- Overview
- Interview with Dr. Cole
- Student Comments
- Domain 1: Access
- Domain 2: Network
- Domain 3: Management
- Domain 4: Application
- Domain 5: Cryptography
- Domain 6: Architecture
- Domain 7: Operations
- Domain 8: Planning
- Domain 9: Law
- Domain 10: Physical
- Business Impact Analysis
- Category: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Author: Franklin Fletcher
Date Added: February 6th, 2007
Introduction
The Business Impact Analysis (BIA) is the foundation for any business continuity program within an organization. A BIA is required in the generation of a business continuity or disaster recovery plan. It allows management to identify its organization's most critical business and Information Technology (IT) processes. A BIA also captures the timeframe that the business unit must complete and supply its deliverables to its customers along with the resources required to continue operations.
BIA Process
The development of an initial BIA goes through various phases and should be approached as a project (unique initiative with a defined start and finish). The process involves the following steps:
- Project planning
- Data gathering
- Data analysis
- Documentation of the findings
- Management review and signoff
Project Planning
The first step in the creation of a BIA is to gain commitment from senior management. Senior management needs to set the objectives of the BIA project, as its members play a pivotal role in the final phase, which involves setting priorities and signoff on the project deliverables. Because the BIA requires input across the organization, senior management needs to ensure that the entire organization accepts the process and is responsive to the project team.
A project team needs to be assembled. The IT department is often the group that leads the BIA project. The BIA project team members must include the business line and middle managers that understand the overall objectives of the organization and are familiar with the day-to-day operations for which they are responsible. Theses managers must also articulate the impact of an interruption to their business processes.
Data Gathering
The data gathering phase identifies the critical business function(s) and the tools and expertise required to perform each of them. The data is primarily gathered through an interview process, which can include face-to-face interviews, questionnaires, or conference calls. Depending on the business unit, the types of questions asked can vary. Each business unit manager must examine his individual business unit's processes, team needs, and internal and external dependencies. The manager must then determine the supporting documentation and computing resources that are needed to allow each business unit to accomplish its individual tasks in a timely fashion. Frequently, the managers find other information they need to collect or backup to resume their respective business function (for example, a manager finds out that no one knew the phone number for a contractor that was in the critical path for the operation).
The following outlines the key data that must be gathered:
- Business unit details, such as number of customers, transactions, total revenue, number of employees, purpose of the business unit, and critical operations performed.
- Financial (quantitative) and intangible (qualitative) costs associated with a business interruption on a daily basis and how it can change projected over time.
- Personnel requirements to support the business unit's business function after an event. It is often assumed that after an event, less staff is required in recovery mode. It should be noted that normal levels or even increased levels of staffing resources might be required.
- Critical systems and applications that support the business unit. This includes computing platforms and software.
- Recovery Time Objectives (RTO), which is the period of time within which systems, activities, applications, or functions must be recovered after an outage for critical functions.
- Recovery Point Objectives (RPO), which is the maximum amount of data loss the business unit can sustain during an event.
- The critical deadline(s) associated with the business unit.
- The alternate processing contingencies. In the event that primary systems are not available, the business must identify these alternate processing contingencies. This includes any temporary manual coping methods and the length of time that they can be used to support the business function.
- Seasonal and time of day requirements for a particular process.
- Key management, vendor, and staff contact information. This includes validated phone numbers, addresses, and emergency contact information.
- Office space and equipment requirements to support staff during the recovery period.
- Documentation requirements to continue the business function. If stored off site, how can they be accessed?
- Alternate site options for staff in the event the primary location is unavailable.
- Internal and external dependencies for work flow.
- Work inputs and output (reports).
- Remote access (telecommute) options that are available for critical staff. Listing of staff members equipped with remote access software and accounts.
- Regulatory requirements that impact the business unit, such as HIPPA or SOX, which impact the business unit.
- Contractual obligations to vendors and or customers
- Business opportunity loss due to an event. Will the business unit be able to generate new business? For example, a sales organization with the inability to provide quotes after an event. What are the competitive impacts if the business function is unavailable?
- Future business function changes (systems, organizational, personnel, procedures, and so on).
Data Analysis
The data analysis phase observes the data that was gathered and translates it into quantitative numbers, which allow the organization to understand the amount of time it can tolerate an extended outage. After key data is gathered, criticality levels need to be determined for all business and IT functions in the business unit. The following is a sample matrix that lists the various criticality levels and some recovery methods based on recovery time/point objectives:
| Criticality Level | Recovery Objective | Possible Recovery Method |
|---|---|---|
| Level 1: The business process must be available during all business hours. | > 2 hours | Data replication |
| Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. | 2 hours to 24 hours | Data shadowing |
| Level 3: The business function can survive for one to three days with a data loss of one day. | 24 to 72 hours | Tape recovery at an off site facility |
| Level 4: Business unit can survive without the business function for an extended period of time. | 72 hours plus | Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility |
Note: Each organization has to determine its own criticality levels and how they are defined.
Documentation of Findings and Senior Management Review
The BIA report is a document that goes to senior management and lists the findings with recommendations. The BIA report includes a listing of critical IT and business functions with criticality levels. Recovery time objectives over time and recovery point objectives need to be presented. The potential financial (quantitative) loss by business unit, projected over time, needs to be clearly estimated for senior management. This includes loss of revenue, share price impact, fines and penalties. The intangible costs (qualitative), such as loss of market share, life and safety, reputation, and employee morale, is also articulated in the report.
The BIA report should include minimum human and physical resources required to support the business unit over time. Senior management has to provide an organization-wide perspective, as most business unit managers often see their functions as being the most critical to run the organization. Senior management has to level set and provide guidance in the selection of recovery methods and priorities.
BIA as an Ongoing Process
The initial BIA should be approached as a project. One needs to remember that the organization changes over time, as it adds and removes business units and establishes new priorities and recovery technology changes. The BIA must remain in step with the organization. =The organization should review its BIA on a regular basis to ensure that it is still relevant to the organization.
After the BIA is completed, the business continuity and disaster recovery plan process needs to be initiated. If plans are already in place, they need to be reviewed for any gaps and updated as required based on the BIA report. The BIA provides the relevant data to put in place the recovery methods based on the business unit requirements.
Summary
Some of the key benefits that are derived from a BIA include a better understanding of the financial and intangible impacts of an extended outage and the ability to review the most critical functions and processes within the organization. In addition, the business can identify vital resources that support its operations, point to the proper recovery strategies and identify what are the business processes and assets that require the most protection. A BIA is helpful to senior management, as it allows the managers to review a systematic process of evaluating their organization's risk and their ability to recover.
References
"Best Practices for Conducting a Business Impact Analysis" Gartner Research ID#G00141260 http://gartner.com
"Generally Accepted Practices Business Impact Analysis" Disaster Recovery Institute http://drii.org
SunGard Availability Services http://sungard.com
