
Business Impact Analysis for a Payroll System

   

Added on  2022-11-30

1. Overview
This BIA (Business Impact Analysis) is developed as a component of the contingency planning process for
a payroll system (PS) for a medium-sized company. It was prepared on September 10th, 2019.
1.1 Purpose
The purpose of the BIA is to identify and prioritize system components by correlating them to the
mission/business process(es) the system supports, and using this information to characterize the impact on
the process(es) if the system were unavailable.
The BIA is composed of the following three steps:
1. Determine mission/business processes and recovery criticality. Mission/business processes
supported by the system are identified and the impact of a system disruption to those processes is
determined along with outage impacts and estimated downtime. The downtime should reflect the
maximum that an organization can tolerate while still maintaining the mission.
2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the
resources required to resume mission/business processes and related interdependencies as quickly
as possible. Examples of resources that should be identified include facilities, personnel,
equipment, software, data files, system components, and vital records.
3. Identify recovery priorities for system resources. Based upon the results from the previous
activities, system resources can more clearly be linked to critical mission/business processes.
Priority levels can be established for sequencing recovery activities and resources.
This document is used to build the {system name} Information System Contingency Plan (ISCP) and is
included as a key component of the ISCP. It also may be used to support the development of other
contingency plans associated with the system, including, but not limited to, the Disaster Recovery Plan
(DRP) or Cyber Incident Response Plan.
2. System Description
The overall architecture of the PS is a client-server architecture. The company has several divisions and
different branches distributed within one city and also in other cities. The PS is based on a cloud
architecture in which the application is installed within a hybrid cloud system to enable access to
information from any department/branch from the central Human Resource office located at the head
office of the company. The application is thus implemented as SaaS (software as a service) and also has
a physical server located in the company's data center with a bridge to the public cloud. It is implemented
over a WAN (wide area network) and linked to the LANs (local area networks) found at each branch and
department.

The PS gathers employee data from the attendance management system as well as from the
CRM/sales management system (for sales staff) and updates these to the central database, which contains
detailed employee information and data, including role, remuneration rate, benefits, leave days,
performance bonuses, qualifications, trainings attended, as well as personal details. When a new
employee is hired, all their information is entered into the main database and they are assigned a unique
employee number as well as their pay rates, bonuses, and leave days. Each time an employee checks in to
work, they must swipe or touch a fingerprint employee attendance system that clocks in the time they
started work, and they swipe or touch it again when they leave or at the end of the work day. This
information is then automatically uploaded and updated to the hybrid cloud employee and HR database
over a WAN. At the end of a given period or week, the payroll system automatically computes the employee
pay; the HR officer can add parameters for additional bonuses, commissions, or leave days, and these
feed into the computed employee payment. The system then automatically makes statutory deductions, including
taxes, membership fees, or loans advanced to the employee, and computes the final pay, which can be
printed.
3. BIA Data Collection
3.1 Determine Process and System Criticality
Step one of the BIA process - Working with input from users, managers, mission/business process
owners, and other internal or external points of contact (POC), identify the specific mission/business
processes that depend on or support the information system.
| Mission/Business Process | Description |
|---|---|
| Record and store employee details | This involves recording employee personal data such as academic and industry qualifications, date hired, role, base pay, bonus pay, performance-based bonuses such as commissions, their address, and work station/department/branch. |
| Record and store employee attendance data | Involves capturing employee attendance times (work hours) using the integrated attendance system. |
| Record and store performance-based bonuses | Involves capturing performance bonuses such as commissions due to employees and sales staff. |
| Record and store leave days | Involves recording applications for leave days (or the lack thereof) and storing them in the database. |
| Compute overtime | Involves recording and computing total overtime worked. |
| Compute statutory deductions | Involves calculating all statutory deductions such as taxes, automatic membership fees, and loan deductions for every employee. |
| Generate reports of final pay | Involves the system creating a payslip report for every employee and sending them to the accounts department. |
| Update employee details | Involves the system updating employee details such as trainings attended, promotions, additional roles, or the employee leaving or being transferred to another work station. |
3.1.1 Identify Outage Impacts and Estimated Downtime
Outage Impacts
The following impact categories represent important areas for consideration in the event of a disruption or
impact.

Impact category: {Network down-time}
Impact values for assessing category impact:
Severe = {Application remains inaccessible/non-functional or unavailable for more than 24 hours}
Moderate = {Application remains inaccessible/non-functional or unavailable for between 6 and 24 hours}
Minimal = {Application remains inaccessible/non-functional or unavailable for less than 12 hours}
The table below summarizes the impact on each mission/business process if {system name} were
unavailable, based on the following criteria:
| Mission/Business Process | {Severe} | {Medium} | {Low} | {Inconsequential} | Impact |
|---|---|---|---|---|---|
| Log employee attendance times and overtime | >24 hours | 6-24 hours | 15 minutes to 6 hours | <15 minutes | Very high |
| Capture employee performance bonuses | >24 hours | 6-24 hours | 15 minutes to 6 hours | <15 minutes | High |
| Calculate employee salary including statutory deductions | >24 hours | 6-24 hours | 15 minutes to 6 hours | <15 minutes | Very high |
| Record and update employee details | >24 hours | 6-24 hours | 15 minutes to 6 hours | <15 minutes | Medium |

The {Severe}, {Medium}, {Low} and {Inconsequential} columns are the impact categories.
Estimated Downtime
Working directly with mission/business process owners, departmental staff, managers, and other
stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.
Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time
leaders/managers are willing to accept for a mission/business process outage or disruption and
includes all impact considerations. Determining MTD is important because failing to do so could leave
continuity planners with imprecise direction on (1) selection of an appropriate recovery method,
and (2) the depth of detail which will be required when developing recovery procedures,
including their scope and content.
Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system
resource can remain unavailable before there is an unacceptable impact on other system
resources, supported mission/business processes, and the MTD. Determining the information
system resource RTO is important for selecting appropriate technologies that are best suited for
meeting the MTD.
Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or
system outage, to which mission/business process data must be recovered (given the most recent
backup copy of the data) after an outage.
