Modeling business impacts
Posted: 13 Mar 2015, 21:19
I am trying to use a Business Impact Analysis which was developed for our organization, which is a state transportation agency. Business users (SMEs) were asked to provide a list of the central business processes and then rate the consequences of not performing a process with regard to its impact on seven different categories, including life, safety, legality and several others. The rating values were from 0 to 3 on likelihood of occurrence and on impact. Each process was then tied to a particular application so that we could determine the impact of the loss of a given application on the agency. Finally, a recovery point objective and a return to operations time objective were determined for each application.
My question is how best to model this in the Essential meta-model. My initial thought was to create each of the impacts (life, safety, etc.) as a security principle, but that does not seem to give me a link to the application or technology resources. I could put it in as a security classification, but each application should be rated on each of the seven impacts. We tend to classify our systems as either sensitive or nonsensitive, which is the expected outcome of this entire exercise.
My other option seems to be to enter the impacts as business performance measures, and the RTO and RPO as application performance measures. Would I then classify each application in security classification? And would I tie the performance measures to the security classification or to the application itself?
In any case, I assume that I will have to develop a custom report to display this information in the Essential Viewer.
Thank you for your answer.