INDIANAPOLIS, Ind. - Impact analysis is "a daunting task," said William Hord, VP-enterprise risk management (ERM) at Finance Center FCU here.
FCFCU spent about 13 hours per business unit completing its first business impact analysis (BIA): identifying and ranking all processes and their recovery metrics to determine how critical each process is to the enterprise.
In accounting, for example, the CFO, controller, accounting manager, financial analyst and Hord sat down and identified all business processes. The team rated each process against 11 threats, or "impact areas," including data breaches, lost revenue and member satisfaction, which are customized in Quantivate ERM software.
Each impact area was rated No, Low, Medium or High Impact in seven recovery time frames, according to the degree of impact on CU operations. Recovery time frames span from less than one hour to less than one month.
The team also set factors that might mitigate the threats to each process, thus lowering its risk, Hord said. "Mitigation may come in the form of training, capital expense, technology, new processes or more employees."
The Quantivate rating process delivered a score indicating the degree of threat impact as well as labeling the process anywhere from "Mission Critical" to "Low" criticality.
Each process is then graded from 0 to 5 on the impact and likelihood of nine risk profiles, including compliance, concentration, credit, interest rate, liquidity, operational, reputation, strategic and transaction.
"What this all means is that you can have processes that are very high in priority for business continuity, but they fall very low in risk to the organization because of the mitigating factors levied against them," Hord said. "The goal is to understand the difference and be able to place your resources towards systematically lowering the risk and impact or at least understanding them."
Finance Center FCU will revisit the BIA quarterly to keep it relatively fresh, he added. Soon, the analysis will include change management to consider the risk that employees pose to the organization.