What is a Business Impact Analysis (BIA)?
The EBA Guidelines EBA/GL/2019/04 set out requirements for the management of ICT and security risks. In the business impact analysis, serious business interruptions are analysed and their potential impact (including the impact on confidentiality, integrity and availability) is evaluated both quantitatively and qualitatively.
Institutions should use internal and/or external data (e.g. data from third-party providers relevant to the business process, or publicly available data that may be relevant for the BIA) and scenario analyses.
The BIA should also take into account the criticality of the identified and classified business functions, the support processes, third parties and IT assets and their dependencies.
ICT systems and ICT services should be designed and aligned with the BIA so that, for example, critical components are built redundantly in order to prevent disruptions caused by events affecting those components.
Book the seminar What is a Business Impact Analysis (BIA)? online, conveniently and easily, with the online seminar form (product no. A04).
Target group for the seminar What is a Business Impact Analysis (BIA)?
- Board members and managing directors at banks, financial service providers, capital investment and fund companies, leasing and factoring companies
- Managers and specialists from the areas of emergency management, outsourcing management, IT compliance, compliance officers and internal audit.
How you benefit from the seminar What is a Business Impact Analysis (BIA)?
#1 Tasks and duties of the business continuity manager
#2 Business impact analyses and risk impact analyses
#3 Ongoing monitoring duties of the business continuity manager
Get a head start with the seminar What is a Business Impact Analysis (BIA)?
Each participant receives the S+P Tool Box with the seminar:
+ Guide to BCM (approx. 30 pages)
+ Sample reporting for Business Continuity Manager
+ S+P Tool Risk Impact Analysis for more audit security
#1 Duties and Responsibilities of the Business Continuity Manager
MaRisk AT 7.3: The significantly expanded range of tasks of the BCM:
- Objectives for business continuity management and derivation of a business continuity management process
- Business continuity concept for time-critical activities and processes
- Determination of suitable measures to reduce damage
New reporting obligations: at least quarterly reporting on the state of emergency management
Contingency concept with business continuity and recovery plans
Outsourcing interface: Outsourcers and insourcers must have coordinated contingency plans.
#2 Business Impact Analysis and Risk Impact Analysis
Stricter requirements for business impact analyses:
- Impairment of activities and processes
- Type and scope of the (im)material damage
- Time of the failure
Risk impact analyses for the identified time-critical activities and processes:
- Identifying and evaluating potential threats
- Carrying out the qualitatively tightened risk analysis based on uniform scoring criteria
Consideration of emergency scenarios:
- (Partial) failure of a site (e.g. due to flooding, major fire, area closure, failure of access control)
- Significant failure of IT systems or communication infrastructure
- Failure of a critical number of employees
- Failure of service providers (e.g. suppliers, electricity suppliers)
#3 Ongoing monitoring duties of the business continuity manager
MaRisk + BAIT: Requirements for monitoring and control actions
Standards for management and control activities and their implementation
Audit-proof assessment of the impact and risk analyses:
- The effectiveness and appropriateness of the emergency plan must be checked regularly.
- For time-critical activities and processes, the relevant scenarios must be verified at least annually and as required.
Reviews of the emergency concept are to be logged:
- Results are to be analysed with regard to necessary improvements.
- The results are to be communicated in writing to the responsible persons.
This could also interest you as a business continuity manager
MaRisk 6.0: Stricter requirements for emergency management. Requirements for business continuity management from the ICT Guidelines are implemented in the newly drafted section AT 7.3.
Risk analyses must be carried out for all time-critical activities and processes identified in the impact analysis that precedes them. The emergency concept must show which alternative solutions are promptly available in an emergency and how a return to normal operation should proceed.
This is based on an overview of all activities and processes (e.g. in the form of a process map). The effectiveness and appropriateness of the emergency plan must be checked regularly.
#1 MaRisk 6.0: Stricter requirements for business continuity management
Chapter AT 7.3 Emergency management has now been worded as follows:
- The institution must define goals for business continuity management and, derived from these, a business continuity management process. Provisions must be made for emergencies in time-critical activities and processes (emergency concept). The measures defined in the emergency plan must be suitable for reducing the extent of possible damage. The emergency plan must be updated as required, checked annually to ensure it is up to date, and communicated appropriately. Management must receive written reports on the state of emergency management at least quarterly and as required.
