0% found this document useful (0 votes)

60 views

GEMB BIA Report 1.0

Uploaded by

Xavi Milan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOC, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

60 views

GEMB BIA Report 1.0

Uploaded by

Xavi Milan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOC, PDF, TXT or read online on Scribd

You are on page 1/ 51

Hewlett-Packard Company

Business Impact Analysis

Report for GEMB

Prepared by: R.P. Draper FBCI

Pentire Solutions Ltd

Project Document Id: BIA Report

Date Prepared: 10th June, 2010
BIA Report
Project ID No.:

Document Information
Project Name: Business Impact Analysis
Prepared By: R.P. Draper FBCI Document Version No: 1.0
Title: Senior Consultant Document Version Date: 10th June, 2010
Reviewed By: Review Date:

Distribution List
From Date Phone/Fax/Email
R.P. Draper 10th June, 2010 bob.draper@pentire.co.uk

To Action* Due Date Phone/Fax/Email

Martin Koch GEMB Action martin.koch@ge.com
Bill Crichton Inform bill.crichton@hp.com
Tomas Nilsson Inform tomas.nilsson@hp.com

* Action Types: Approve, Review, Inform, File, Action Required, Attend Meeting, Other (please specify)

Version History
Ver. No. Ver. Date Revised By Description Reviewer Status
th
1.0 10 June, 2010 RPD BIA Report RPD Completed

HP Global Method HP Restricted Page 2 of 51

Document Version: 1.0 / 10th June, 2010 © Copyright 2021 Hewlett-Packard Development Company, L.P. 519323168.doc
Project Document Id: BIA Report Valid agreement required. Last changed: 19/04/2021 at 10:05 AM
BIA Report
Project ID No.:

Table of Contents
Proprietary Notice.............................................................................................................................................. 4
Executive Summary........................................................................................................................................... 5
1 Introduction And Scope............................................................................................................................. 5
2 Summary of Key Findings......................................................................................................................... 6
3 Summary of Main Recommendations...................................................................................................... 7
BIA Report.......................................................................................................................................................... 8
1 Introduction................................................................................................................................................ 8
2 Acknowledgements.................................................................................................................................... 9
3 Scope, Objectives and Approach............................................................................................................. 9
4 Business Impact Analysis....................................................................................................................... 10
5 Outage Tolerance and Recovery Timescales........................................................................................ 12
6 Outage Impacts........................................................................................................................................ 12
7 Overall Criticality Rating.......................................................................................................................... 12
8 Priorities.................................................................................................................................................... 13
9 Systems / Applications Requirements................................................................................................... 14
10 Critical Data.............................................................................................................................................. 18
11 Critical Staff by Department.................................................................................................................... 18
12 Financial Impact(s)................................................................................................................................... 19
13 Impact Upon Reputation / Image............................................................................................................. 19
14 Critical Documentation............................................................................................................................ 19
15 Comments / Observations....................................................................................................................... 20
16 Recommended Actions........................................................................................................................... 24
Appendix A BIA Participants...................................................................................................................... 25
Appendix B Business Areas included in the BIA......................................................................................27
Appendix C Critical Business Areas Ranked by Recovery Timescales and Outage Tolerances.........28
Appendix D Critical Business Areas Ranked by Potential Impact(s)......................................................32
Appendix E Overall Criticality of Business Areas....................................................................................36
Appendix F Critical IT Applications by Time Scale..................................................................................37
Appendix G HP Servers............................................................................................................................... 43
Appendix H Information Collection Questionnaire (for reference)................................................................52

HP Global Method HP Restricted Page 3 of 51

Project Document Id: BIA Report © Copyright 2021 Hewlett-Packard Development Company, L.P. 519323168.doc
Valid agreement required. Last changed: 19/04/2021 at 10:05 AM
BIA Report
Project ID No.:

Proprietary Notice
No part of this document (including any designs) may be reproduced in any form, published, broadcast or
transmitted or have an adaptation made of it, except with the prior written permission of Hewlett-Packard
Company to parties outside of GE Money Bank.

Hewlett Packard makes no warranty of any kind concerning this document, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose. Hewlett Packard shall not be liable for
errors contained herein or direct indirect, special incidental or consequential damages concerning the
furnishing, performance, or use of this material.

© Copyright 2010 Hewlett-Packard Company

HP Global Method HP Restricted Page 4 of 51

Document Version: 1.0 / 10/06/2010 © Copyright 2021 Hewlett-Packard Development Company, L.P. 519323168.doc
Project Document Id: BIA Report Valid agreement required. Last changed: 19/04/2021 at 10:05 AM
BIA Report
Project ID No.:

Executive Summary

1 Introduction And Scope

GE Money Bank (GEMB) has outsourced IT operations in Sweden, Norway and Denmark to Hewlett-
Packard (HP). It has been recognised that, although IT Service Continuity had not been included in
the development of the transformation of the IT infrastructure to HP, there is a need to have this
provision in place in the event of a disruption to HP’s services supporting the GEMB Nordic business
operations
In order to identify recovery requirements, GEMB initiated a Business Impact Analysis (BIA) project
with the objective to define the recovery requirements and priorities of the three Nordic Region
countries. Due to resourcing constraints within HP in the timescales required by GEMB, HP engaged
Pentire Solutions Ltd, a UK-based partner company, to carry out the BIA.
The primary purpose of the BIA review has been to identify the critical business functions / processes
in each of the countries and, for each, to establish :
• the main IT systems / applications supporting the business function / process
• the Recovery Time Objective (RTO), defined as the time within which a minimum level of
business function must be active.
• the Recovery Point Objective (RPO), defined as the maximum tolerable data loss that can be
sustained in order to provide an acceptable level of service / functionality.
• the IT recovery requirements over time
• vital records / data required for recovery
Using the information obtained in the BIA, it has also been possible to identify the Maximum
Tolerable Outage (MTO) for each participating business area. This is defined as the time after which
there will be severe impact(s) upon the local, regional or global business operation, from which it may
be difficult to recover with any degree of success.
The BIA was conducted by Bob Draper FBCI. The information collection was carried out between
17th June and 4th July, 2010. Information was gathered via questionnaire and interviews with client-
selected personnel. The business functions / processes that were covered by the BIA in each country
were selected by local management.
The results were validated by on-site meetings with key function / process personnel in Norway and
Sweden. There was a “close-out” / summary meeting in each country to present the local outcomes
to each country’s management team at the end of each stage of the BIA process. The responses for
the Danish business operation were submitted by the local co-ordinator; there were no validation
meetings with the business functions. The outcomes from each country were also reviewed, in
outline, with the GEMB project lead, Martin Koch.
The full BIA report provides information related to the criticality of business functions / processes in
each country and provides, primarily, information about the Recovery Time Objectives (RTOs) and
Recovery Point Objectives (RPOs). The report also provides information regarding the potential
financial, operational and reputational impacts of disruption to business operations. By its nature, the
BIA included review of preparedness for disruption and GEMB’s Business Continuity Management
(BCM) strategies; the report also makes recommendations for ensuring the strategy and recovery
solutions meet the requirements of the business.
An additional benefit arising from the review is that it has presented GEMB with the base-line
information for further development of its Business Continuity Management strategy and planning for
the region. The internal co-ordinators for each country have retained copies of the validated
responses from each participating business area for use in future business continuity development.

HP Global Method HP Restricted Page 5 of 51

2 Summary of Key Findings

The following points summarise the key conclusions of this review. A more comprehensive, detailed,
list of the review findings is included in the main body of the BIA report.
 As stated in the introduction, there are currently no provisions for recovery / continuity of the IT
services that are hosted by HP and which support GEMB’s Nordic business operations.
 As might be expected, the review has shown that the most critical business functions and
processes in each country are those that are directly customer facing. A failure, or severe
disruption, of the functions or processes ranked as being the five most important in each country
would have an effect upon business operations either immediately or within less than one day.
 The five most critical functions or processes per country were identified as those shown in the
following tables.
The table columns are :
Overall Criticality Rating : The ranking of the business area in the scoring applied to responses
received from respondents and validated by meetings / discussions.
RPO : Recovery Point Objective : The maximum tolerable data loss.
MTO : Maximum Tolerable Outage
Operational Impact : The timescale in which disruption or failure will have a significant impact
upon GEMB business operations
Denmark
Overall
Op.
Function / Process Criticality RPO MTO
Impact
Rating
Operations - Authorization Processing 97.00 1 Hour Zero Immediate
Risk - Risk Origination - Scorecard 74.28 1 Day < 1 Day Immediate
Collection - Early Collection 71.33 < 1 Day < 1 Day < 1 Day
Operations - Origination 70.92 3 Days < 1 Day Immediate
Operations – Customer Service - Customer support 63.45 3 Days 3 Days < 1 Day

Norway
Overall
Op.
Function / Process Criticality RPO MTO
Impact
Rating
Originate 89.50 1 Hour < 1 Day Immediate
Collections 88.17 < 1 Day 1 Day Immediate
Marketing 86.73 < 1 Day < 1 day Immediate
Customer Service 73.88 < 1 Day 3 Days Immediate
IT 73.05 3 Days Zero Immediate

Sweden
Overall
Op.
Function / Process Criticality RPO MTO
Impact
Rating
Operations 100.23 1 Hour < 1 Day Immediate
B2B Sales / Instore Origination Process 92.73 1 Hour < 1 Day Immediate
Marketing & Consumer Sales/ DTC Acquisition 92.73 1 Hour < 1 Day Immediate
Underwriting (NBSM process) 85.30 < 1 Day < 1 Day Immediate
IT 74.52 3 Days 1 Day Immediate

Note : The ranking scores shown are the figures used in the analysis process to assess criticality. It must be noted that
they are not intended to be used as a comparison to any standards, best practices or regulatory requirements

HP Global Method HP Restricted Page 6 of 51

 For the majority of these areas, the maximum tolerable outage is less than one day. For the
processes in this top five ranking that show a longer tolerance to outage, it has been agreed that
this is probably due to information submitted in the review response.
 The participating business areas’ perception of the business Recovery Time Objectives (i.e. the
time in which a minimum acceptable level of operation should be restored - RTO) for IT systems
range from virtually zero to longer than one week, the latter being predominantly in “back office”
or support functions. If the selected recovery solutions cannot meet the perceived business
requirements for critical functions or processes, a program to develop and maintain manual
fallback procedures should be considered.
 The IT Recovery Time Objective for the systems supporting critical functions or processes
identified as critical was agreed as being the same as the application recovery timescales
(between “less than one day” and twenty four hours)
 The review highlighted a potential exposure to effective recovery as a consequence of the current
back-up cycles. Where there is a stated Recovery Point Objective (RPO) of less than one day,
but the stated current data back up cycles are daily, there is a high probability that the loss of
transactions / data will be greater than has been stated as tolerable in the event of a failure of
the systems supporting that business function
 Business Continuity Planning (BCP) awareness is high, and all respondents and meeting
attendees appreciate the need for improvement to the current situation (no current plan in place /
no work area recovery). At the time of the review, there were no resources specifically allocated
to implement and maintain a full Nordic business continuity programme, although in discussions,
it was indicated that this would be given future priority.
 It was noted that few functions have adequate, formally documented, manual fallback or “work-
around” procedures that could be implemented in an incident / emergency that might result in IT
services being unavailable, thereby increasing the perceived dependency upon IT. This, in turn,
increases the necessity to recover IT systems within a very short time following an incident that
might cause their failure.
 It must be noted that the recovery of IT systems has been reviewed on an “all or nothing” basis,
meaning that an application, and its associated data, would be recovered completely in the
timeframe required. Therefore, recovery does not have to be repeated for any requirement for
the system, application or data shown as a requirement for a function or process at a later time.
This will allow flexibility when considering priorities of recovery of business operations after the
initial restore of critical functions / processes, as identified in this review.

