
Business Impact Analysis Questionnaire

Date:

Interviewee:

1. Function Name:

2. High Level Business Process(es) Description - objectives, number of people, etc.

2.1 Run a SIPOC Analysis to document process steps (Optional)

Supplier Input Process Output Customer

2.2 Define the severity of Impact for each of the following categories (0 = No Impact, 4 = Severe Impact)

Impact Area Score


Cash Flow
Competitive Advantage
Shareholder Confidence
Financial Reporting
Regulatory
Image/Reputation
Employee Morale
Customer Service
Employee Resignations
Vendor Relations
Increases in Liability

3. Supporting Technology (Applications, Hardware):

3.1 Describe critical data/records required to run the process, including alternate source when available.

3.2 What types of reports are necessary? (Name, Frequency, Recipient) - i.e. Regulatory Reporting incl. Description of penalties

Name Frequency Recipient


4. Indicate the peak and/or critical time of year and/or day of the week, if any, for this Business Process:

Month: January, February, March, April, May, June, July, August, September, October, November, December
Day of week: Monday, Tuesday, Wednesday, Thursday, Friday
Period: Beg/End of Week, Beg/End of Month, Beg/End of Quarter, Beg/End of Year, Other

Please explain what causes this peak:

5. During this peak period, how long can your Business Process continue to function effectively without information systems?

< day
Up to 2 days
Up to 4 days
Up to 1 week
Up to 2 weeks
Up to 1 month
Up to 3 months
Up to 6 months

Monthly Impact Probe


For each month, define the severity of outage where 0 = No Impact, and 4 = Severe Impact

Jan Feb Mar Apr May Jun

Jul Aug Sept Oct Nov Dec

6. Using the following labels, indicate the relative impact of the loss of this business process for each of the time frame slots below.
Assume the outage is continuous and occurs during a time of peak business activity.

Fundamental: Extreme financial losses, irrecoverable damage to the company reputation, potentially out of business
Major: Severe financial losses & damage to the company reputation/competitive edge
Moderate: Loss of competitive edge and major impact on long term financial status
Minor: Major impact on the long term financial status
Insignificant: Major impact on the short term financial status

1 Hour
8 Hours Why:
24 Hours Why:
48 Hours Why:
1 Week Why:
1 Month Why:

Impact Probe:
How long will it take (in hours, days) to handle the backlog for each day of downtime?

Concurrent or sequential backlog processing?


7. Interaction & interfaces with other Business Processes, Clients, Vendors (if not already done in SIPOC)

8. Future Business Process changes & Timeframe - incl. Source of initiation (regulatory body, internal, customer, etc.)

9. Describe the types of decisions affected by lack of information system support/access to key data:

10. Tangible Impact (loss estimation) of 1 week of Business Process Downtime?

Reduced Income/Revenues
Loss of Productivity
Increased Cost of Sales
Increased Operating Costs
Increased Labor Costs
Remediation Costs (recup. efforts)
Loss of Efficiency, Staff immob.
Legal Costs, Fines, Late Fees

Restoration Probe
Define restoration complexity as easily recoverable, somewhat recoverable, difficult to recover, extremely difficult to recover:

Please identify any unique issues or concerns about recovering your business unit that have not been discussed:
Daily Business Impact Analysis

Purpose: Identify the financial impact that one week of Business Process Downtime would have on the business during peak operation.
Instructions: Follow the instructions given for each table.
Outputs: Business Impact Rating, which is exported to Business Risk Quotient.

1. Enter the cost information obtained in Question 10 "Tangible Impact" for an interruption of the Business Process for 1 week.
To be completed using the questionnaire information.
Tangible Impact / Definition / Costs

Reduced Income/Revenues
Definition: Lost revenues can occur when a system supporting a shipping process or a sales activity is down and the company is not able to deliver as many units as scheduled. This can have the adverse impact of losing customers or sales opportunities, impacting the revenues of the company, and ultimately income.
Costs: 10,000,000.00

Loss of Productivity
Definition: The system is down, causing a production shift to stand around or make work to keep busy rather than doing whatever it is they were hired to do. Call Center staff can't take or manage calls if the phones are down or their call management (CRM) systems aren't available. Production staff can't produce the product if the production line isn't functioning. Since staff still has to be paid, this time is considered a loss.
Costs: 1,000,000.00

Increased Cost of Sales
Definition: This can occur as a result of extra communication that is required to inform customers of your inability to take orders. Or, it could be the result of extra effort/time required to complete a sale. Any interruption of service that delays the sales cycle would potentially increase the cost of sales.
Costs: 0.00

Increased Operating Costs
Definition: If extra shifts are added to make up for the downtime, operating costs are going to increase. Extra utility costs or paying your support staff to stay late and finish a process are two examples of how operating costs are likely to increase when a company goes into overtime to make a product they anticipated making during a single shift.
Costs: 1,000,000.00

Increased Labor Costs
Definition: If the production staff has to stay overtime to produce the product, they are likely going to cost time and a half for the second shift they work. The result is the expected cost to produce the product being potentially 2.5 times higher than anticipated.
Costs: 0.00

Remediation Costs
Definition: If customers are lost, there will need to be an increased effort to regain sales from new accounts. This will cost additional resource time from all areas of the business, in particular marketing and sales. This may also entail startup costs after an interruption of service.
Costs: 0.00

Loss of Efficiency
Definition: Manual workarounds are obviously less efficient than using an automated system. When the workflow is temporarily slowed, staff become less effective and less efficient. This slowdown can be measured by the percentage of loss associated with their performance. Staff, whose operating cost is $1000 per hour, would incur a loss of $500 per hour if they lost 50% of their efficiency due to an interruption of service.
Costs: 2,000,000.00

Legal Fines, Late fees or Regulatory
Definition: Depending on the nature of the interruption and its impact outside your organization, legal costs could be a serious factor. For example, if a system that supports key regulatory data is down, or there is lateness to pay a vendor, the organization could incur costs related to fines or late fees.
Costs: 0.00

Total Dollar Impact 11,000,000.00


Weekly Revenue 120,365,384.62

Weekly Impact 9.14%

2. The total financial impact is shown beside its corresponding rating. This is the Business Impact rating for the Business Process. This rating has been
automatically exported to the "Business Impact" column on Sheet - Business Process Risk Quotient:

Weekly Impact Definition Rating Financial Impact

0% to 2.99% Negligible Impact 0.5

3% to 5.99% Insignificant Impact 1.0

6% to 9.99% Minor Impact 1.5 9.1%

10% to 12.99% Visible Impact 2.0 9.1%

13% to 19.99% Medium Impact 2.5

20% to 25.99% Moderate Impact 3.0

26% to 34.99% Significant Impact 3.5

35% to 49.99% High Impact 4.0

50% to 74.99% Major Impact 4.5

Over 75% Fundamental Impact 5.0


Business Process Impact Weightings

Purpose: Determines the weighted scoring of categories in the Vulnerability Worksheet. The categories represent the various areas of impact to the business if a risk were to materialize.
Instructions: Type in new weightings in the areas shaded in gray. Base these numbers on the specific context of the business process impact on the defined category.
Outputs: New weightings are automatically updated in the Vulnerability Worksheet.

Assessed Weighting Default Weight

1 Strategy 20.00% 14.30%


2 Operational 25.00% 14.30%
3 Regulatory 20.00% 14.30%
4 Financial 15.00% 14.30%
5 Image/Reputation 5.00% 14.30%
6 Interface 10.00% 14.30%
7 Security 5.00% 14.30%
Total 100% 100%
Business Process Vulnerability

Instructions and Definitions


Weight: Represents the percentage of each question as a portion of the category total. Each category has its own weight in relation to the Questionnaire's overall score.

Score: This tool calculates weighting and scoring automatically. Refer to the bottom of each category (shaded in gray) to view your score for that area.
Questions: Carefully read the questions in each category. Answer each to the best of your ability.
Responses: To answer the questions, click once on the corresponding Response cell on the arrow and select an answer from the drop-down menu. "Yes" answers add to
your mark in the "Score" column. "No" answers will generate a score expressed as a percentage, which increases the business process vulnerability assessment. "N/A"
answers (not applicable) are discounted from the audit, and the "Weight" column will automatically adjust to reflect their omission.

Comments: Enter your own comments, qualifications, observations, or any additional notes you have to make regarding particular questions or categories.
Results: Look under Final Score at the end of this spreadsheet (shaded in yellow) to view your total score for all categories.
Analysis: Consult the Ranking Chart at the end of the Questionnaire to determine what your scores mean. The lower your score, the lower the vulnerability of the Business
Process and consequently high scores represent higher vulnerability of the business process.

Weight Categories

1. Strategic
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 0.0% Can the company 100% avoid deviating from current performance despite 1 week of business process downtime? Yes 1 0 0
2 20.0% 0.0% Can the function 100% avoid deviating from current performance despite 1 week of business process downtime? Yes 1 0 0
3 20.0% 20.0% Can 100% of strategic objectives, projects or programs remain unchanged despite 1 week of business process downtime? No 0 0 1
4 20.0% 20.0% Would other corporate functions, units or processes be able to 100% achieve their strategic objectives despite 1 week of business process downtime? No 0 0 1
5 20.0% 0.0% Would short-term strategic decision-making be possible despite 24 hours of system downtime? Yes 1 0 0
Total 100.0% 40.0%
Category Weight 20.0% 8.0%
Vulnerability Quotient 2.00

2. Operational
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 20.0% Can the business process continue to operate at 100% effectiveness during one week without Information Systems? No 0 0 1
2 20.0% 0.0% Are staff trained in supporting the business process without the support of Information Systems? Yes 1 0 0
3 20.0% 20.0% Are documented procedures in place for operating the business process in "manual mode"? No 0 0 1
4 20.0% 20.0% Can the process avoid requiring an increase in resources (i.e. human) when operating in manual mode? No 0 0 1
5 20.0% 20.0% Could operations of other corporate functions or business processes remain unaffected despite 24 hours of business process downtime? No 0 0 1
Total 100.0% 80.0%
Category Weight 25.0% 20.0%
Vulnerability Quotient 4.00

3. Regulatory
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 20.0% Would the company be able to 100% avoid directly impacting Financial Reporting/Regulations (i.e. SOX) despite 1 week business process downtime? No 0 0 1
2 20.0% 0.0% Would the company be able to 100% avoid directly impacting Manufacturing/production regulations despite 1 week of business process downtime? Yes 1 0 0
3 20.0% 20.0% Would 100% accurate reporting to regulatory authorities be able to continue without the support of information systems? No 0 0 1
4 20.0% 20.0% Is key regulatory evidence still 100% available without information system support (i.e. is there a paper trail at all times)? No 0 0 1
5 20.0% 20.0% Is regulatory reporting possible without the support of information systems? No 0 0 1
Total 100.0% 80.0%
Category Weight 20.0% 16.0%
Vulnerability Quotient 4.00

4. Financial
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 20.0% Can the company 100% avoid incurring additional expenses despite 1 week of business process downtime? No 0 0 1
2 20.0% 0.0% Can the pace of sales continue despite 1 week of business process downtime? Yes 1 0 0
3 20.0% 20.0% Would fixed costs remain 100% constant despite business process downtime for 1 week? No 0 0 1
4 20.0% 0.0% Can the company avoid 100% incurring lateness fees, or fines despite support of information systems for one week? Yes 1 0 0
5 20.0% 0.0% Would the company be able to 100% achieve its financial objectives despite 1 week of business process downtime? Yes 1 0 0
Total 100.0% 40.0%
Category Weight 15.0% 6.0%
Vulnerability Quotient 2.00

5. Image/Reputation
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 0.0% Can the company 100% avoid public scrutiny/embarrassment despite 1 week of business process downtime? Yes 1 0 0
2 20.0% 0.0% Would the company be able to 100% avoid media interest in the business process downtime for one week? Yes 1 0 0
3 20.0% 0.0% Can the company avoid 100% affecting investor perception despite 1 week business process downtime? Yes 1 0 0
4 20.0% 20.0% Can the company avoid 100% affecting customer perception (internal/external) despite 1 week of business process downtime? No 0 0 1
5 20.0% 20.0% Can the company avoid 100% affecting vendor perception/relations (internal/external) despite 1 week of business process downtime? No 0 0 1
Total 100.0% 40.0%
Category Weight 5.0% 2.0%
Vulnerability Quotient 2.00

6. Interfaces
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 20.0% Can negatively impacting other business processes be 100% avoided despite 1 week of business process downtime? No 0 0 1
2 20.0% 20.0% Can the process interdependencies (internal and external to the business unit) continue at 100% without the support of information systems? No 0 0 1
3 20.0% 20.0% Can the business process continue to function with key vendors at 100% despite 1 week of business process downtime? No 0 0 1
4 20.0% 20.0% Can the business process continue to function with key customers (internal/external) at 100% despite 1 week of business process downtime? No 0 0 1
5 20.0% 20.0% Have all interfaces with other business processes, vendors and customers been mapped and documented? No 0 0 1
Total 100.0% 100.0%
Category Weight 10.0% 10.0%
Vulnerability Quotient 5.00

7. Security
Question # Weight Score Question Response Yes N/A No Comments
1 20.0% 20.0% Can data integrity be 100% ensured despite 1 week of information system downtime? (i.e. someone tampering with data) No 0 0 1
2 20.0% 20.0% Can the business process afford to experience data loss? No 0 0 1
3 20.0% 20.0% Can data confidentiality be 100% ensured during 1 week of system downtime? (i.e. unauthorized consultation of data) No 0 0 1
4 20.0% 0.0% Has critical business data been identified and categorized? Yes 1 0 0
5 20.0% 0.0% Are key security measures documented and available to staff for operating during system downtime? Yes 1 0 0
Total 100.0% 60.0%
Category Weight 5.0% 3.0%
Vulnerability Quotient 3.00

Final Score

All Categories 65.0%


Average Quotient (out of 5) 3.3

Range Explanation
5 Vulnerability Rating is Tremendous
4.0 - 4.9 Vulnerability Rating is Critical
3.0 - 3.9 Vulnerability Rating is High
2.0 - 2.9 Vulnerability Rating is Medium
1.0 - 1.9 Vulnerability Rating is Low
0.0 - 0.9 Vulnerability Rating is Negligible

Risk Likelihood and Threats

Purpose: Determines the likelihood of a threat materializing within specific timeframes on the Merck Data Center(s).
Instructions: Nothing to do, as likelihood is established based on available information. The likelihood can change over time as new information becomes available, or data sources change.
Outputs: Percentages are automatically exported into the "Probability" column of Sheet 5 - Business Risk Quotient.

Risk Likelihood Criteria Score Likelihood


Probable Risk exposure that has a greater chance of materializing than not in the next 12-24 months. 4 75%
Possible Risk exposure that has less chance of materializing than not in the next 12-24 months. 3 38%
Moderate Risk exposure that has a lower chance of materializing in the next 12-24 months. 2 18%
Unlikely Risk exposure that exists but has an unlikely chance of materializing in the next 12-24 months. 1 8%
Rare Risk exposure with virtually no chance of materializing in the next 12-24 months. 0 3%

Threat Description

People - Non Intentional (38.0%)
Organization or planning error
Incorrect or unclear process description
Work overload, panic, psychological problems
Strike
Negligence, disregard, disinterest
Disrespect of defined policies and SOPs

People - Intentional (75.0%)
Robbery
Sabotage/Vandalism
Threatening, blackmail, harassment
Economic or IT Crime, Virus/Trojan, Social Engineering

Technical Failure (38.0%)
Default/Obsolescence
Infrastructure (electric, power, water, gas, etc.)
Technical problem

Environmental (3.0%)
Storm, Tornado, Lightning
Flood, Fire
Earthquake

Organizational (38.0%)
Lack of policies & procedures
Lack of clear responsibilities
Massive change/transformation

Neighborhood (8.0%)
Disaster in the neighborhood
Demonstration, political trouble, terrorism, war

Business Process Risk Quotient

Purpose: Uses the Business Impact, Vulnerability, and Probability to establish a Business Risk Quotient for the Business Process.
Instructions: No intervention required. Outputs from Sheets 1, 3, and 4 automatically calculate the Business Risk Quotient. Any negative numbers are represented as zero.
Outputs: Business Risk Quotient numbers represent the Current State, which is then exported to the Global Questionnaire Results Sheet.

BRQ = (Business Impact + [Vulnerability x Probability]) / 2

Risk Threat Business Impact Vulnerability Probability BRQ
1. People - Non Intentional 1.5 3.3 38.0% 1.4
2. People - Intentional 1.5 3.3 75.0% 2.0
3. Technical Failure 1.5 3.3 38.0% 1.4
4. Environmental 1.5 3.3 3.0% 0.8
5. Organizational 1.5 3.3 38.0% 1.4
6. Neighborhood 1.5 3.3 8.0% 0.9

Avg. BRQ Score 1.3
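
Added example (not part of the original worksheet): a Python recomputation of the chain from questionnaire answers to BRQ, using the figures shown in the sheets above. The function names, the treatment of a category with no applicable questions, and the rating at exactly 75% are assumptions, and the unrounded vulnerability (3.25) is used where the sheet displays 3.3.

```python
# Rating bands from the "Weekly Impact" table: (upper bound in %, rating).
IMPACT_BANDS = [(3, 0.5), (6, 1.0), (10, 1.5), (13, 2.0), (20, 2.5),
                (26, 3.0), (35, 3.5), (50, 4.0), (75, 4.5)]

def business_impact_rating(total_impact, weekly_revenue):
    """Map one week of loss, as a share of weekly revenue, to a 0.5-5.0 rating."""
    if weekly_revenue <= 0:
        raise ValueError("weekly revenue must be positive")
    pct = 100.0 * total_impact / weekly_revenue
    for upper, rating in IMPACT_BANDS:
        if pct < upper:
            return rating
    return 5.0  # "Over 75%"; exactly 75% is placed here as an assumption

def category_score(responses):
    """Share of "No" answers among applicable questions. "N/A" answers are
    dropped, which rescales the equal weights of the remaining questions."""
    applicable = [r for r in responses if r != "N/A"]
    if not applicable:
        return None  # nothing to score in this category
    return sum(r == "No" for r in applicable) / len(applicable)

def vulnerability_quotient(weights, answers):
    """Category-weighted "No" share, scaled to the 0-5 quotient."""
    scored = {c: category_score(a) for c, a in answers.items()}
    # Assumption: a category with no applicable questions is left out and
    # the remaining category weights are rescaled to sum to 100%.
    scored = {c: s for c, s in scored.items() if s is not None}
    total_weight = sum(weights[c] for c in scored)
    if total_weight == 0:
        return 0.0
    return 5.0 * sum(weights[c] * s for c, s in scored.items()) / total_weight

def brq(impact, vulnerability, probability):
    """(Business Impact + [Vulnerability x Probability]) / 2, floored at zero."""
    return max(0.0, (impact + vulnerability * probability) / 2)

# Inputs copied from the sheets above.
WEIGHTS = {"Strategic": 0.20, "Operational": 0.25, "Regulatory": 0.20,
           "Financial": 0.15, "Image/Reputation": 0.05,
           "Interfaces": 0.10, "Security": 0.05}
Y, N = "Yes", "No"
ANSWERS = {
    "Strategic": [Y, Y, N, N, Y], "Operational": [N, Y, N, N, N],
    "Regulatory": [N, Y, N, N, N], "Financial": [N, Y, N, Y, Y],
    "Image/Reputation": [Y, Y, Y, N, N], "Interfaces": [N, N, N, N, N],
    "Security": [N, N, N, Y, Y],
}
LIKELIHOOD = {"People - Non Intentional": 0.38, "People - Intentional": 0.75,
              "Technical Failure": 0.38, "Environmental": 0.03,
              "Organizational": 0.38, "Neighborhood": 0.08}

def worksheet_brq():
    """BRQ per threat for the worked figures in this document."""
    impact = business_impact_rating(11_000_000.00, 120_365_384.62)
    vuln = vulnerability_quotient(WEIGHTS, ANSWERS)
    return {t: brq(impact, vuln, p) for t, p in LIKELIHOOD.items()}

if __name__ == "__main__":
    for threat, score in worksheet_brq().items():
        print(f"{threat:26s} {score:.1f}")
```

Changing one response to "N/A" in `ANSWERS` shows how the per-question weights rescale and how that shift carries through to every threat's BRQ.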


Accepted
Received

Booked
Sent
Application/Module Corporate Function IT Service Business Process Business Contact Status
Networks ALL Information sharing and storage (WAN, LAN, VPN) IT
Security FW ALL Protection of Information Systems IT
Lotus Domino ALL Electronic Communication IT
Citrix ALL Application Hosting & Access IT
MySerono.com ALL Remote Connectivity to Critical Applications IT
Myserono Communications Internal Communication & Information Sharing/Access Internal Communications Gillian Perini x x x x Complete
Tridion Communications Web Content Management Web Publishing Gillian Perini x x x x Complete
Serono.com Communications External Communications External Communications Gillian Perini x x x x Complete
Hyperion Enterprise Finance Financial Consolidation Financial Reporting & Planning Alban deCourville x x x x Complete
Costing & Inventory Reporting Marc Quaroni x x x x Complete
Consolidation Valerie Mandica NA - Move of Function
TMS (Integrity) Finance Cash Management Treasury Management Tearaboth Te x x x x Complete
Oracle eBusiness Human Resources (HRMS) Employee Management Employee Data Management Nicolas Gex x x Declined
Swiss Payroll Veronique Stofer x x No Answer
Finance (OF) Logistic & Finance Management Affiliates Orders to Cash Gerwin van Harskamp/Didier Weerts x x x x Complete
Purchase to Pay (Purchasing) Roland Verdon x x x x Complete
GL & Accounting Bruno Pioletti x x x x Complete
Manufacturing (OPM) Process Manufacturing Management Distribution Orders to Cash Jacques Dysli x x x x Complete
Purchasing Nazario Diaz x x x x Complete
Production Planning Armand Villadoniga x x x x Complete
Inventory Management Pascal Henri x x x x Complete
Quality Control Carlos Herrero x x x x Complete
Costing & Analysis Gareth Williams x x x x Complete
Product Catalogue Tom Austin x x x x Complete
Siebel Marketing & Sales CRM & Sales Force Effectiveness Call Center Julie Morin x x x x Complete
CRM Frederique Beguin x x x x Complete
Manugistics Manufacturing Demand & Planning Management/Supply Chain Sales Forecasting Arnaud Zuber x x x x Complete
Distribution Requirement & Master Production Planning Didier Dayen x x x x Complete
Labeling Manufacturing Label Printing Printing of Labels Pascal Henri x x x x Complete
ARISg Clinical Safety Reporting Adverse Drug Effect Reporting Alain Micaleff x x x x Complete
Crystal Corporate Strategic Planning R&D Report & Protocol Approval R&D Report & Protocol Approval Claudia Cecalupo x x x x Complete
WWPresto Regulatory Affairs Regulatory Submissions Regulatory Submission File Management Philippe Berclaz x x x x Complete
