Operational Scenario Analysis Use Case Design

Architecture Diagram

The following diagram shows the relationships between the applications in the Operational Scenario Analysis use case.

[Diagram: Relationships between the applications in the Operational Scenario Analysis use case]

Applications

Application

Description

Business Impact Analysis

The Business Impact Analysis (BIA) application enables organizations to inventory their customer-facing products or services and their dependencies (internal business processes, systems, people, and locations). The BIA is an analysis tool designed to apply decision criteria to help organizations determine the criticality for each product or service. The BIA can also be used to determine criticality at the business process level per traditional business continuity approach. A BIA should be completed for each product and service, or for each business process, depending on the methodology used by the organization.

The resulting criticality ratings provide the focus needed to prioritize efforts to build resilience into producing and providing the products or services across the related dependencies.

Resilience Threat Register

The Resilience Threat Register is used to document known threats and associate them with specific Operational Scenarios or BC/DR plans. As threats are identified through various sources, such as enterprise risk management efforts or trends, those applicable to a target of BC planning should be included in the Resilience Threat Register.

Impact Tolerances

The Impact Tolerances application enables organizations to define the maximum tolerable period of disruption to important products and services. It identifies the type of impact, such as harm to consumers, market integrity, market participants, threat to financial stability, policyholder protection, and safety and soundness. Impact tolerances must always be expressed as a unit of time (hours, days, or weeks), but can also include other metrics such as financial loss, impact to reputation, regulatory impact, and consumer impact. Impact tolerances can also be defined over time to identify the resilience during each time period.

Operational Scenario Library

The Operational Scenario Library application serves as a catalog of Operational Scenario templates. Those templates can be used to generate new Operational Scenario Analysis records without having to create them from scratch. Those scenarios can then be used to test impact tolerances against the defined scenario types.

Operational Scenario Analysis

The Operational Scenario Analysis application enables organizations to test predefined impact tolerances against severe, yet plausible scenarios such as cyber events, pandemics, natural disasters, supply chain disruptions, or data breaches. Scenarios can be linked to key organizational pillars such as cyber resilience, IT resilience, facilities, people, or third parties. Multiple impact tolerances can be tested for each scenario, and the results are rolled up to the parent scenario. For failed impact tolerances, the point of failure among the supporting assets can be identified for reporting purposes.

Scenario Results

The Scenario Results application leverages the Scenario Results Creation Feed to merge portions of Impact Tolerance and Operational Scenario Analysis records for testing. A record is created for each impact tolerance being tested as part of a scenario. The actual period of disruption and the quantitative and qualitative results for each scenario are entered and then compared against the predefined impact tolerance. Any metric that exceeds the predefined tolerance will result in a failed Impact Tolerance record. Additionally, users can identify the failed resource among the dependency chain. Scenario Results that fall outside of impact tolerances automatically generate findings, and the formal Issues Management process can be followed.

BIA Campaign

The BIA Campaign application creates new Business Impact Analysis records based on the selected scoping methodology and links existing BIA records discovered during the campaign.

BIA Archive

The BIA Archive application serves as the archive for Business Impact Analysis records that have completed their workflow. Whenever a BIA completes a workflow and has a new approval date, a copy will be moved to this application via the Data Feed Manager. It tracks historical criticality, RTO/RPO, participants, responses, and cross-references.

Risk Register

The Risk Register application serves as the corporate controlled library of risks used by the entire organization. It allows you to capture the base data for a given risk statement and link risks to processes, objectives, key risk indicators, financial losses and mitigating control procedures.

Third Party Profile

The Third Party Profile application is used to document all the third party relationships used by an organization. In this application, the organizational structure of the third party relationship is established, third party contacts documented, and relationship manager, risk analyst, and procurement / legal officer accountabilities created. This application is the hub for navigation throughout the solution and contains summary metrics and reporting.

Products and Services

The Products and Services application maintains all products and services provided within an organization. For example, a financial services firm provides a variety of products and services, such as banking, brokerage, and lending services.

Note: The Products and Services application is included in the Enterprise Catalog package.

Personas and Access Roles

The following table describes the use case access roles.

Persona

Description

Product and Service Manager

The Product and Service Manager is responsible for the day-to-day management of a specific product or service. Along with the Product and Service Owner, they are responsible for mapping the infrastructure that supports delivery of the product and service and defining impact tolerances. The Product and Service Manager creates Business Impact Analysis records for their products and services.

Product and Service Owner

The Product and Service Owner is responsible for the final approval for all decisions related to the specific product or service. They are responsible for ensuring the sustainability of the asset when threatened by adverse conditions. Along with the Product and Service Manager, they map the necessary infrastructure that supports delivery of the product or service and define impact tolerances. The Product and Service Owner is responsible for reviewing Business Impact Analysis records submitted for their product and service.

Scenario Lead

The Scenario Lead is responsible for defining the conditions and parameters of a Scenario Analysis. This includes the type of scenario to be conducted, the required testing frequency, the method of testing, which impact tolerances to test, and providing all supporting documentation. For failed scenarios, they must identify the points of failure and submit the results to the Scenario Owner. The Scenario Lead may be a member of the Business Continuity Management team.

Scenario Owner

The Scenario Owner is responsible for the review and approval or rejection of a Scenario Analysis. The Scenario Owner may be a member of the Business Continuity Management or Crisis Management team. For failed scenarios, they identify the appropriate controls and methods for increasing the resilience of points of failure.

For detailed, page-level access rights, see the Data Dictionary.

Dashboards

This use case provides the following dashboards.