3 Summary of Main Recommendations

GEMB should request HP to provide a proposal for an IT Disaster Recovery Solution to cater for the
potential loss of IT services for the critical systems and applications in each country. This proposal
should meet the perceived business requirements (i.e. within twelve hours or one day). Alternative
solutions should also be presented to show the costs of recovery within 24 and 36 hours. The
solution(s) should also take consideration of the Recovery Point Objectives as identified by the
business areas. This may involve changes to back-up procedures.
GEMB should review the proposed solutions. If the primary solution is not considered acceptable
(e.g. for reasons of cost), GEMB should review the business areas’ Recovery Time and Recovery
Point Objectives to adjust requirements to meet the most acceptable recovery solution.
GEMB and HP should implement the most suitable solution and procedures as soon as possible.
GEMB should implement a programme to develop a regional standard Business Continuity
Management Strategy, with appropriate levels of planning. This may be in the form of a regional plan
with sections for each country, or separate plans for each location. Plans should also include local
(country) escalation of incident / problem management to regional and then to corporate
management levels.

HP Global Method HP Restricted Page 7 of 51

BIA Report
1 Introduction
As one of the world’s largest retailer finance program providers, GE Money prides itself on being able
to deliver fast, dependable financial solutions to consumers, businesses and merchants. GE Money
has more than 130 million customers in 55 countries around the world.
GE Money Bank (GEMB) has outsourced IT Operations in Sweden, Norway and Denmark to
Hewlett-Packard (HP). IT Service Continuity had not been included in the development of the
transformation of the IT infrastructure to HP and, as the transformation progressed, GEMB became
aware of the need to complement the IT Infrastructure solution with IT Disaster Recovery (DR)
measures sufficient to meet business and regulatory requirements.
GEMB and HP discussed various possible DR solutions and reached a common understanding that
accurate DR requirements, expressed in terms of Recovery Time Objectives (RTO) and Recovery
Point Objectives (RPO) should be defined for GEMB’s critical IT systems in order to design and
implement cost effective DR solutions.
GEMB, therefore, initiated a Business Impact Analysis (BIA) project with the objective to define the
business requirements for IT disaster recovery in the three Nordic Region countries of Denmark,
Norway and Sweden. Due to resourcing constraints within HP in the timescales required by GEMB,
HP engaged Pentire Solutions Ltd, a UK-based partner company, to carry out the BIA.
The primary purpose of the BIA was to identify the critical business functions / processes in each of
the Nordic Region countries, and for each :
• the main systems / applications supporting the activity
• the Recovery Time Objective (RTO). This is defined as the time within which a minimum level
of function / service must be operational.
• the Recovery Point Objective (RPO). This is defined as the maximum tolerable data loss that
can be sustained in order to provide an acceptable level of service / functionality.
• the IT recovery requirements over time
• vital records / data required for recovery
Using the information obtained in the BIA, it is also possible to identify the Maximum Tolerable
Outage (MTO) for each participating business area. This is defined as the time, after which, there
will be severe impact(s) upon the local, regional or global business operation, from which it may be
difficult to recover with any degree of success.
The BIA information collection process was conducted by Bob Draper FBCI between 17 th June and
4th July, 2010. Information was gathered via questionnaire and interviews with client-selected
personnel. The business functions / processes that were covered by the BIA were selected by each
country. The results were validated by meetings with key function / process personnel in Norway
and Sweden; the responses for the Danish business operation were submitted by the local co-
ordinator; there were no validation meetings with the business functions in Denmark. There was a
close-out / summary meeting to present the local outcomes to each country’s management team at
the end of each stage of the BIA process. The outcomes from each country were also reviewed with
the GEMB project lead, Martin Koch.
This document summarises the findings from the BIA in each of the three countries covered by the
project. It presents information relating to the relative criticality of business functions / processes in
each country and provides, primarily, information about the Recovery Time Objectives (RTOs) and
Recovery Point Objectives (RPOs), with information regarding the potential financial, operational and
reputational impacts of disruption to business operations. The report also considers GEMB’s
Business Continuity Management (BCM) strategies and makes recommendations for ensuring the
strategy and recovery solutions meet the requirements of the business.

HP Global Method HP Restricted Page 8 of 51

2 Acknowledgements
The author would like to take this opportunity to thank all GEMB participants and contributors to the
BIA process - a list can be found in Appendix A – who gave their time and responded positively to
requests for information, and in particular those personnel in each country who co-ordinated this
effort and for their hospitality.

3 Scope, Objectives and Approach

3.1 Scope
The BIA was carried out on functions / processes in Denmark, Norway and Sweden that were
identified as critical to each country’s business operation by local management. An overview of
departments/functions that participated in the review is in Appendix B.
The functions / processes selected for inclusion by each country differed (see 3.3 below), making
direct comparison of functions across the region more complex than had there been a direct
requirement from GEMB Nordic management for a standard approach. It was agreed that the BIA
report would be not compare functions / processes across the three countries.
Not in scope:
 Any GEMB location, business function or process that was not designated as a participating unit
in the BIA by GEMB management . Review discussions identified that there may be functions or
processes that were not included in the BIA review which may be considered critical. For
example, in Sweden, it was noted that the Operations fraud monitoring and the bank transfer
payments processes were not included.

3.2 Objectives
 Identify critical business functions and supporting systems
 Identify Recovery Time and Recovery Point Objectives (RTO and RPO)
 Summarise recovery requirements over time (people, facilities, IT)
 Identify vital records required for recovery
 Produce BIA report

3.3 Approach

Due to timescales imposed upon the project, there was no opportunity to develop a GEMB-specific
information collection questionnaire. It was agreed with GEMB that an adaptation of a suitable
“generic” document would be used to collect the required information. A copy of the information
collection questionnaire is included in Appendix H. With hindsight, it has been recognised that this
has had the additional benefit of obtaining valuable baseline information relating to the status of
business continuity planning in the region. The findings of this BIA report include comment /
recommendations on this subject.
Information was gathered from key personnel from each business area via responses to the BIA
questionnaire that was supplied to them via the designated co-ordinators in each of the there GE
business units.
As stated above, the business functions / processes to be included in the project were selected by
each country. There were also differences in the method of validation of responses.

HP Global Method HP Restricted Page 9 of 51

In Norway and Sweden, requested information was obtained from respondents in the selected
business areas and on-site validation meetings were held with each participating business function or
process. Danish management decided that all responses should be collated by the local co-ordinator
and that individual meetings with business function or process personnel would not be applicable.
In the on-site validation meetings to review responses, when assessing impacts, the interviewees
were asked to assume the worst possible scenario striking at the worst possible time (month-end,
year-end, payroll etc.).
The validation process was, in all three countries, concluded by a presentation to local management
of the initial findings of the BIA for that country’s functions or processes. Due to reasons of
availability and logistics, the close-out meetings for Norway and Denmark were conducted remotely,
via conference link, from the UK. In Sweden, the originally planned on-site meeting took place. For
each country, a PowerPoint presentation was prepared and presented. This included tables showing
the relative ranking of each function / process in each country in terms of outage tolerances and
criticality. The GEMB project lead retained copies of each meeting’s material.
In terms of participation, the approach taken by each country was :
• Denmark : Nine responses : Business processes, based upon the outcomes of previous internal
review of criticality
• Norway : Ten responses : seven business functions with responses from the three main
processes in Operations
• Sweden : Fifteen responses : Business processes (Operations : one response)
A list of the participating business functions / processes in each country is shown in Appendix B.
The findings of the review across the three countries have been consolidated into this single report,
on the basis that the outcomes have been validated for each one. It is this validated impact analysis
and IT systems information that is contained in this report.
The completed responses have been retained by the local co-ordinators. They must not be regarded
as a formal part of, or appendices to, this report.

4 Business Impact Analysis

4.1 Purpose
A Business Impact Analysis (BIA) identifies those parts of a business whose loss has the potential for
significant impact, threat to the company’s reputation or cause of internal disruption. It also identifies
the various resources needed to recover essential business functions. In this instance, the outcomes
are intended to be used to develop suitable IT Disaster Recovery solution(s) for GEMB’s Nordic
region business. However, this information that has been collected can be used as the basis for
identifying an appropriate Business Continuity Management Strategy for the region and / or each
business unit.
4.2 General Observations
IT operations for the Nordic region (Denmark, Norway and Sweden) have been outsourced to HP,
but, to date, there has been no provision of any IT disaster recovery within this service. Although the
primary purpose of this BIA was to identify the criticality of business functions or processes, and their
recovery requirements (applications, infrastructure and timescales), the information collected has
also shown that current readiness to respond to, and continue business operations through and
beyond an incident that might cause severe disruption to them, is limited. It is understood that there
is a corporate BC programme, although the BIA showed little, or no, evidence of it being
implemented across the critical business areas in the countries involved. As a result of the
responses to the BIA and the validation meetings, BCP awareness has been elevated, and all the
department heads and most interviewees are aware of, and appreciate, the need for improvement.
HP Global Method HP Restricted Page 10 of 51
Document Version: 1.0 / 10/06/2010 © Copyright 2021 Hewlett-Packard Development Company, L.P. 519323168.doc
Project Document Id: BIA Report Valid agreement required. Last changed: 19/04/2021 at 10:05 AM
BIA Report
Project ID No.:

The process management and business operations are well managed and the levels of procedural
documentation supporting these (for normal operations) are of a reasonably high standard across all
functions and processes. No evidence was presented to indicate that GEMB operates to any
recognised quality management standards (e.g. ISO900x) to manage and control documentation.

4.3 Findings by Country

The BIA process used in this project created a ranking order of priority for each business function or
process in each country to show :
• the Recovery Point Objective, the Recovery Time Objective (RTO) and also the Maximum
Tolerable Outage (MTO).
• their criticality in terms of the potential financial, operational or reputational impacts.
• the overall criticality ranking of each participating function or process.
The following sections of this BIA report show this information, by country.
The ranking scores shown in the tables in this report are the figures used in the analysis process. It
must be noted that they are not intended to be used as a comparison to any standards, best
practices or regulatory requirements. However, the figures do indicate the differences in levels of
each area in each of the categories. (e.g. if the highest ranking area shows a score of 100 in any one
table, then an area with a score of less than 50 may be half as critical). It is for this reason that they
have been presented here.
It must also be noted that the rankings shown are based upon the responses provided and
amendments made during the discussions with participating personnel. In Norway and Sweden, the
responses where discussed with departmental personnel; in Denmark, responses were collated by,
and therefore only discussed with, the project co-ordinator.
However, as the same criteria were used for each country, it is also possible to review the rankings
on a regional basis.
Note :
• In each table, the highest ranked five (or more, where the same score is achieved) are
highlighted for each category.
• The rankings are based upon the validated responses received from the participating business
areas; in some tables, there are functions or processes that are shown at levels that may not
be expected. This may be due to the responses being more, or less, complete than those of
other areas and, therefore, needing further review. The project timescales have not allowed for
this depth of analysis.

