04-04-2025 08:57 AM
Dear Community,
recently I had a case where the business organization is such that one company provides IT applications to multiple consuming companies, who then provide their own set of services to their own end users. Those consuming companies are the business users and as such need to provide BIA assessments each year for the business applications they are consuming. The problem is that there are multiple consuming companies, but there is just one business app, so if the BIAs have different values in them, how do we reconcile this to the app, which is just one? So my specific questions are:
1. Is it possible to send multiple BIA assessments for the same business app?
2. If yes, would there be a way to aggregate the different scores into unique RTO/RPO values and Confidentiality, Integrity, Availability values?
3. If no, please share some recommended workarounds!
Many thanks in advance!
04-07-2025 03:20 AM
@Iva Dincheva the newest version of BCM allows you to use smart assessments for BIAs, which can trigger as many assessments as you want against a single BIA. You can then build your own flow to take the results and calculate the RTO/RPO values.
However, what would be suggested is to create a Business Service to represent the service provided to each company and then a Business Service Offering for each instance of the Business Service being provided to each company. That way a BIA can be performed on each Business Service Offering (so you can capture the individual RTOs and capture dependencies to be used in ITSM and other areas). As part of this you can also capture the Business applications the Service Offering may depend on (as it may require multiple applications to deliver the service). You can then use this to auto calculate the business application's RTO. This approach is more aligned to the CSDM.
04-07-2025 07:43 AM
Many thanks, Connor! This helps, and we are indeed planning to create individual BSOs, but what worries me is that those multiple BSOs are normally dependent on one and the same business app/app service instance (we have a product-centric CSDM), and so if we have multiple RTO/RPO values coming from the multiple assessments, there will be a mismatch between what is expected (by consuming companies) and what is delivered (by the provider companies) as a service, unless the business app/app service is always configured with the highest parameters (which might not always be possible for a given app, plus it creates a cost problem). If you have any thoughts on that, please let me know, thanks again!
04-07-2025 07:52 AM
@Iva Dincheva glad I was able to help! Just to add, having multiple BSOs depending on a single business app/app service instance isn't an issue. This approach will help you see where there are RTO gaps.
For example, BSO 1 might need a recovery time of 4 hours and BSO 2 may only need 8 hours, but the business application RTO is 6. You can now report on where there are gaps, such as the Business app not being able to meet BSO 1's RTO, so you can work to get the Business app's RTO down to 4 to meet the requirement. This can also be really helpful for Application owners to make the case for investment to improve their RTO times, as generally this can take a fair bit of investment to reduce. Splitting it out like this also allows you to make the business decision to accept the risk and not reduce the RTO, as BSO 1 might be a very small amount of revenue while BSO 2 is a large revenue source.
04-08-2025 12:38 PM
Thanks again, @Connor Levien. This really put my mind at ease! There needs to be a process on both the demand and supply sides to manage the discrepancy, but this makes sense. Much appreciated!