Using Operational Scenario Analysis
The Operational Scenario Analysis use case supports the following processes:
On this page
BIA Creation
BIA Campaign Generation
The BIA Campaign automates the creation of Business Impact Analysis records based on the selected scoping methodology. Depending on the chosen scoping methodology, the BIA campaign will create BIA records for either the selected Business Processes, Products and Services, or Business Units. You can associate a BIA record to more than one campaign at a time but only to a single business process or product and service. If a business process or product and service already has a BIA created, the system links the existing BIA record to the new BIA campaign after the campaign starts. To start the campaign, click Generate BIA. This action enrolls the campaign record into advanced workflow and triggers the BIA Campaign JS Data Feed, which then generates BIA records. All BIAs associated with a BIA campaign are listed in the Related Business Impact Analysis section of the campaign record.
BIA Manual Creation and Submission
During manual creation, you must first select to scope by either business processes or products and services. You are prompted to select either the business process or the product and service to evaluate. Once you update the general information section, the record is enrolled in the advanced workflow upon save. During this period any dependency mapping that was performed in the evaluated business process or product and service is copied to the Supporting Infrastructure tab of the Business Impact Analysis (BIA) record using a data feed. Once the data feed is complete, the Criticality Assessment tab is displayed. Depending on the selected scoping method, either the Business Process Manager or Product and Service Manager will answer questions related to the impact categories. After all the questions are complete and the record is saved, an Overall Criticality Rating is calculated for the BIA. The Supporting Infrastructure tab is displayed. You can either validate the supporting infrastructure that was copied from the corresponding record or perform dependency mapping if it has not yet been completed. The record is then sent to the Business Process Owner or Product and Service Owner for their review by clicking Submit under the Actions drop-down. The record is advanced in the workflow and a notification sent to the corresponding Business Process Owner or Product and Service Owner. The reviewer can either reject the record, return it to the submitter for more information, or approve the submission. Approved BIA records initiate a data feed that copies the supporting infrastructure contained in the BIA to the corresponding business process or product and service. Additionally, the Overall Criticality Rating is inherited by the business process or product and service and cascades down to all pieces of supporting infrastructure.
BIA Review Phase
A BIA record undergoes a single level of approval. The Business Process Owner or the Product and Service Owner of the corresponding evaluated business process or product and service receives a notification. They can approve or reject the BIA record or send it back to the submitter for more information.
After a BIA has been approved, the Actual Date of Completion is populated, and the review date for the next assessment is set based on the overall criticality of the BIA record. At this point, the supporting infrastructure contained in the BIA record and the Overall Criticality Rating are copied to the corresponding evaluated record. The Business Impact Analysis - Archive Feed is preconfigured to copy approved Business Impact Analysis records into the BIA Archive on a daily basis.
Impact Tolerance Definition
Each product and service can have multiple impact tolerances. Either the Product and Service Manager or the Product and Service Owner can create impact tolerances for their corresponding products and services. On creating an impact tolerance record, they choose the impact type, select the corresponding product and service, and identify the maximum tolerable period of disruption (MTPD) for the impact tolerance. On saving the record it is enrolled in the advanced workflow. While every impact tolerance must have a time-based metric, regulatory guidance is clear that they can also include additional quantitative or qualitative values. You can identify these values by selecting either the quantitative or qualitative type and entering the appropriate value to be tested. Additionally, you can define the impact over time used to document the tolerance for disruption during each period. Once the necessary information is updated in the record, submit it for review by clicking Submit under the Actions drop-down. A notification is sent to the selected BCM program leader member for review. The reviewer can either reject the record, return it to the submitter for more information, or approve the submission. Once an impact tolerance record is approved, it is set to the current status and will expire one year from its approval date. Impact Tolerances can be re-enrolled in advanced workflow at any time.
Operational Scenario Analysis Creation
Operational Scenario Generation from Library
The Operational Scenario Library application serves as a catalog of Operational Scenario templates. You can use these templates to generate new Operational Scenario Analysis records, instead of creating them from scratch. You can then use them to test impact tolerances against the defined scenario types.
You can use the Operational Scenario Library application to automate the creation of Scenarios for each for the products and services selected.
Operational Scenario Analysis Creation and Submission
A Scenario Analysis can be performed on multiple products and services by users associated to the Scenario Lead record permission. On creating a new record, select the type of scenario to conduct one or more products and services to test, and the impact tolerances related to the products and services to test. Only approved impact tolerances are selected for testing. Saving the record enrolls it in the advanced workflow. A data feed runs that generates a Scenario Results record for each selected impact tolerance. Once the data feed is complete, the Analysis tab is displayed where the scenario results can be interacted with in two ways:
-
Inline edit is used to enter the actual period of disruption, actual quantitative impact, and actual qualitative impact. Once all scenario results are acted on through inline edit and saved, the Overall Result is calculated by comparing the input numbers to the impact tolerances. Any scenario result with metrics that exceed the defined impact tolerance thresholds will fail, which causes the overall Scenario Analysis record to be outside tolerance.
-
Drilling into the record, you can enter the actual period of disruption, actual quantitative impact, and actual qualitative impact. On saving the record, if any of the impact tolerance metrics are exceeded, the scenario result fails. This causes the point of failure values list to appear. From a list of dependency values, you can select where the point of failure occurred. A cross-reference is displayed for each selected point of failure. You can then select the point of failure in each cross-reference that was identified as supporting infrastructure for the product and service during the dependency mapping stage. Once the record is saved, the identified points of failure cascade up to the related Operational Scenario Analysis record.
Once the Scenario Analysis record is complete, it is submitted to the Scenario Owner for review by clicking Submit under the Actions drop-down. A notification is sent to the selected Scenario Owner member for their review.
Operational Scenario Analysis Review Phase
The reviewer can either reject the record, return it to the submitter for more information, or approve the submission. Once an Operational Scenario Analysis record is approved, findings are generated for any failed scenario result which roll up to the corresponding Scenario Analysis record.
Note: You can use the Third Party Resilience Assessment to view the Overall Resilience of your business units, divisions, and company across the five resilience pillars, if you have the Third Party Risk Management license.