4.4 BIA Outcomes

The outcomes of the BIA, as defined by the objectives (see 3.2 above) are :
• Critical business functions and supporting systems
o Sections 7 & 9
• Recovery Time and Recovery Point Objectives (RTO and RPO)
o Recovery Time Objectives : Section 9
o Recovery Point Objectives : Sections 7 & 9
• Recovery requirements over time (people, facilities, IT)
o Sections 9 & 11 (IT applications)
• Identify vital records required for recovery
o Section 9 & 10

HP Global Method HP Restricted Page 11 of 51

5 Outage Tolerance and Recovery Timescales

The BIA identified the ranking of each participating area in terms of the following timescales
• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Maximum Tolerable Outage (MTO)
Tables showing the ranking for Outage Tolerance and Recovery Timescales for all functions and
processes included in this review are found in Appendix C
Using this information, the review has also identified the overall criticality rating of the participating
areas (section 7 below), based upon the relative importance of each category. The dependency
upon data and information availability (RPO) defines the time within which services should be
available (RTO) and this must be within the threshold of the Maximum Tolerable Outage.
The information shown in Section 9 related to the recovery timescales for critical IT
applications used by each function gives the Recovery Time Objective for each application.
The review also highlighted the potential impact of the perceived (as per the responses) Recovery
Point Objectives, often given as less than one day, or one hour, and the actual back-up procedures
that are being operated. These are understood to be on a daily cycle. Therefore, in a worst case
scenario, if the business cannot tolerate data loss of more than an hour, and the only data that is
available after a restore is from the previous day, there is potential for major problems.

6 Outage Impacts
The BIA identified the ranking of each participating area in terms of the following potential impacts
upon the business operations in each country
• Financial Impact
• Operational Impact
• Impact upon the GEMB Reputation / Image
Tables showing the criticality of the participating areas, ranked by these criteria, are found in
Appendix D.

7 Overall Criticality Rating

Using the information from the Outage Tolerance and Recovery Timescales (section 5) and the
Outage Impacts (section 6), it is possible to rank the participating functions / processes in terms of
overall criticality to the business operation in each country.
The full tables can be found in Appendix E. The highest five ranked areas from each country are
shown below, with also the Recovery Point Objectives, the Maximum Tolerable Outages and the time
in which disruption to the function / process would have a significant impact upon the business
operation and customer service(s) in each country. It should be noted that the timescale for
operational impact is very close to the timescale for significant financial impacts for the highlighted
business functions or processes.
The definition of the Recovery Time Objective (RTO) for each of the functions, processes and
systems / applications identified during the review as being critical to business operations in each
country must be the same as the restore times for critical systems and applications (see section 9,
below) and must be within the Maximum Tolerable Outage (MTO) for each function or process.

HP Global Method HP Restricted Page 12 of 51

Denmark
Overall
Op.
Function / Process Criticality RPO MTO
Impact
Rating
Operations - Authorization Processing 97.00 1 Hour Zero Immediate
Risk - Risk Origination - Scorecard 74.28 1 Day < 1 Day Immediate
Collection - Early Collection 71.33 < 1 Day < 1 Day < 1 Day
Operations - Origination 70.92 3 Days < 1 Day Immediate
Operations – Customer Service - Customer support 63.45 3 Days 3 Days < 1 Day

8 Priorities
The tables for each country in section 7 show the relative priorities (Overall Criticality Rating) for
recovery of the key business functions within the scope of this review, and the timescales within
which each department/function should be operational. The recovery of the underpinning IT systems
should reflect this criticality.
It is important to recognise that the tables in section 7 and also in Appendix C (rankings by Recovery
Timescales) show the priorities and timescales for recovery of an acceptable level of GEMB service
that must be re-established and does not suggest that business units can “do nothing” during this
time. For instance, business partners, suppliers, regulators and other external agencies may need to
be contacted on day one. This is reflected in the critical staff requirements shown in section 10 and
must be reflected in (future) Incident Management procedures as part of each business unit’s
Business Continuity Strategy and Planning.
It is also important to note that the information shown reflects the priorities for restoration of the
critical “normal” operations of each function or process. Dependent upon the nature of a disruption,
and its potential impact(s) upon GEMB business operations, certain other departments or individuals,
such as IT and Media Communication may be required immediately to perform technical recovery
and to manage external communications. Decisions on issues of response to incidents are a factor
of effective Business Continuity Planning.

HP Global Method HP Restricted Page 13 of 51

9 Systems / Applications Requirements

Respondents were asked to identify which IT systems are critical to their business function or
process, how important these are to them and how quickly they would need to be restored in the
event of an IT disaster or major incident (e.g. total loss of IT service hardware, physical environment,
power or telecom’s), as opposed to day-to-day operational problems
The review process identified the applications required by the business functions / processes within
the following timescales of recovery.
• < 1 day
• After 24 hours
• Within 1 week
• Longer than 1 week
For each country, the most critical applications (systems required within one day and after 24 hours)
are listed in this section below, in alphabetical order of application name. The full list of applications
for each country, across all the above timescales is in Appendix F.
As stated above, the timescales shown in these lists must be taken as the Recovery Time
Objective for each application.
The data related to these applications must be considered the critical data to be recovered / restored
in the event of failure / outage, within the same timescales.
GEMB were unable to supply an accurate mapping of servers by application to identify specific HP-
hosted requirements and their interdependencies. To supply this, the information would need to have
been requested via HP, at additional cost and would not have been available within the time
constraints of this project. A list of HP production servers is found in Appendix G. This list should be
used, with the information below, and in Appendix F, as the basis for preparing the recovery solution
proposal recommended in section 16 (Recommended Actions).
The information used in this report was produced from the business area responses regarding the
various systems, and must be further validated by GEMB / HP before any decisions on recovery
strategies are taken.
Where a recovery requirement is shown as “after 24 hours” this indicates that the application, with
data, must be fully available for business use within twenty four hours of the failure.

Denmark
Note : Danish BIA responses did not identify system / applications requirements beyond the “after 24 hours”
time period; the systems identified were those deemed critical to the immediate recovery of business activities.
Denmark
Business Application User Group Criticality
AcceptCard.dk Ops Orig < 1 day
Batch (insurance) Ops Cust. Servs < 1 day
Cadre IT < 1 day
Collection < 1 day
DataWareHouse Risk Reserves < 1 day
DDB.dk Finance < 1 day
Dialer system Collection < 1 day
Excel Risk Reserves < 1 day
Formscape Ops Cust. Servs < 1 day
GE Network Ops Auth < 1 day

HP Global Method HP Restricted Page 14 of 51

Denmark
Business Application User Group Criticality
Ops Orig < 1 day
Risk Orig < 1 day
Collection < 1 day
HR < 1 day
Finance < 1 day
IT < 1 day
Risk Reserves < 1 day
GEMoneyBank.dk Ops Orig < 1 day
IC Archive Ops Cust. Servs < 1 day
InterFlex HR < 1 day
Mercury Risk Orig < 1 day
Multiløn HR < 1 day
Nice Ops Cust. Servs < 1 day
NSBM Ops Orig < 1 day
Risk Orig < 1 day
Oracle Financials Finance < 1 day
Oracle Financials AP Finance < 1 day
PBS routing Ops Auth < 1 day
Phone system Collection < 1 day
Ops Orig < 1 day
Postilion Ops Auth < 1 day
Ops Cust. Servs < 1 day
probe Risk Orig < 1 day
RKI/CPR Ops Orig < 1 day
SAS Risk Reserves < 1 day
SMASH Ops Cust. Servs < 1 day
Symposium Ops Cust. Servs < 1 day
Vision Plus Ops Auth < 1 day
Collection < 1 day
Ops Cust. Servs < 1 day
WEB indus Collection < 1 day
Formscape Ops Orig < after 24 hours
Importer Ops Orig < after 24 hours
Mercury Ops Orig < after 24 hours
Vision + Ops Orig < after 24 hours
Workflow Ops Orig < after 24 hours

HP Global Method HP Restricted Page 15 of 51

Norway
Norway
Business Application User Group Criticality
Argus IT < 1 day
Experian Sales < 1 day
Originate < 1 day
FLS Cust Service < 1 day
NBSM Sales < 1 day
Originate < 1 day
Origo Sales < 1 day
Originate < 1 day
Phone System IT < 1 day
Readsoft Originate < 1 day
TFS Sales < 1 day
Originate < 1 day
Cust Service < 1 day
Web Shop Solution Sales < 1 day
Data Warehouse (DWH) Cust Service < after 24 hours
Dialler Collections < after 24 hours
Fermat Risk < after 24 hours
markeme Marketing < after 24 hours
Microsoft Office (+ all other
standard software) Risk < after 24 hours
Cust Service < after 24 hours
Nova Finance < after 24 hours
Collections < after 24 hours
Nova Rulle Collections < after 24 hours
Phone system Collections < after 24 hours
Originate < after 24 hours
Report Manager Finance < after 24 hours
SMTP Server Originate < after 24 hours
TFS Finance < after 24 hours
Collections < after 24 hours
View21 Collections < after 24 hours
View21 (including Auto Rulle) Risk < after 24 hours
Workflow Collections < after 24 hours

HP Global Method HP Restricted Page 16 of 51

Sweden
Sweden
Business Application User Group Criticality
Ansok B2B < 1 day
U/Wr NBSM < 1 day
M&CS DTC < 1 day
Dialer Operations < 1 day
Homepage M&CS DTC < 1 day
NBSM B2B < 1 day
M&CS DTC < 1 day
U/Wr NBSM < 1 day
NOS B2B < 1 day
Nova Operations < 1 day
U/Wr NBSM < 1 day
Telephony B2B < 1 day
M&CS DTC < 1 day
TFS B2B < 1 day
M&CS DTC < 1 day
Operations < 1 day
U/Wr NBSM < 1 day
UC Operations < 1 day
Atlas Operations < after 24 hours
Clear Interact Operations < after 24 hours
Cosmos Operations < after 24 hours
CVS (code version system) IT < after 24 hours
CWC M&CS Stat < after 24 hours
M&CS DTC < after 24 hours
DWH B2B < after 24 hours
M&CS Stat < after 24 hours
M&CS DTC < after 24 hours
FLS M&CS Stat < after 24 hours
M&CS DTC < after 24 hours
IVR B2B < after 24 hours
M&CS DTC < after 24 hours
Network & Infrastructure incl
telephony IT < after 24 hours
Opalis (Batch infrastructure job
control system) IT < after 24 hours
TFS M&CS Stat < after 24 hours
Virtual office IT < after 24 hours

HP Global Method HP Restricted Page 17 of 51

10 Critical Data
Respondents did not identify specific data recovery requirements for the same reasons as referred to
in Section 9, above, related to application / server mapping. The conclusion agreed with
interviewees and the GEMB project lead is that all data required by the critical applications must be
available upon restore / restart of recovered systems.