- The contingency plan must include business continuity and recovery plans. Business continuity plans must ensure that backup solutions are available in a timely manner in the event of an emergency. Recovery plans must allow a return to normal operations within a reasonable time. Appropriate internal and external communication must be ensured in emergencies. If time-critical activities and processes are outsourced, the outsourcing institution and the service provider must have coordinated contingency plans.
- The effectiveness and appropriateness of the emergency plan must be checked regularly. For time-critical activities and processes, this must be demonstrated at least annually and as required for all relevant scenarios. Reviews of the emergency concept are to be logged. Results are to be analysed with regard to necessary improvements. Risks must be controlled appropriately. The results are to be communicated in writing to the responsible persons.
The MaRisk provide the following explanations on the more stringent requirements for business continuity management.
#2 Time sensitive activities and processes
In principle, activities and processes are time-critical if their impairment would be expected to cause unacceptable damage to the institution within a defined period of time.
The institution carries out impact analyses and risk analyses to identify time-critical activities and processes, the supporting activities and processes, the IT systems and other resources they require, and the potential threats. This is based on an overview of all activities and processes (e.g. in the form of a process map).
#3 Impact analysis – MaRisk 6.0: Stricter requirements for business continuity management
In impact analyses (business impact analyses), the consequences that an impairment of activities and processes can have for business operations are considered over graduated periods of time. The impact analyses should consider, among others, the following aspects:
– Type and extent of the (im)material damage
– Impact of the time of the failure on the damage (e.g. failure of payment transactions during peak business hours)
#4 Risk Analysis – Business Continuity Manager: Roles and Responsibilities
In risk analyses (risk impact analyses) for the identified time-critical activities and processes, the potential threats that could impair those time-critical business processes are identified and evaluated.
#5 Contingency plan – Tasks and duties of the business continuity manager
Responsibilities, goals and measures for the continuation or restoration of time-critical activities and processes are determined in the emergency concept, and criteria for classification and for triggering the plans are defined.
#6 Emergency scenarios – MaRisk 6.0: Stricter requirements for emergency management
At least the following scenarios are taken into account here:
– (Partial) failure of a location (e.g. due to flooding, major fire, area closure, failure of access control)
– Significant failure of IT systems or communication infrastructure (e.g. due to errors or attacks)
– Loss of a critical number of employees (e.g. in the event of a pandemic, food poisoning, strike)
– Failure of service providers (e.g. suppliers, electricity suppliers)
#7 Reviews of the contingency plan – tasks and duties of the business continuity manager
The frequency and scope of the checks should always be based on the risk situation. Service providers are to be involved appropriately. Checks include, among other things:
– Testing of the technical precautionary measures
– Communication, crisis management and alarm exercises
– Emergency or general exercises
#8 What are the implementation deadlines for the new MaRisk 6.0?
The new version of the MaRisk comes into force upon publication. There is a transitional period until December 31, 2021.
For the documentation requirement related to the outsourcing register in AT 9 item 14 MaRisk, this applies only insofar as the obligation to maintain an outsourcing register already applies with the entry into force of the FISG on January 1, 2022.
Otherwise, the first day of application for this requirement as specified in the MaRisk follows from the law.
Different implementation periods apply to the adjustment of outsourcing contracts that already exist or are currently being negotiated.
A separate implementation period until December 31, 2022 is granted for these.
An adjustment of contractual relationships concluded on the basis of a public procurement procedure may be omitted, owing to the particular legal difficulties involved, insofar as these contracts are of limited duration and have to be re-awarded within the next five years. BaFin assumes that the new requirements will already be sufficiently taken into account in award procedures initiated from January 1, 2022.
Institutions with a high NPL portfolio must comply with the requirements of the NPE Guidelines immediately after the end of the transition period on December 31, 2021, provided that they have an NPL ratio of more than 5% on the two preceding quarterly reporting dates (September 30, 2021 and December 31, 2021).
The first quarterly reporting date relevant for classification as an institution with a high NPL portfolio is therefore September 30, 2021.
Participants have also booked the following seminars (MaRisk + SREP + Depot A):
Outsourcing controlling seminars
Risk Management Compliance Seminar