On Risk Management, Business Continuity, and Security
|29 March, 2017|
Activities are what an organization or business does.
In general we prefer the term activity over process because a business process generally involves a number of activities performed at different times and places by different people. We will need to model these separately if they have differing associated threats.
Typically you will create an activity by right-clicking either on the organization unit responsible for the activity, or on the location where the activity occurs.
Not all these sections will appear in every report.
|Description||A short description of the activity.|
|Location and Responsibility||Where the activity takes place and which part of the organization is responsible for it.|
|Recovery Time Objective||A table of values relating to how fast the activity can be recovered. See Recovery Time Objective.|
|Recovery Point Objective||A table of values relating to how much data the organization is prepared to lose in the event of a disaster. See Recovery Point Objective.|
|Direct Costs of Disruption||How much it will costs if the activity is not performed to some minimum service level, and how much it will cost to relocate the activity to an alternative location. See Direct Costs of Disruption below.|
|Dependencies||A table of the activities and resources upon which this activity depends or which depend upon this activity. It is assumed that dependent activities and resources will cease operation after the impact delay, if one is specified. Mutual dependencies are activities or resources which this activity directly or indirectly depends on and which also depend directly or indirectly on this activity. If one of a set of mutual dependencies is disrupted, then all of that set of mutual dependencies will (possibly after a delay) be disrupted.|
|Threats||Direct Threats are threats which apply specifically to this activity. Indirect threats are threats which threaten the location where this activity is located, or threaten an activity or resource this activity depends on.|
|Disruption Risk||Based on the direct and indirect threats, estimates of the probability of the activity being disrupted in a single year.|
|Disruption Consequences||A list of adverse events which will happen as a direct consequence of this activity being disrupted for a period of time.|
|Disruption Timeline (With Recovery)||Assuming that only this activity is disrupted, and that the activity is recovered by its RTO, the sequence of events and costs that will be incurred until all activities are resumed.|
|Disruption Timeline (No Recovery)||Assuming that only this activity is disrupted, and that the activity is not recovered, the sequence of events and costs that will occur along with the estimated costs. This can be used to estimate what will happen if the recovery time objective is not met.|
|Activity Categories||The set of activity categories to which this activity belongs.|
|Notes||A section intended for additional notes on such topics as how any data was gathered and what assumptions were made.|
In general the costs of a disruption to an activity will be a combination of hourly losses (due to the disruption) as well as the relocation costs required to run the activity at an alternative location.
The cost model allows for hourly costs to change twice to reflect possible changes in costs during an extended disruption.
Special care needs to be taken to avoid double-counting costs. For example, lost sales should only be counted once, and not at sales, shipping, and accounts receivable.
© Albion Research Ltd. 2017