11 Critical Staff by Department

Respondents were asked to state the minimum staff requirements for working at an alternative,
temporary location in the event of the GEMB office not being accessible / usable, for any reason.
The following tables summarises the critical staff requirements which would need to be catered for
following a disaster or major incident affecting the main GEMB location in each country. It is
extremely important to assign staff with the appropriate key skills required in response to a disruptive
incident that causes the business continuity plan and facilities (should these exist) to be activated.
Please note that the total staff numbers are the sum of the departments represented in this BIA and
based upon figures given.
After Longer
Within
Denmark < 1 day 24 than 1
1 week
hours week
Personnel 43 43 58 64
Workspace (i.e. desk, PC, telephone) 43 43 43 49

After Longer
Within
Norway < 1 day 24 than 1
1 week
hours week
Personnel 28 85 206 233
Workspace (i.e. desk, PC, telephone) 28 85 150 177

After Longer
Within
Sweden < 1 day 24 than 1
1 week
hours week
Personnel 66 105 156 239
Workspace (i.e. desk, PC, telephone) 61 95 136 199

Note : Differences in personnel / workspace numbers are due to sharing of facilities in areas that operate
shift patterns (e.g. Customer Service).

In addition to these application systems, the IT infrastructure and services underpinning the
applications, such as firewalls and catalogue services, must be considered to have RTOs and RPOs
corresponding to the most critical applications.

HP Global Method HP Restricted Page 18 of 51

4 Financial Impact(s)
An accurate assessment of financial impacts due to failure of IT systems proved difficult for the
majority of respondents. It was agreed that this topic would be reviewed in more depth in the
development of a wider, more encompassing Business Continuity Management programme and
planning.
Responses that were supplied indicated significant potential losses, ranging from $100K per day for
Denmark (info supplied by Collections), $200K for Sweden (info supplied by Operations) and over
$400K per day in Norway (info supplied by Collections). However, as agreed, a more in-depth review
is required to establish specific levels of loss, as the financial impact would be dependent upon the
nature and length of the disruption to business activities. An incident affecting the Bank’s operational
capability would not have a major impact upon its assets or liabilities, and if effective continuity
procedures are in place, processes could be resumed within a timeframe to minimise potential
losses.
In discussions, it was also noted that a major disruption to business operations might result in the
loss of one, or more, client(s) due to an inability to meet their requirements. For example, in Norway,
the review identified that the average client contract is worth $20m over three years ($6.3m per year).
Loss of just one client due to operational failure would, therefore, have a significant impact upon
revenue.
Another consideration is the potential for direct financial impact in terms of penalties and fines. It was
noted during the review that each country’s financial regulatory body could rescind GEMB’s banking
licence in the event of prolonged failure to provide services and to submit required reports.
In spite of the difficulties obtaining hard financial numbers, it is obvious that the financial losses to
GEMB (loss of sales / new business and due to failure of the collections process) would be
significant if operations are not resumed within tolerable timescales after a disruptive incident. GEMB
is putting its survival at stake by not having an up to date and tested BCP in place in the Nordic
region. The review discussions showed that GEMB is aware of this issue and this project shows that
the intent to reduce the potential impact of an IT failure is being taken seriously.

5 Impact Upon Reputation / Image

The business areas included in the review were ranked in order of the potential impact of failure or
disruption on GEMB’s image and reputation in the eyes of the consumers, trade partners, regulators
and employees. The outcomes are shown in the table in Appendix D. It is notable that the ranking in
this case does not reflect the potential financial or operational impact rankings (also Appendix D).
This may be due to the fact that image and reputation is largely based upon a stakeholder’s
perception of the organisation’s ability to respond quickly and effectively to their requests and
requirements.

6 Critical Documentation
Although the BIA review did not include specific inspection of documentation storage in each
location, the following issues were identified during the review discussions.
1. Legal Documentation
Most critical computer data is regularly backed up, and much of it would be available following a
disaster, although this may not be as up to date as required.
The understanding gained from this review is that all data stored on what may be termed as the core
business systems is backed up to tape at least daily. This review has highlighted the potential need

HP Global Method HP Restricted Page 19 of 51

to improve the data back-up or duplication to meet the RPO requirements (reference sections 5, 7
and 9).
The review discussions identified a number of areas where critical information is held on hard copy.
The main examples of this are the legal and HR functions, where original documents (e.g. contracts)
are held. It is understood that a programme of scanning new documents has been implemented, but
not uniformly across the region. At the time of the review, many “historical”, or “legacy” documents
are still held as physical copies, ands these are only in the main office locations. Whilst only a limited
amount of work in progress might be lost in the event of an IT failure, the impact of loss of original
documents would be a long recovery process in getting copies from third parties and getting legal
confirmation of their validity. A prime example of this was stated in Norway, where obtaining copies
of legal judgements from the judicial system would be a costly and lengthy process.

2. Procedural Documentation
The review has identified that there is no consistency across the Nordic region, nor within each
country, of procedural documentation that covers critical business processes. In some cases,
detailed procedures are documented to work instruction level; in others, documentation exists only to
give a descriptive outline of the process. There was no evidence of the documentation being part of
a quality system, nor of it being compliant to any standards (e.g. regulatory or corporate).
When asked where the documentation exists, most respondents who were able to answer indicated
that it is held on shared drives. In the event of a failure of core business systems that are hosted
externally, this may not present a problem. However, in the event of an incident affecting the main
GE location in a country, and therefore the ability to access the main business systems, the
documentation required (specifically that dealing with manual work-arounds, where and if these exist)
may not be accessible within the timeframes required. In future BC planning, manual copies of
critical documentation should be held in a secure off-site location.

12 Comments / Observations
The following notes summarise the observations made during the BIA process for each country.
Each point was discussed and agreed with the participants and / or the GEMB Project Lead. In
some cases, these are not directly related to the specific objectives of this BIA review, but are
significant in that they relate to GEMB’s ability to recover and continue local business operations
following any incident that may cause them to be disrupted.
1 The most time critical functions identified are the ones directly related to daily transaction
management and are client interfacing. A failure of those functions will cause damage within a
single day and are very visible. Less time critical functions, such as reconciliation and risk
management, becomes critical after a few days, but are probably more critical to the Bank’s
survival over time.
2 Most departments are inter-dependent and the inability of one to complete its processes would
have a serious knock-on effect to the others. There is a significant reliance on the IT
infrastructure and it was recognised that the business could not survive without IT support. As the
business continues to grow, there will be an increased reliance and dependency upon the
availability and integrity of IT services supporting business operations.
3 It was noted that few functions have adequate documented manual fallback or “work-around”
procedures that could be implemented in an incident / emergency that might result in IT services
being unavailable, thereby increasing the perceived dependency upon this function. This, in turn,
increases the necessity to recover IT systems within a very short time following an incident that
might cause their failure.

HP Global Method HP Restricted Page 20 of 51

4 Recovery Time Objectives (i.e. the tolerable downtime according to users - RTO) for IT systems
range from virtually zero to longer than one week, the latter being predominantly in back office or
support functions. If recovery solutions cannot meet the perceived business requirements for
critical functions or processes, a program to develop and maintain manual fallback procedures
should be considered.
5 The recovery of IT systems has been reviewed on an “all or nothing” basis, meaning that an
application, and its associated data, would be recovered completely in the timeframe required
(reference section 5 above and Appendix F : Critical IT Applications by Timescale). Therefore,
recovery does not have to be repeated for any requirement for the system, application or data
shown at a later time.
6 It was recognised in the validation discussions that there are business processes that are cyclic,
and that criticalities are not easily stated for these instances. It is therefore important to recognise
that, in the event of disruption to, or failure of, IT services, there must be some flexibility of
response and recovery in the response process. This should be built into the initial incident
management procedure for recovery.
7 From the responses received, and from points raised in the review discussions, it was noted that
the information available relating to dependencies is not effective. Every process in an
organisation has two types of dependency.
• “Upstream” : the processes, facilities or information that must be in place, operational or
completed before this process can be operationally effective.
• “Downstream” : the functions or processes that depend upon this process being in place,
operational or completed before they can be operationally effective.
Across all the participating business areas, there were few responses with correlating upstream /
downstream dependencies. The process to develop a wider Business Continuity Management
strategy and planning should identify the specifics of each business area’s dependencies.
8 The review was intended to focus on the criticality of IT systems and, therefore, did not include
specific dependencies upon the availability of individual staff members. All departments should
review “single points of failure” to ensure that all critical work functions are adequately covered
should one or more the key persons be absent.
9 The responses highlighted a potential exposure to effective recovery as a consequence of the
current back-up cycles. Where there is a stated Recovery Point Objective (RPO) of less than one
day, but the stated current data back up cycles are daily, there is a high probability that the loss of
transactions / data will be greater than has been stated as tolerable in the event of a failure of the
systems supporting that business function. If the stated RPO’s are to be achieved, the back-up
cycles should reflect the requirement.
Examples of areas stating an RPO of one hour, but with daily (overnight) back-ups
Denmark : Operations : Authorisation Processing
Sweden : B2B Sales / Instore Origination Process
10 When reviewing the RPO requirements and back-up cycles, consideration should be given to the
potential problems that may be caused by possible inconsistency in synchronisation between data
on differing systems that is backed up at different times. Any differences may impact the ability to
recover effectively. The review highlighted the potential problem when discussing back-ups for
the Nova and TFS systems for the Collections process in Norway.
11 In all three countries (ref section 11, above), there is a requirement for alternative work space to
be made available in the event of the main location(s) being unusable or inaccessible. In the
current situation, there will be major delays in recovery of business operations whilst suitable and
sufficient accommodation is found.

HP Global Method HP Restricted Page 21 of 51

Norway has an arrangement with the Swedish office for the provision of fifty workplaces in the
event of an incident making the office in Stavanger unusable or inaccessible. These would be
used by Risk and Operations groups.
The only other participating business functions or processes that indicated that there are
designated alternative locations to which they would relocate are
• Sweden : Risk (Fraud process)
• Denmark : Operations (Authorisation) / HR / Finance
No other business functions / areas were able to state that there are arrangements in place for the
provision of alternative working space.
12 The current arrangement for Norwegian personnel to re-locate to Stockholm does not take
account of call centre operations. Discussions also highlighted that the arrangement has been
made without designation of the actual employees who might be expected to travel, nor
verification of their ability / willingness to do so.
13 In a number of the validation meetings, participants indicated that, in the event of the main office
location being unavailable, functions or processes might be continued via home working. Whilst
this may be a temporary solution for some functions, it would be impractical for others (e.g.
customer services call centre operations). It was also noted that, unless the home working culture
is already in existence, this cannot be sustained over long periods, due to needs of
communication and control.
14 Although the core business systems would be recoverable via the outsourcing provider(s), local IT
environments would need to be recovered to hardware and peripheral equipment that would need
to be obtained at the time of the incident and its aftermath. The BIA was presented with no
evidence to show that arrangements in place to guarantee availability of required hardware at
short notice.
15 In each country, there is a stated reliance upon the availability of telephony facilities, especially for
call centre / customer service operations, needing specialised equipment that may not be able to
be sourced as part of the proposed recovery solution(s) that will be considered following this
review.
16 In the event of a disruption requiring relocation of operations, there will be a need to implement
the required links to service providers (e.g. HP for business systems) to ensure that the minimum
level of business functionality can be recovered.
17 In the event of an incident impacting the GEMB office location in a country, several areas (e.g.
Norway HR / Sweden L & C) will have a reliance on hardcopy information. This may not be
available, as the only versions are held in the main office and may be inaccessible. A need to re-
create the required information may severely impact recovery of these departments’ ability to
recover business operations.
18 Although the review has not highlighted any specific areas where there are specific dependencies
upon the availability of individual staff members, all departments should review “single points of
failure” to ensure that all critical work functions are adequately covered should one or more the
key persons be absent.
19 BCP awareness is high, and all respondents and meeting attendees appreciate the need for
improvement to the current situation (no current plan in place / no work area recovery). At the time
of the review, there were no resources specifically allocated to implement and maintain a Nordic
business continuity programme, although in discussions, it was indicated that this would be given
future priority.
20 The review highlighted that, in general, business function / process owners are not fully aware of
the IT infrastructure that supports their operation. In more than one instance, the responsibility for
data and functionality was seen to be solely an IT responsibility. Assumptions were made