Dashboard

Description

Operational Resilience Task Driver

The Operational Resilience Task Driver dashboard contains quick links for frequent tasks and features. It contains metrics relevant to the current user, such as BIAs, Impact Tolerances, and Scenario Analysis. This dashboard uses interactive charts to display data, such as BIAs by criticality rating, Products/Services by Manager, Dependency Mapping Status, and the BIAs Overall Status.

The Operational Resilience Task Driver dashboard is available to all business resiliency access roles as it is filtered by the current user.

Operational Resilience Process Manager

The Operational Resilience Process Manager dashboard displays items relevant to users such as Product and Service Owners and Scenario Leads, to help them determine how processes are functioning and identify areas for improvement. This dashboard features metrics, such as expiring BIAs, products and services without dependency mapping, and scenarios coming due. This dashboard uses interactive charts to show data, such as dependency mapping by business unit and important products and services by category.

The Operational Resilience Process Manager dashboard is available to all users.

Operational Resilience Management

The Operational Resilience Management dashboard provides critical information to help the executive team understand the resilience of their company, division, and business units. This dashboard uses interactive charts to display data, such as impact tolerances across important products and services, points of failure, dependency concentrations, and scenario performance by resilience pillar. This dashboard also features metrics for important products and services, scenarios within tolerance, and scenarios outside tolerance.

Only users who are assigned to the BCM: Admin and BCM: Executive Management groups can view this dashboard.

Data Feeds

This use case provides the following data feeds. For instructions on setting up the feeds, see Setting Up Operational Scenario Analysis Data Feeds.

Data Feed

Description

Business Impact Analysis – Business Process Copy Feed

The Business Impact Analysis – Business Process Copy Feed is a Web Services Transporter feed that copies the supporting infrastructure from the evaluated business processes into the Business Impact Analysis application. The supporting infrastructure includes child processes, products and services, business unit, information assets, G/L accounts, and loss events. Once a BIA record is enrolled into the advanced workflow, the value of the DFM: BP/PS copy field is set to yes, which initiates the data feed. The data feed leverages the DFM_Copy Content From BP To BIA report contained in the Business Impact Analysis application.

Business Impact Analysis – Product and Services Copy Feed

The Business Impact Analysis – Products and Services Copy Feed is a Web Services Transporter feed that copies the supporting infrastructure from the evaluated product and service into the Business Impact Analysis application. The supporting infrastructure includes child products and services, business processes, third parties, facilities, contacts, devices, applications, and information assets. Once a BIA record is enrolled into an advanced workflow, the value of the DFM: BP/PS copy field is set to yes, which initiates the data feed. The data feed leverages the DFM_Copy Content From P&S To BIA report contained in the Business Impact Analysis application.

Copy BIA Supporting Infrastructure to Business Process Feed

Business Process Copy Feed is a Web Services Transporter feed that copies the supporting infrastructure from the evaluated business processes into the Business Impact Analysis application. The supporting infrastructure includes child processes, products and services, business unit, information assets, G/L accounts, and loss events. Once a BIA record is enrolled into the advanced workflow, the value of the DFM: BP/PS copy field is set to yes, which initiates the data feed. The data feed leverages the DFM_Copy Content From BP To BIA report contained in the Business Impact Analysis application.

Copy BIA Supporting Infrastructure to Products/Services Feed

The Copy BIA Supporting Infrastructure to Products or Services Feed is a Web Services Transporter feed that copies the supporting infrastructure from the product and service being evaluated as part of a Business Impact Analysis into the corresponding Product and Service record. The supporting infrastructure includes child products and services, business processes, third parties, facilities, contacts, devices, applications, and information assets. Once the BIA is approved by the Product and Service Owner, the data feed runs to copy the supporting infrastructure.

Business Impact Analysis – Archive Feed

The Business Impact Analysis – Archive Feed is a Web Services Transporter feed that copies approved Business Impact Analysis records into the BIA Archive application. This preserves historical information such as criticality, RTO/RPO, participants, and responses that may be altered over time in the original record. Once a BIA record is approved, the value of the DFM: Archive Flag field is set to yes, which initiates the data feed. The data feed leverages the DFM Archive report contained in the Business Impact Analysis application.

Operational Scenario Analysis Data Creation

The Operational Scenario Analysis Data Creation feed is used to automate the creation of Operational Scenario Analysis records. Based on the scenario type, an Operational Scenario Analysis record is created for each product and service selected. Additional data points such as the resilience pillars, scenario of stress, threats, risk, and controls are also copied to the new records.

Scenario Results Creation Feed

The Scenario Results Creation Feed is a Web Services Transporter feed that copies portions of Operational Scenario Analysis records and the impact tolerances being tested into the Scenario Results application. The data feed leverages the DFM – Create Scenario Results report contained in the Scenario Results application.

BIA Campaign JS Data Feed

The BIA Campaign JS Data feed is a JavaScript Transporter data feed that automates the creation of Business Impact Analysis records based on the selected scoping methodology and target records. The scoping method can be a Business Process, Business Unit, or Products and Services. Depending on the selected scoping methodology, the data feed generates Business Impact Analysis (BIA) records for the following:

  • On business process scoping, one BIA record is created for each selected business process record.

  • On products and services scoping, one BIA record is created for each selected products and services record.

  • On business unit scoping, BIAs are created either for business processes or products and services related to the selected business unit.

Note: To learn how to import the JS data feed, refer to the Platform Implementation Guide.

Data Dictionary

The Operational Scenario Analysis Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the solution by contacting your Archer Account Representative.