific office or business unit that completed the forms (i.e., Fiscal Services, Human Resources, etc.). For each business unit or office, document the number of business activities, the relative weight assigned and the percentages for each weight.
- From Form 2, identify all applications associated with the business activities identified on Form 1. Determine which applications support critical and/or confidential business activities. Document the number of unique applications that were identified as being critical to a business activity. Describe the type of environment (i.e., mainframe, LAN, desktop, manual, etc.) supporting each application and the total number of applications for each environment. Also document the acceptable down time (how long the application can be inaccessible without causing critical problems to the business activity) assigned to each application.
- From Form 3, identify and rank the most critical applications.
- Identify potential exposures, threats or problems. Distinguish between those that can easily be corrected and those that will require additional action. Provide an action plan with associated target dates for corrective action.
Final Review
The College President or Vice Chancellor should review and approve the results. Copies of the completed Forms 1, 2, 3 and Executive Summary must be kept by the College for audit review.