HP Global Method HP Restricted Page 22 of 51

regarding location of data and back-up frequencies. There is a need for business management to
take “ownership” of their systems, applications and data to enable them to more fully understand
the potential impacts of change to, or failure of, these IT services.
21 When considering IT recovery solutions, the legal / regulatory implications of transferring personal
data outside the country / region must be reviewed. Swedish law, for example, does not permit
this without the explicit consent of the individual. Whilst GEMB has obtained the permission of its
employees to have their details held and processed outside of the EU (via staff contracts), the
review discussions highlighted the need to verify that this consent is given by consumers (e.g. as
part of the loan or financial agreement). If this consent is not included, any proposed IT disaster
recovery solution must take this into consideration.
22 The review has highlighted the need to consider the phone and scanning systems to be an
integral part of the recovery requirements that would not be included in an IT disaster recovery
solution for systems hosted by HP. This should be reviewed separately and included in future
business continuity planning.

13 Recommended Actions

1 GEMB should request HP to provide a proposal for an IT Disaster Recovery Solution to cater
for the potential loss of IT services for the critical systems and applications in each country.
This proposal should include the following options :
1. IT recovery to meet the perceived business requirements as outlined above (i.e. within
twelve hours or one day)
2. An alternative to give recovery time within 24 hours
3. An alternative to give recovery time within 36 hours
The solution(s) should also take consideration of the Recovery Point Objectives as identified by
the business areas. This may involve changes to back-up procedures.
2 GEMB should review the proposed solutions. If necessary, GEMB should review the Recovery
Time and Recovery Point Objectives to adjust requirements to meet the most acceptable
effective recovery solution proposed by HP. This may necessitate the development of
structure and documented work-around procedures.
3 GEMB and HP should implement the most suitable solution as soon as possible, including
procedures to manage the response and recovery (e.g. to ensure flexibility of priorities).
4 GEMB should implement a programme to develop a regional standard Business Continuity
Management Strategy, with appropriate levels of planning. This may be in the form of a
regional plan with sections for each country, or separate plans for each location. Plans should
also include local (country) escalation of incident / problem management to regional and then
to corporate management levels.

HP Global Method HP Restricted Page 23 of 51

Appendix A BIA Participants

Denmark

Response Validation

No meetings with function / process owners.

All responses were prepared and discussed with Pierre Schwartz (IT Controller)

Close Out Presentation

Jan Muhlendorph Operations Collections

Paul P Smith IT
Charles V Watkin HR
Michael Poulsen Finance
Leif S Jensen Risk
Louise Wachmann PMO
Martin Koch IT Controller Leader
Pierre Schwartz IT Controller

Norway

Response Validation Meetings

Tom Schakman IT
Christian Balchen CFO
Nelly Fossheim Finance
Synnove Singha Finance
Samii Trto Finance
Terje Moldestad Sales
Volker Gloe Risk
Petter Gravas Risk
Knut Overnes Operations
Hege Olsen Operations : Customer Services
Karina Goa Operations : New Business
Tarjei Smistad Operations
Gunn Loland Marketing
Borge Liavik Marketing
Oyvind Norberg Legal
Rannveig Drengstig Collections
Tore Wilberg Collections
Alan Howarth Business Security Officer (Internal project co-ordinator)
Martin Koch IT Controller Leader (not all meetings)

Close Out Presentation

Morten Warland Country Lead

Knut Øvernes Ops Manager (COO)
Børge Liavik Marketing manager (CMO)
Volker Gloe Risk manager (CRO)
Christian Balchen Finance manager (CFO)
Morten Helgeland IT Operations manager (stand-in)
Ola Neergård Acting head of Legal & Compliance
Martin Koch IT Controller Leader
Alan Howarth Business Security Officer (all meetings)

HP Global Method HP Restricted Page 24 of 51

Sweden

Response Validation Meetings

Ulrika Wiik CIO

Torbjörn Sjöberg IT
Anne Lööf IT
Jens Svedelius IT
Tomas Sjöstedt L&C Manager.
Thomas Lindby Sales Manager.
Henrik Gustavsson CFO
Anna Roxtorp Finance
Åsa Welander Finance
Tanja Hildonen HR Manager.
Christina Rosengren CS Manager
Jessica Persson Marketing & Customer Sales
Andreas Winther Marketing & Customer Sales
Thomas Nygårds COO
Katarina Hedberg Operations
Carolina Brandtman Risk
Annika Tällberg Risk
Olof Wijnbladh Risk
Fredrik Josefsson Risk
Martin Koch IT Controller Leader (not all meetings)
Pia Stevens Internal project co-ordinator (all meetings)

Close Out Presentation

Ulrika Wiik CIO

Tomas Sjöstedt L&C Mgmr.
Anna Dahl
Anna Roxtorp
Åsa Welander Finance
Tanja Hildonen HR Mgmr.
Christina Rosengren CS Manager
Andreas Winther Marketing & Customer Sales
Thomas Nygårds COO
Fredrik Josefsson Risk
Martin Koch IT Controller Leader (not all meetings)
Pia Stevens Internal project co-ordinator

HP Global Method HP Restricted Page 25 of 51

Appendix B Business Areas included in the BIA

Listed by Country in Alphabetical Order

Country Function / Process

Denmark Collections : Early Collection
Finance : Accounts Payable
HR Payroll : Salary Payment for GE
IT Service Desk : Incident Management
Operations : Authorisation Processing
Operations : Customer Service
Operations : Origination
Risk : Reserves, Fraud & Reporting
Risk : Risk Origination

Norway Collections
Customer Service
Finance
HR
IT
L&C
Marketing
Originate
Risk
Sales

Sweden Accounts Payable

B2B
Controllership Accounting
Controllership Reconciliation
Fraud
HR
Incoming Payments
IT
L&C
M&CS DT Acquisition
M&CS Statement Process
Manual Outgoing Payments
Operations
Risk
Underwriting
The following responses were received, but, in
discussion, it was agreed that these are not critical
processes and were not included in the analysis.
M&CS Campaign Process CRM
M&CS Campaign Process New
M&CS Card Issue
M&CS Interest Adjustment

HP Global Method HP Restricted Page 26 of 51

Appendix C Critical Business Areas Ranked by Recovery Timescales

and Outage Tolerances

Denmark

Recovery Point Objective (RPO)

Recovery
Function / Process Point
Objective
Operations - Authorization Processing 90.00
Collection - Early Collection 72.00
Risk - Risk Origination - Scorecard 54.00
Operations - Origination 45.00
Operations - Customer Service - Customer support 45.00
HR - Payroll - Salary payment for GE 45.00
IT - ServiceDesk - Incident Management 45.00
Risk - Reserves, Fraud and reporting - Reserves 45.00
Finance - Account Payables - Account Payables 36.00

Recovery Time Objective (RTO)

Recovery
Function / Process Time
Objective
Operations - Authorization Processing 70.00
Risk - Risk Origination - Scorecard 54.60
Operations - Origination 49.00
Operations - Customer Service - Customer support 47.60
Collection - Early Collection 42.00
HR - Payroll - Salary payment for GE 7.00
IT - ServiceDesk - Incident Management 7.00
Risk - Reserves, Fraud and reporting - Reserves 7.00
Finance - Account Payables - Account Payables 7.00

Maximum Tolerable Outage (MTO)

Maximum
Function / Process Tolerable
Outage
Operations - Authorization Processing 50.00
Risk - Risk Origination - Scorecard 40.00
Operations - Origination 40.00
Collection - Early Collection 40.00
Operations - Customer Service - Customer support 25.00
HR - Payroll - Salary payment for GE 5.00
IT - ServiceDesk - Incident Management 5.00
Risk - Reserves, Fraud and reporting - Reserves 5.00
Finance - Account Payables - Account Payables 5.00

HP Global Method HP Restricted Page 27 of 51

Norway

Recovery Point Objective (RPO)

Recovery
Function / Process Point
Objective
Originate 90.00
Marketing 72.00
Customer Service 72.00
Collections 72.00
Finance 54.00
HR 54.00
Sales 54.00
Risk 54.00
Legal & Compliance 54.00
IT 45.00

Recovery Time Objective (RTO)

Recovery
Function / Process Time
Objective
Marketing 67.20
Collections 63.00
IT 57.40
Originate 56.00
Customer Service 50.40
Finance 49.00
Risk 32.20
HR 21.00
Sales 7.00
Legal & Compliance 7.00

Maximum Tolerable Outage (MTO)

Maximum
Function / Process Tolerable
Outage
IT 50.00
Marketing 40.00
Originate 40.00
Finance 35.00
Collections 35.00
Risk 25.00
Customer Service 25.00
HR 15.00
Sales 5.00
Legal & Compliance 5.00

HP Global Method HP Restricted Page 28 of 51

Sweden

Recovery Point Objective (RPO)

Recovery
Function / Process Point
Objective
B2B Sales / Instore Origination Process 90.00
Marketing & Consumer Sales/ DTC Acquisition 90.00
Operations 90.00
Underwriting (NBSM process) 72.00
Finance Controllership Accounting 54.00
Outgoing payments (manual) 54.00
Marketing & Consumer Sales/ Statement Process 54.00
IT 45.00
Legal & Compliance/AML transaction monitoring 45.00
A/P process 45.00
Incoming Payments 45.00
HR/payroll processes 45.00
Finance Controllership Reconciliation 36.00
Risk Fermat Process 36.00
Risk Fraud 36.00

Recovery Time Objective (RTO)

Recovery
Function / Process Time
Objective
B2B Sales / Instore Origination Process 67.20
Marketing & Consumer Sales/ DTC Acquisition 67.20
Operations 67.20
Underwriting (NBSM process) 64.40
IT 58.80
Marketing & Consumer Sales/ Statement Process 40.60
Risk Fraud 37.80
Outgoing payments (manual) 26.60
Incoming Payments 23.80
A/P process 12.60
HR/payroll processes 12.60
Risk Fermat Process 12.60
Legal & Compliance/AML transaction monitoring 7.00
Finance Controllership Accounting 7.00
Finance Controllership Reconciliation 7.00

HP Global Method HP Restricted Page 29 of 51

Maximum Tolerable Outage (MTO)

