So what is impact analysis? It's basically identifying characterizing the impact of any business function and supporting system
in a business function that's critical to your organization.
Now some of the documents that cover
impact analysis and more death actually kind of split
across the federal space. Um, one of them missed 830 is specifically tailored to risk management, and the other one missed 861 is specifically tailored. Toe incident Management
Impact analysis occurs both before and after incidents air discovered, so it has feet both in risk management and in the carrying out of incident management.
So impact analysis and risk management, A Z said before missed 830 is
spells up part of why impact analysis involves such a heavy preparation phase.
so in risk management,
part of what you look for in determining risk
is both likelihood of an incident of a particular incident that is
occurring on a particular organizational function
as well as its impact. So you look for likelihood times impact equals risk.
So part of the preparation
in determining what risk your organization is dealing with
preparatory impact analysis. Assessment is the first step in impact analysis the preparation to conduct the impact analysis.
Second is the actual conduction of impact analysis itself. This happens when incidents are taking place or when impact is occurring on your organization. After you measure that potential impact, the next step is measuring the impact of individual incidents or groups of incidents as they're occurring or after they've occurred.
So just 861 specifically references this partisan. The handling of the incident is perhaps the most important critical decision point the incident handling process.
impact analysis section of incident handling
basically lets you triage incidents
brings it up in sophistication from simply being a first in first out way of Hansel handling incidents. You wanna handle incidents in the order in which they
our most impactful to your organization, like whatever your critical functions are
and what that whatever is impacting them? You wanna handle those incidents first,
So we kind of gave a little intro to this, but now we're gonna talk a little bit more about how to prepare to conduct impact analysis on your organization and its organizational functions.
How do you determine impact
first I need to know the potential impact of failure or degradation to constituents, assets or lines of business. This can include anything from an organization, will functions, degradation or it's complete failure.
You have to understand and organizations baseline functionality to perform good impact analyses of other situations.
if your organization doesn't really understand its function or what it does,
you won't really have a good understanding of how an incident is impacting your organization.
When should your organization conduct?
And in fact, analysis, Ideally,
before an incident actually starts.
You start the preparation phase and start cataloguing your functions
impacts could potentially, uh,
So the more you know about your function is your assets, the quicker you're Ceaser came to conduct impact analysis. Once these do occur,
it is really critical toe. Take that inventory
your incident analysis process isn't just overwhelmed with trying to figure out
what the impact is to organization
during an incident when,
frankly, resource is arm or scarce than they are during down time.
Planning is valuable, Um,
but incidents will occur that require you to alter existing plans or create new plans.
Consider some things when you're Ceasar encounters a situation. But what you have no plan. How do you respond?
Kind of. It's the idea of planning for not having a plan. Do you have
ideas for how to build plans on the fly?
during your preparation phase, do you have notification? You need to make a list of notification requirements?
a way to alter those requirements on the fly? Can you,
easily like this may sound trivial, but
with the way your information set up, can you easily bring to contact list together in orderto notify a constituent about impact of incident?
Can you get in touch with your consistent quickly to determine a course of action?
Part of the preparation phase might be planning for
a potential impact to a function
and putting a contact list together for each individual function and
making sure that those lists exists in the same spot and are accessible to everybody on your incident management team or any other constituent that might have ah need toe have access to it.
Um, finally, a plan like we said before for not having a plan plan to be able to,
document things on the fly
Thio. Determine impact on the fly.
Really Take the time to
learn how your organization works and learn how your impact preparation
worked. So they when you need to do it quickly, you can.
Some considerations fridge process asked these, um,
what dependencies exist for? Service is in functions. When you're conducting impact analysis,
you might be looking at a particular organizational function
and ignoring dependencies that exists below it, that will, if impacted themselves, degrade the performance of that particular organization function.
Um, it's important tohave
a idea of what dependencies, existing organisation have it mapped out and ready as part of your plan.
In addition to having a dependency chart, you need to understand
assuming a function is impacted. How long can your constituents deal without that particular function?
part of impact analysis is not only determining
it will impact your constituents, but how long you can do without something if you can. If a process is particularly critical, it may be important no matter what to keep it online and even a degradation fashion
if it's not particularly important, or if it's more important to get it back to a full functionality.
It may be best to leave a process. Bring a process off line, and you need to have a record
on hand about how long a particular constituent can deal
with an incident while that process is off line.
So some considerations
a lot of, ah healthcare providers, for instance, have processes that, if taken off line,
our life threatening. So how do you deal
with impact to systems that have taken off line?
Might actually pose a threat or oppose a physical harm to your employees or to your constituents?
And finally, does your organization have a legal requirement to function at a certain level?
Certain places are legally mandated. Thio meet a certain level of service. You always have to be able to provide information to constituents in some areas,
so maintaining that minimum level of service
might be your absolute,
absolute top line requirement.
So how do you maintain even a degradation form of service,
when you're dealing with an incident