Modeling business impacts

jcwillard
Posts: 9
Joined: 27 Mar 2014, 15:18

I am trying to use a Business Impact Analysis which was developed for our organization, which is a state transportation agency. Business users (SMEs) were asked to provide a list of the central business processes and then rate the consequences of not performing a process with regard to its impact on seven different categories, including life, safety, legality and several others. The rating values were from 0 to 3 on likelihood of occurrence and on impact. Each process was then tied to a particular application so that we could determine the impact of the loss of a given application on the agency. Finally, a recovery point objective and a return to operations time objective were determined for each application.

My question is how best to model this in the Essential meta-model. My initial thought was to create each of the impacts (life, safety, etc.) as a security principle, but that does not seem to give me a link to the application or technology resources. I could put it in as a security classification, but each application should be rated on each of the seven impacts. We tend to classify our systems as either sensitive or nonsensitive, which is the expected outcome of this entire exercise.

My other option seems to be to enter the impacts as business performance measures, and the RTO and RPO as application performance measures. Would I then classify each application in security classification? And would I tie the performance measures to the security classification or to the application itself?

In any case, I assume that I will have to develop a custom report to display this information in the Essential Viewer.

Thank you for your answer.
jonathan.carter
Posts: 1087
Joined: 04 Feb 2009, 15:44

Thanks for your post.

The categories that you have described sound like risks and as such, you could capture them as instances of the Risk class. You can capture the details of a Risk and then relate it to any elements in the repository that the Risk affects, via ‘Related Business Elements’, ‘Related Application Elements’, etc.

On these Risks, you can also capture any Controls that you have in place to manage them, and from those Controls, the Policies that you have in place to ensure that the Controls are being applied.

In terms of the Impact of each risk (the 0-3 likelihood), you could add an extension slot to capture that against each Risk. Alternatively, you could even use Taxonomy with your likelihood Terms and classify each Risk Instance accordingly.

Note also that on the Business Process to Application relationships (which are relationship classes), there is a ‘Business Criticality’ slot to capture how critical that application is to the process. These are captured as Service Qualities and Service Quality Values, which enable us to capture any qualitative measure of the criticality, each with its own set of values, e.g. availability, scalability, security, etc., which could be of use to you. Perhaps you could create RTO and RPO Service Qualities with their relevant Service Quality Values? These criticalities are not just about the Application but the relationship between the specific process and that application (in the case of Physical Processes to Application Providers).

This is similar to what you’ve suggested about using performance measures - which also sound like a good idea. If the idea of measuring the performance of the applications rather than the criticality more naturally reflects the way your organisation sees this, then that could work, too. I’m not sure that a Security Classification makes as much sense, though. The idea of the security classes is more about things like access control - not implementing it in the tool but being able to report against the security policies and the access to any secured resource that any element has.

In terms of Views, you would be looking at a custom View to pull together what you need here. However, there should be some good examples of the types of layouts that you might need and the queries that you would need to realise your View.

Do let us know if you need any help with that.

Jonathan
Essential Project Team