Maximum
Function / Process Tolerable
Outage
B2B Sales / Instore Origination Process 40.00
Marketing & Consumer Sales/ DTC Acquisition 40.00
Operations 40.00
Underwriting (NBSM process) 40.00
IT 35.00
Marketing & Consumer Sales/ Statement Process 35.00
Outgoing payments (manual) 15.00
Risk Fermat Process 15.00
Risk Fraud 15.00
Legal & Compliance/AML transaction monitoring 5.00
Finance Controllership Accounting 5.00
Finance Controllership Reconciliation 5.00
A/P process 5.00
Incoming Payments 5.00
HR/payroll processes 5.00

HP Global Method HP Restricted Page 30 of 51

Appendix D Critical Business Areas Ranked by Potential Impact(s)

Denmark

Financial Impact
Function / Process Financial
Collection - Early Collection 48.00
Operations - Origination 40.00
IT - ServiceDesk - Incident Management 37.00
Finance - Account Payables - Account Payables 33.00
Operations - Authorization Processing 32.00
Risk - Risk Origination - Scorecard 30.00
Operations - Customer Service - Customer support 24.00
Risk - Reserves, Fraud and reporting - Reserves 21.00
HR - Payroll - Salary payment for GE 13.00

Operational Impact
Function / Process Operational
Operations - Authorization Processing 60.00
Risk - Risk Origination - Scorecard 53.00
Operations - Customer Service - Customer support 51.00
Operations - Origination 49.00
Collection - Early Collection 20.00
IT - ServiceDesk - Incident Management 15.00
Finance - Account Payables - Account Payables 9.00
Risk - Reserves, Fraud and reporting - Reserves 9.00
HR - Payroll - Salary payment for GE 9.00

Impact upon Reputation / Image

Function / Process Image
Finance - Account Payables - Account Payables 30.00
Operations - Customer Service - Customer support 22.00
IT - ServiceDesk - Incident Management 20.00
HR - Payroll - Salary payment for GE 20.00
Operations - Origination 16.00
Operations - Authorization Processing 16.00
Risk - Risk Origination - Scorecard 16.00
Collection - Early Collection 12.00
Risk - Reserves, Fraud and reporting - Reserves 12.00

HP Global Method HP Restricted Page 31 of 51

Norway

Financial Impact
Function / Process Financial

Collections 58.00
Originate 38.00
Risk 35.00
Marketing 32.00
Sales 23.00
IT 22.00
Finance 13.00
HR 13.00
Customer Service 13.00
Legal & Compliance 13.00

Operational Impact
Function / Process Operational

Marketing 60.00
Customer Service 54.00
Collections 52.00
Finance 51.00
IT 51.00
Originate 46.00
Sales 33.00
Risk 29.00
Legal & Compliance 19.00
HR 17.00

Impact upon Reputation / Image

Function / Process Image

Legal & Compliance 30.00

Finance 22.00
Risk 22.00
Customer Service 22.00
HR 20.00
Sales 16.00
Marketing 16.00
Originate 16.00
Collections 16.00
IT 6.00

HP Global Method HP Restricted Page 32 of 51

Sweden

Financial Impact
Function / Process Financial

Operations 52.00
Incoming Payments 37.00
A/P process 35.00
IT 33.00
Underwriting (NBSM process) 30.00
Outgoing payments (manual) 27.00
Risk Fraud 27.00
Legal & Compliance/AML transaction monitoring 23.00
Risk Fermat Process 23.00
B2B Sales / Instore Origination Process 22.00
Marketing & Consumer Sales/ DTC Acquisition 22.00
Finance Controllership Accounting 21.00
Finance Controllership Reconciliation 13.00
HR/payroll processes 7.00
Marketing & Consumer Sales/ Statement Process 7.00

Operational Impact
Function / Process Operational

B2B Sales / Instore Origination Process 60.00

Marketing & Consumer Sales/ DTC Acquisition 60.00
Operations 60.00
Underwriting (NBSM process) 60.00
IT 58.00
Marketing & Consumer Sales/ Statement Process 43.00
Outgoing payments (manual) 37.00
Incoming Payments 37.00
Risk Fraud 33.00
Finance Controllership Reconciliation 23.00
HR/payroll processes 19.00
Finance Controllership Accounting 15.00
A/P process 15.00
Risk Fermat Process 11.00
Legal & Compliance/AML transaction monitoring 9.00

HP Global Method HP Restricted Page 33 of 51

Impact upon Reputation / Image

Function / Process Image

Marketing & Consumer Sales/ Statement Process 30.00

Outgoing payments (manual) 30.00
Incoming Payments 30.00
HR/payroll processes 30.00
Risk Fermat Process 30.00
Legal & Compliance/AML transaction monitoring 30.00
IT 22.00
Risk Fraud 22.00
B2B Sales / Instore Origination Process 16.00
Marketing & Consumer Sales/ DTC Acquisition 16.00
Operations 16.00
Underwriting (NBSM process) 16.00
Finance Controllership Reconciliation 6.00
Finance Controllership Accounting 6.00
A/P process 6.00

HP Global Method HP Restricted Page 34 of 51

Appendix E Overall Criticality of Business Areas

Denmark
Function / Process Overall Criticality Rating
Operations - Authorization Processing 97.00
Risk - Risk Origination - Scorecard 74.28
Collection - Early Collection 71.33
Operations - Origination 70.92
Operations - Customer Service - Customer support 63.45
IT - ServiceDesk - Incident Management 37.00
Finance - Account Payables - Account Payables 34.00
HR - Payroll - Salary payment for GE 29.50
Risk - Reserves, Fraud and reporting - Reserves 29.50

Norway
Function / Process Overall Criticality Rating
Originate 89.50
Collections 88.17
Marketing 86.73
Customer Service 73.88
IT 73.05
Finance 67.50
Risk 58.57
HR 42.50
Sales 40.00
Legal & Compliance 37.50

Sweden
Function / Process Overall Criticality Rating
Operations 100.23
B2B Sales / Instore Origination Process 92.73
Marketing & Consumer Sales/ DTC Acquisition 92.73
Underwriting (NBSM process) 85.30
IT 74.52
Marketing & Consumer Sales/ Statement Process 63.20
Outgoing payments (manual) 55.37
Incoming Payments 50.60
Risk Fraud 50.10
Risk Fermat Process 37.20
A/P process 34.87
HR/payroll processes 34.87
Legal & Compliance/AML transaction monitoring 34.50
Finance Controllership Accounting 32.50
Finance Controllership Reconciliation 26.50

HP Global Method HP Restricted Page 35 of 51

Appendix F Critical IT Applications by Time Scale

See note in section 9

Denmark (See note in section 6)

Denmark < 1 Day

Application Owner
AcceptCard.dk Ops Orig
Batch (insurance) Ops Cust. Servs
Cadre IT
DataWareHouse Collection
DataWareHouse Risk Reserves
DDB.dk Finance
Dialer system Collection
Excel Risk Reserves
Formscape Ops Cust. Servs
GE Network Ops Auth
GE network Ops Orig
GE network Risk Orig
GE network Collection
GE Network HR
GE Network Finance
GE Network IT
GE network Risk Reserves
GEMoneyBank.dk Ops Orig
IC Archive Ops Cust. Servs
InterFlex HR
Mercury Risk Orig
Multiløn HR
Nice Ops Cust. Servs
NSBM Ops Orig
NSBM Risk Orig
Oracle Financials Finance
Oracle Financials AP Finance
PBS routing Ops Auth
Phone system Collection
Phonesystem Ops Orig
Postilion Ops Auth
Postillion Ops Cust. Servs
probe Risk Orig
RKI/CPR Ops Orig
SAS Risk Reserves
SMASH Ops Cust. Servs
Symposium Ops Cust. Servs
Vision Plus Ops Auth
Vision Plus Collection
Vision Plus Ops Cust. Servs
WEB indus Collection Note : lists for one
country may be
over multiple pages

HP Global Method HP Restricted Page 36 of 51

Denmark After 24 Hours

Application Owner
Formscape Ops Orig
Importer Ops Orig
Mercury Ops Orig
Vision + Ops Orig
Workflow Ops Orig

Norway

Norway < 1 Day

Application Owner
Argus IT
Phones IT
Outlook IT
Backup IT
Origo Sales
TFS Sales
NBSM Sales
Experian Sales
Web Shop Solution Sales
NBSM Risk
Origo Marketing
gemoney.no Marketing
CWC Marketing
Origo Originate
NBSM Originate
TFS Originate
Experian Originate
Readsoft Originate
IBM Content Manager Originate
PDF Server Originate
Phone systems: Contact centre/IVR Cust Service
TFS Cust Service
FLS Cust Service

Norway After 24 Hours

Application Owner
TFS Finance
Nova Finance
Bank Finance
Report Manager Finance
Datwarehouse Sales
SAS (including DWH) Risk
Fermat Risk
Nova (including Nova Rulle) Risk
Microsoft Office (+ all other standard software) Risk
View21 (including Auto Rulle) Risk
markeme Marketing
IRC - Interest rate change application Marketing
Datawarehouse Marketing
SAS Marketing

HP Global Method HP Restricted Page 37 of 51

Norway After 24 Hours

Application Owner
SMTP Server Originate
Telephony systems Originate
Origo / Experian Cust Service
Data Warehouse (DWH) Cust Service
MS Office Cust Service
Phone system Collections
Nova Collections
TFS Collections
View21 Collections
Dialler Collections
Nova Rulle Collections
Workflow Collections
DWH Collections

Norway Within 1 Week

Application Owner
View 21 Finance
Oracle Finance
DWH Finance
Kenexa Brassring Recruiting system HR
Transaction tool HR
Oracle (HR) HR
Cadre IT
Sametime, Webex IT
SuperOffice Sales
Microsoft Office Sales
Accelerate Risk
TFS Risk
Credit Bureau Access Risk
Report manager Marketing
Access Marketing
Dialler for outbound Cust Service
CWC / GE Money Cust Service
Content Manager(e-arkiv) / Scan (read soft) Cust Service
Actimize L&C
TFS L&C
Nova L&C
View 21 L&C
Microsoft L&C
FLS Collections
e-archive Collections

Norway After 1 Week

Application Owner
Payroll Finance
Sophos AV / CA Unicentre IT
Sharepoint HP IT
Supportcentral IT
Docbase IT
GE Extranet/Cleint Web Page Sales
Modelbuilder Risk
Rightfax Originate

HP Global Method HP Restricted Page 38 of 51

Norway After 1 Week

Application Owner
Notifikator / SQL Server Rep Services / Epi
Server / gemoney.no Originate
DW L&C

Sweden

Sweden < 1 Day

Application Owner
NBSM B2B
Ansok B2B
NOS B2B
TFS B2B
Telephony B2B
TFS M&CS DTC
Ansök M&CS DTC
NBSM M&CS DTC
Homepage M&CS DTC
Telephony M&CS DTC
TFS Operations
UC Operations
Nova Operations
Dialer Operations
NBSM U/Wr NBSM
Ansok U/Wr NBSM
TFS U/Wr NBSM
Nova U/Wr NBSM

Sweden After 24 Hours

Application Owner
Network & Infrastructure incl telephony IT
Opalis (Batch infrastructure job control system) IT
Virtual office IT
CVS (code version system) IT
DWH B2B
IVR B2B
TFS M&CS Stat
FLS M&CS Stat
CWC M&CS Stat
DWH M&CS Stat
CWC M&CS DTC
IVR M&CS DTC
FLS M&CS DTC
DWH M&CS DTC
Clear Interact Operations
Cosmos Operations
Atlas Operations

