At the start of the engagement, the Engagement Manager should understand the business continuity requirements and
obligations so that the delivery setup can be adequately shaped to ensure continuity. The Client contract (master
agreement, Statement of Work and any appendices) must be reviewed to understand business continuity requirements. The
requirements may be listed in various ways, such as:
- Explicit business continuity obligation with Recovery Time Objectives and/or Recovery Point Objectives or Maximum Acceptable Outages
- Reference to ISO 22301
- Obligation of "resilience"
The Business Continuity profile should be updated in the Group Tool and the business continuity assessment should be filled
in if it is applicable. The assessment will provide clear visibility into potential actions that may be required to
comply with the continuity obligations.
The Business Impact Analysis must then be initiated for the engagement to analyze the criticality of the continuity of
the services/products delivered to the Client as a part of the engagement. For this the Engagement Manager must
identify which of the Client’s critical business services are underpinned by Capgemini services, and would be directly
impacted in case of a disruption. The Engagement Manager must also check if there are any specific continuity
obligations in the contract. If the outcome of the Business Impact Analysis indicates that there is no criticality and
no specific obligations, and the unit does not have any default continuity commitments, no further action is required
from the engagement.
If there is a criticality or obligation, the Engagement Manager should proceed with the Business Impact Analysis and
prepare a Business Continuity Plan for the engagement. Risk assessments must be carried out to identify the types of
incidents that the engagement can be exposed to, and which of these may lead to disruptions. The business impact
analysis must focus on consequences of these incidents.
The Engagement Manager should analyze:
- The impact of the disruption to Client and Capgemini including hard losses like SLA fines, regulatory judgements, financial losses; as well as soft losses like reputation loss, loss of competitive advantage, etc.
- The dependency of potential critical / vital services on assets, sub services, providers, people, location
- Interdependencies between critical services
- Key external and internal resources
- The facilities or locations that could be under threat or unavailable or inaccessible
- The data availability needed for the continuity of the services
- The availability and reputation (negative press) of suppliers
- The ability of suppliers (internal and external) to restore services as per strategies and the agreed service continuity indicators
- The means (location, people, network connectivity, assets, third parties etc.) needed to be mobilized to achieve continuity
- The sensitivity of client systems and data, and the system architecture (risk of the data being compromised because of a cyber incident)
- Different regulatory protocols across multiple locations
- The ability to meet the continuity requirements if there is a gap between what the client requires and what continuity time objectives the engagement can take. This includes understanding minimum target service level(s) as continuity requirement.