HP Global Method HP Restricted Page 39 of 51

Sweden Within 1 Week

Application Owner
Incident Management System (Cadre) IT
IP Monitor IT
Kintana IT
Lotus Notes IT
Support Central IT
Business on Line Out Payments
TFS Out Payments
TFS In Payments
Cosmos In Payments
Nova In Payments
e-redovisning In Payments
Business online In Payments
Doktolk In Payments
Oracle HR HR Payroll
Transaction Tool HR Payroll
Jetform M&CS DTC
IVR Operations
FLS Operations
DWH Operations
Infoline (Scripts) Operations
DWH U/Wr NBSM
Fermat Risk Fermat
DWH Risk Fermat
TFS Risk Fermat
Nova Risk Fermat
Cosmos Risk Fermat
Oracle Finance Risk Fermat

Sweden After 1 Week

Application Owner
Actimize case manager L&C
Network Accounting
Oracle Accounting
ADI Accounting
Discoverer Accounting
Discoverer Reconciliation
ARRTT Reconciliation
Network Reconciliation
Oracle Accts Pay
B2P Accts Pay
Girovision Accts Pay
TRS Accts Pay
Adobe Invoice Scanning Accts Pay
Outlook Accts Pay
Hogia In Payments
Filmaker Pro In Payments
Ultra Edit In Payments
FLEX HR Payroll
Interpay HR Payroll
Base 24 (Authorisation) Risk Fraud

HP Global Method HP Restricted Page 40 of 51

Sweden After 1 Week

Application Owner
TFS Risk Fraud
DWH Risk Fraud
Dynamic Monitoring System (DMS) Risk Fraud

HP Global Method HP Restricted Page 41 of 51

Appendix G HP Servers

Source : GEMB

1 Nordic Production

EAI
MYSESWAPPCL01
MYSESWAPPCL02
gemoney.fi
GECOM01
GECOM02
GEWEB01
GEWEB02
GENET.fi
GECOM01
GECOM02
GEWEB01
GEWEB02
OASIX
IIS/Connect Direct/RoboFTP
DMZFTP
Loan Calc
BAT
Websphere, DB2
GEUNXPROD
(blank)
MYSESWLOGIX

HP Global Method HP Restricted Page 42 of 51

2 Denmark : Production

acceptcard.dk
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
bolia.dk
GECOM01
GECOM02
GEWEB01
GEWEB02
elaan.dk
GECOM01
GECOM02
GEWEB01
GEWEB02
elbodan
CARBONIX
GECOM01
GECOM02
GEWEB01
GEWEB02
KEVLARIX
OASIX
gemoneybank.dk
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
online.dk
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
online.dk
GESQL01
GESQL02
Workflow
MYSESWWF02

HP Global Method HP Restricted Page 43 of 51

3 Norway : Production

CWC
CARBONIX
eArchive
MYNOSWSVG1DOC01
Extranet
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
FLS Fusion
CARBONIX
KEVLARIX
MYSESWW3IA
MYSESWW3iB
OASIX
gekundservice.no
CARBONIX
GECOM01
GECOM02
GEWEB01
GEWEB02
KEVLARIX
IBM Content Management
MYSESWNOCM00
MYSESWNOCM01
MYSESWNOCM02
IVR NO
MYSESWNOS2SA
MYSESWNOS2SB
Markemy Server Norway
MYSESWGCMSAPPNO
Online.no
GECOM01
GECOM02
GEWEB01
GEWEB02
Origo
GEEXTW11
GEEXTW12
GEINTW11
GEINTW12
MYSESWDB20A
MYSESWDB20B
MYSESWDB21A
MYSESWDB21B
MYSESWINTBTS01A
MYSESWINTBTS01B
MYSESWINTREP
MYSESWINTWEB01A
MYSESWINTWEB01B
MYSESWORIBIZ01A
MYSESWORIBIZ01B
MYSESWORINB01A
MYSESWORINB01B
MYSESWORIPDF01A
MYSESWORIPDF01B

HP Global Method HP Restricted Page 44 of 51

MYSESWORIPDF01C
SEP Server
MYSEVWPOSTIX
WebShops
CARBONIX
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
KEVLARIX
MYSESWW3IA
MYSESWW3iB
OASIX
Workflow
MYSESWWF01
(blank)
MYSESWIABTS01A
MYSESWIABTS01B

HP Global Method HP Restricted Page 45 of 51

4 Sweden : Production

Actimize
MYSESOACCTIX
Active Directory Server
MYSESWEURDC0041
AD NetIq Server
MYSESWFIRSTIX
Affinity
EAIBTS02
GECOM01
GECOM02
GEEPI01
GEEPI02
GESQL01
GESQL02
GEWEB01
GEWEB02
Afsol DB (NO)
SEPM04
Ansök
DMZPRINT
Aristion
MYSESWARISTIX
Aristion DB
MYSESWDB10
ARP
OASIX
ASCI
CARBONIX
KEVLARIX
MYSESWW3IA
MYSESWW3iB
OASIX
Atlas/Launchpad/Oracle
DOGMATIXCGCFGE
Automate
MYSESWTOMATIX
Backup (Dataprotector)
MYSESWDP00
Biz Tool
GECOM01
GECOM02
GEWEB01
GEWEB02
Bridger
MYSEVWBRIDGERIX
CBO
MYSESWW3IA
MYSESWW3iB
Citrix
ASTERIX
COMIX
IDEFIX
MYSESVCTX000
MYSESWCTX000
MYSESWCTX01
MYSESWCTX02
MYSESWCTX03
MYSESWCTX04

HP Global Method HP Restricted Page 46 of 51

MYSESWCTX60
MYSESWCTX61
Citrix Metaframe Server
MYSESWNIKIX
MYSESWNILIX
Citrix server
CIRIXONECGCFGE
OUTIX
SESTO21CFLSGE
Citrix; IIS
MYSESWCWB01
CWC
APP
DHCP/RIS/Safeboot
SCARIX
Easy Contract
CARBONIX
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
KEVLARIX
MYSESWW3IA
OASIX
SS-01
SS-02
Faxserver/Automate/Bankomate
MYSESWFAXIX
File Server
MYSESWGIGANTIX
STORIX
Filemaker
MYSESVWAPP09
Fileserver
SESTO10CFLSGE
FLS
CARBONIX
KEVLARIX
MYSESWW3IA
MYSESWW3iB
OASIX
Gecko
ALFIX
BETIX
GECOM01
GECOM02
GEWEB01
GEWEB02
MYSESWAPPCL01
MYSESWAPPCL02
MYSESWW3iB
Gecko - Admin
BAT
Gecko - External
BAT
Gecko - Internal
BAT
gemoneybank.se
GECOM01

HP Global Method HP Restricted Page 47 of 51

GECOM02
GEEPI01
GEEPI02
GESQL01
GESQL02
GEWEB01
GEWEB02
GOS
EAIBTS02
GECOM01
GECOM02
GEEPI01
GEEPI02
GESQL01
GESQL02
GEWEB01
GEWEB02
IIS, Visual Source Safe
EBIZWEB
IIS,SQL Server
IVR01CGCFGE
IVR02CGCFGE
IIS;Optus Fax Server;
METRIXCGCFGE
internal web
MYSESWW3iB
Internet Bank
CARBONIX
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
KEVLARIX
OASIX
SS-01
SS-02
Internet Security Scanner
MYSESWGETAMIX
ITAM/CA unicenter
MYSESWINVENTIX
MYSESWVIVIX
Lotus Domino Server / PostgreSQL
BUTTERIXCGCFGE
INTRANIX
Markemy
MYSESWREMUS
MYSESWROMULUS
MOM Server
KATANIX
MS TeamFoundation Server
MYSESWMTFS01
MYSESWMTFSB01
MS TFS
MYSESWKODIX
NBSM
MYSEDVW2635
Networker
BACKUPIX
NOS

HP Global Method HP Restricted Page 48 of 51

CARBONIX
GECOM01
GECOM02
GEEPI01
GEEPI02
GEWEB01
GEWEB02
KEVLARIX
MYSESWW3IA
MYSESWW3iB
OASIX
Nova Batch Server
MYSEVWALPIX
Nova Batch Server; Nova
TORIX
Office Server Malmoe
SEMAL01CFLSGE
OFS
BAT
Opalis/Connect Direct/RoboFTP
FTHPROD
Oracle
MARTIX
TSUNAMIX
Oracle Application Server
MYSESWSERVIX
Partner Online
GEWEB01
GEWEB02
OASIX
Print Server
PRINTIX
Probe SM
MYSESWPROBIX
SAS
SUMPIX
Softgrid
MYSESWSFT01
MYSESWSFT02
Softgrid Sequenser
MYSEVWAPP04
SQL Server
MAN
SQL Server, 3 instances
SQLIX
Topaz monitoring Agent
TOPAZIX
Webtrends
SMARTIX
WMWARE ESX
CADABRIX
MYSESVMW03
MYSESVMW04
MYSESWQBIX
MYSESWVIRTIX
WMWARE GSX
ABRIX
Workflow
FLOWIX
VSS
SEVSVSS01

HP Global Method HP Restricted Page 49 of 51

WSUS DB/App
MYSESWGETAFIX
(blank)
BAT
CARBONIX
FRONTIX
HAVRIX
KEVLARIX
KORNIX
MYSESWCACTI
MYSESWRDP01
MYSESWSOAP01
MYSESWSOAP02
MYSEVWAPP00
MYSEVWCTXMGMT
SESTO19CFLSGE
SESTO20CFLSGE
SMARTCENTER01

HP Global Method HP Restricted Page 50 of 51

Appendix H Information Collection Questionnaire (for reference)

C:\PENTIRE\CUST\
HP Synstar GBC\GEMB\BIA\BIA Documents\BIA Spreadsheet GEMB 001.xls

HP Global Method HP Restricted Page 51 of 51

Low-Code/No-Code: Citizen Developers and the Surprising Future of Business Applications
From Everand
Low-Code/No-Code: Citizen Developers and the Surprising Future of Business Applications
Phil Simon
2.5/5 (2)
HP Case Study
0% (1)
HP Case Study
9 pages
Lab #7: Assessment Worksheet: Part A - Perform A Business Impact Analysis For An IT Infrastructure
No ratings yet
Lab #7: Assessment Worksheet: Part A - Perform A Business Impact Analysis For An IT Infrastructure
5 pages
Business Impact Analysis Template
No ratings yet
Business Impact Analysis Template
2 pages
RSAArcher 6.1 Business Impact Analysis Guide
100% (2)
RSAArcher 6.1 Business Impact Analysis Guide
38 pages
Dell Technologies Master PDF
No ratings yet
Dell Technologies Master PDF
75 pages
Introductory Booklet
100% (2)
Introductory Booklet
16 pages
Sample CTS
No ratings yet
Sample CTS
3 pages
Hewlett-Packard Company Business Impact Analysis Report For BCP Project Qiib
No ratings yet
Hewlett-Packard Company Business Impact Analysis Report For BCP Project Qiib
24 pages
Burgan Bank BIA Report 1.1a
No ratings yet
Burgan Bank BIA Report 1.1a
28 pages
Lab 7
No ratings yet
Lab 7
3 pages
Lab07_IAA202_HE181705_Nguyễn Xuân Phương
No ratings yet
Lab07_IAA202_HE181705_Nguyễn Xuân Phương
14 pages
Lab07_IAA202_HE181705_Nguyễn Xuân Phương
No ratings yet
Lab07_IAA202_HE181705_Nguyễn Xuân Phương
13 pages
lab07
No ratings yet
lab07
4 pages
Business Impact Analysistemplate
No ratings yet
Business Impact Analysistemplate
2 pages
Lab7 IAA202
No ratings yet
Lab7 IAA202
6 pages
Business Impact Analaysis
No ratings yet
Business Impact Analaysis
11 pages
Lab7 Iaa202
No ratings yet
Lab7 Iaa202
6 pages
RA Report 1.0
No ratings yet
RA Report 1.0
16 pages
ae_outsourcing_wp
No ratings yet
ae_outsourcing_wp
12 pages
BIA
No ratings yet
BIA
29 pages
Business Impact Analysis Template by SingleHop
No ratings yet
Business Impact Analysis Template by SingleHop
9 pages
Lecture 5 - Business Impact Analysis
No ratings yet
Lecture 5 - Business Impact Analysis
50 pages
SG2_v15.21_English_00729772
No ratings yet
SG2_v15.21_English_00729772
178 pages
Business Impact Analysis Template
No ratings yet
Business Impact Analysis Template
20 pages
Lab07 - IAA202
No ratings yet
Lab07 - IAA202
6 pages
Business Impact Analysis For Information Security
100% (1)
Business Impact Analysis For Information Security
15 pages
Laboratory7_Cao_Duc_Anh_HE180550_IAA202
No ratings yet
Laboratory7_Cao_Duc_Anh_HE180550_IAA202
12 pages
Isom Reviewer
No ratings yet
Isom Reviewer
35 pages
Lab 7
No ratings yet
Lab 7
6 pages
HP Enterprise_Pawel Lubasinski
No ratings yet
HP Enterprise_Pawel Lubasinski
34 pages
Lab 7
No ratings yet
Lab 7
5 pages
Module 9 - Technology and Architecture - 1.0
No ratings yet
Module 9 - Technology and Architecture - 1.0
32 pages
Business Impact Analysis For: (System Name)
No ratings yet
Business Impact Analysis For: (System Name)
7 pages
Servidores HP Rack DL
No ratings yet
Servidores HP Rack DL
20 pages
IA1804 IAA202 Nguyen Viet Quan HE171453 Lab7
No ratings yet
IA1804 IAA202 Nguyen Viet Quan HE171453 Lab7
13 pages
Business Impact Analysis BIA Information Security - (13p)
100% (1)
Business Impact Analysis BIA Information Security - (13p)
13 pages
Inoni FREE BIA Template 2018
No ratings yet
Inoni FREE BIA Template 2018
11 pages
Bia Bti PT PJB
100% (2)
Bia Bti PT PJB
23 pages
In 1934 After Graduating As Electrical Engineers From Stanford University, Bill Hewlett
No ratings yet
In 1934 After Graduating As Electrical Engineers From Stanford University, Bill Hewlett
8 pages
Ictsas505 V3
No ratings yet
Ictsas505 V3
52 pages
HP Services Npi
No ratings yet
HP Services Npi
23 pages
Cono Scan
100% (2)
Cono Scan
116 pages
He181243 Phạm Huy Hoàng Ia1807 Iaa202 Lab07
No ratings yet
He181243 Phạm Huy Hoàng Ia1807 Iaa202 Lab07
14 pages
IAA202 - Group1 - Lab 8
No ratings yet
IAA202 - Group1 - Lab 8
9 pages
Encompass BTO 21feb2007
No ratings yet
Encompass BTO 21feb2007
31 pages
HP ATA - IT For Business: Certification Guide
No ratings yet
HP ATA - IT For Business: Certification Guide
5 pages
Bridging The Gap Between ITIL V2 and ITIL V3: Roc Paez HP Education
No ratings yet
Bridging The Gap Between ITIL V2 and ITIL V3: Roc Paez HP Education
13 pages
Chapter 4 Lecture Topics (1)
No ratings yet
Chapter 4 Lecture Topics (1)
27 pages
4aa7 9622enw
No ratings yet
4aa7 9622enw
9 pages
STRATEGIC MANAGEMENT of IT_Unit - IV & V_2023
No ratings yet
STRATEGIC MANAGEMENT of IT_Unit - IV & V_2023
17 pages
Week3 BIA
No ratings yet
Week3 BIA
30 pages
HP Server Innovation
No ratings yet
HP Server Innovation
91 pages
CaoTienNgoc_HE172160_LAB08_IAA202
No ratings yet
CaoTienNgoc_HE172160_LAB08_IAA202
17 pages
Resume Ramses EnglishBAv13
No ratings yet
Resume Ramses EnglishBAv13
7 pages
Consultancy Report Hussain Almukhtar 201101942
No ratings yet
Consultancy Report Hussain Almukhtar 201101942
18 pages
Dương Văn Quyết-IAP301-LAB07
No ratings yet
Dương Văn Quyết-IAP301-LAB07
7 pages
HE187009 Hà Anh Tuấn Lab7
No ratings yet
HE187009 Hà Anh Tuấn Lab7
7 pages
HP Man BSM 920 BPIServerAdminGuide
No ratings yet
HP Man BSM 920 BPIServerAdminGuide
330 pages
Amarjeet Singh
No ratings yet
Amarjeet Singh
6 pages
1 Introduction To ITSM
No ratings yet
1 Introduction To ITSM
3 pages
Modernise Your Business-Critical Systems and Applications With The Cloud
No ratings yet
Modernise Your Business-Critical Systems and Applications With The Cloud
43 pages
Document 1
No ratings yet
Document 1
41 pages
LinuxKI 4.1 CURSO
No ratings yet
LinuxKI 4.1 CURSO
78 pages
SUSE Training and Certification HPE TechTalk-2016-09-15
No ratings yet
SUSE Training and Certification HPE TechTalk-2016-09-15
30 pages
Enterprise Business Continuity and Disaster Recovery Plan
No ratings yet
Enterprise Business Continuity and Disaster Recovery Plan
1 page
Aibel Risk Assessment Risk Analysis Questionnaire
No ratings yet
Aibel Risk Assessment Risk Analysis Questionnaire
17 pages
Strategy Definition 1.2
No ratings yet
Strategy Definition 1.2
24 pages
Security Value Map™: Next Generation Firewall (NGFW)
No ratings yet
Security Value Map™: Next Generation Firewall (NGFW)
1 page
Poweredge Fx2: With Fc640 and Fd332
No ratings yet
Poweredge Fx2: With Fc640 and Fd332
10 pages
Forrester - Total-Economic-Impact-Of-The-Dell-Boomi-Platform
No ratings yet
Forrester - Total-Economic-Impact-Of-The-Dell-Boomi-Platform
24 pages
Dell Technologies Hyperconverged Solutions: Modernize Your Infrastructure and Accelerate IT Transformation
No ratings yet
Dell Technologies Hyperconverged Solutions: Modernize Your Infrastructure and Accelerate IT Transformation
21 pages
Calalas Vs Court of Appeals 332 SCRA 356 May 31 2000 PDF
No ratings yet
Calalas Vs Court of Appeals 332 SCRA 356 May 31 2000 PDF
6 pages
Bail Application
No ratings yet
Bail Application
7 pages
United BF Homeowners Association Inc Aet Al V The City Mayor of Paranaque
No ratings yet
United BF Homeowners Association Inc Aet Al V The City Mayor of Paranaque
2 pages
Crystal Report Viewer 1
No ratings yet
Crystal Report Viewer 1
3 pages
JavaScript Frameworks for Modern Web Dev 1st Edition Tim Ambler Nicholas Cloud - Read the ebook now or download it for a full experience
100% (1)
JavaScript Frameworks for Modern Web Dev 1st Edition Tim Ambler Nicholas Cloud - Read the ebook now or download it for a full experience
73 pages
Cash and Cash Equivalents
No ratings yet
Cash and Cash Equivalents
52 pages
Foreign Exchange Management Act - Wikipedia
No ratings yet
Foreign Exchange Management Act - Wikipedia
29 pages
CRIM Artc 14 Cases
No ratings yet
CRIM Artc 14 Cases
63 pages
CHAPTER 14 Corporations Basic Considerations
No ratings yet
CHAPTER 14 Corporations Basic Considerations
8 pages
NIA - Sector Accounting
No ratings yet
NIA - Sector Accounting
20 pages
Centac C700: Innovation & Tradition
No ratings yet
Centac C700: Innovation & Tradition
2 pages
Toll Free Number FAQ
No ratings yet
Toll Free Number FAQ
5 pages
Guidelines On Petitions For Money Claim Filed With COA
100% (2)
Guidelines On Petitions For Money Claim Filed With COA
21 pages
CBN Exposure Draft on Baseline Standards for Automated AML Solutions
No ratings yet
CBN Exposure Draft on Baseline Standards for Automated AML Solutions
5 pages
Noe-Lacsamana v. Busmente, A.C. No. 7269
No ratings yet
Noe-Lacsamana v. Busmente, A.C. No. 7269
2 pages
Full Report - Unpacking Judicial Data To Track Implementation of The POCSO Act in Assam, Delhi & Haryana
No ratings yet
Full Report - Unpacking Judicial Data To Track Implementation of The POCSO Act in Assam, Delhi & Haryana
284 pages
Republic Act No 8293
No ratings yet
Republic Act No 8293
29 pages
The Third Pillar of Sound Money and Credit
No ratings yet
The Third Pillar of Sound Money and Credit
4 pages
Department of Agrarian Reform vs. Carriedo (GR No. 176549 January 20, 2016)
No ratings yet
Department of Agrarian Reform vs. Carriedo (GR No. 176549 January 20, 2016)
32 pages
Screenshot 2023-02-27 at 12.22.20 PM
No ratings yet
Screenshot 2023-02-27 at 12.22.20 PM
5 pages
Islamic Rulling on PCEX and CBEX - Shaykh Prof. AbdulRazzaq AbdulMajeed Alaro
No ratings yet
Islamic Rulling on PCEX and CBEX - Shaykh Prof. AbdulRazzaq AbdulMajeed Alaro
15 pages
I. Compliance With Laws, Rules and Regulations: Legal Department
No ratings yet
I. Compliance With Laws, Rules and Regulations: Legal Department
7 pages
Ga, Vanessa May C - Activity 6
No ratings yet
Ga, Vanessa May C - Activity 6
2 pages
June 1, 2012 Strathmore Times
No ratings yet
June 1, 2012 Strathmore Times
32 pages
Asif Ali Zardari-VS-The State 636957864906876544
No ratings yet
Asif Ali Zardari-VS-The State 636957864906876544
7 pages
Debate: Retraction of Rizal: Shirly Mae P. Gumaru Bscrim-1 Alpha
No ratings yet
Debate: Retraction of Rizal: Shirly Mae P. Gumaru Bscrim-1 Alpha
5 pages
Reading Material #2 in Forensic Accounting - Psychology of The Fraudsters
No ratings yet
Reading Material #2 in Forensic Accounting - Psychology of The Fraudsters
13 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.