Business impact analysis
Business Impact Analysis is a process designed to prioritize business functions by assessing the potential quantitative (financial) or qualitative (non-financial) impact that might result if an organization were to experience a business continuity event.
Before any disaster recovery plan can be created, an organization must thoroughly review and understand general business operations and drivers and the impact on the business if one or more of these drivers are affected. Such understanding is accomplished via a business impact analysis, which should be organized by the person ultimately responsible for creating the disaster response and recovery plan—the disaster recovery planner.
Examples of drivers to be examined in a business impact analysis include:
- Finances: What does a business interruption cost the corporation? A planner must consider all scenarios. If a critical system fails, the company will incur a cost; historically, this cost has been underestimated. Costs for unavailable critical assets (e.g., data, people, buildings) must be determined more accurately. There are several ways to calculate these downtime costs; a good website that offers some guidance is Tech Republic. The U.S. government’s Federal Emergency Management Agency (FEMA) is also a good reference.
- Contractual obligations: In the past, if a company’s system failed, it could simply recover it and continue. Now, many enterprises have business relationships that require partners to communicate electronically, so this is no longer an option. Partners depend on each other’s systems, and as systems interact as intranet or extranet services, a great deal of exposure results. In many cases, if one system fails, orders will not be processed and contracts will not be fulfilled. A response and recovery plan should account for this and assure all involved that the enterprise and its partners are protected from supply chain interruption.
- Regulatory issues: Many enterprises are governed or audited by regulatory agencies and/or policies. In the banking industry, for example, state and federal laws prescribe redundancy behaviors to protect customers. The FDIC mandates that banks, savings and loans, and others be able to survive outages and interruptions. They must have adequate backup strategies along with documented and tested procedures that protect data from loss. The SEC oversees publicly held companies via auditors knowledgeable in business continuity to protect shareholder value in case of a business interruption. Additionally, the IRS requires corporations and individuals to retain tax data and documents.
- Legal issues: Legal counsel should approve any recovery plan. A company that is required to maintain a disaster recovery plan but does not could be in violation of the law and held accountable.
- Standards: Whatever path an organization chooses for business continuity, it must follow standards as much as possible to ensure operation and compatibility with all enterprise locations (e.g., the central site must be compatible with the backup site).
Steps to Creating a Business Impact Analysis
Developing a business impact analysis and carrying it out can be a difficult and time-consuming task. Since the amount of information can be overwhelming, organizations should assign a team to handle it. The disaster recovery planner often acts as team leader and should invite each department head’s input to be as thorough as possible.
Building the Team
Only personnel necessary to business recovery should be involved in the business impact analysis. The team should be small enough to be manageable yet large enough to get all necessary information.
The organization’s Board of Directors will typically help choose the team. The board has ultimate responsibility to stockholders and for the welfare of the stock valuation. If stock prices decrease due to a business interruption and an inappropriate or nonexistent business continuation process, board members could be held accountable. The board initiates the business continuation plan, but increasingly, board members are requiring management to execute the business continuation process. Management then reports progress at future board meetings.
At least once a year, the board should authorize an audit of the corporate finances. The auditors require that a business continuity plan (BCP) be on file and that the plan be fully tested for compliance, to assure stockholders that due diligence has been performed.
Performing the Business Impact Analysis
Once the Board of Directors establishes the need to protect shareholder value, corporate officers are responsible for making it happen. One of the biggest complaints by disaster recovery planners (DRPs) is that they have no money with which to build a continuity solution. If all is done correctly, the Chief Financial Officer (CFO) will allocate a budget for this purpose based on what the Chief Information Officer, the Chief Compliance or Security Officer, or perhaps the Chief Operating Officer prescribes. Senior management and corporate officers hold the key to successful strategies; the challenge is to convince them that business survival depends on what is done or not done. Next, individual department heads and managers must direct the appropriate personnel to begin planning, implementing, and initiating ongoing operations and maintenance. All levels of management must endorse the endeavor for it to be successful.
The Risk and Threat Analyses
A risk analysis evaluates all of an organization’s assets (e.g., facilities, systems, applications, data, and people) and determines how critical each one is to the company’s survival. The critical assets receive the most attention during recovery and have the greatest share of the recovery budget. Examples of evaluation criteria are:
- Critical: A company cannot survive without its critical assets—those that pay the bills and create cash flow. Examples include customer-facing applications such as customer relationship management (CRM), enterprise resource planning (ERP), and supply chain management (SCM), as well as e-commerce applications such as online ordering or bill-paying programs and others that generate revenue.
- Vital: Vital assets have significant corporate investment and should be protected. Examples might include inventory control and management.
- Sensitive: Sensitive assets are typically used for normal business purposes and can be restored easily. Examples include source documents, human resources, and benefits administration.
- Non-critical: These resources can readily be replaced with minimal cost. An example is employee job postings on an internal server.
Once the risks are understood, analyze the potential threats—the likely events that could negatively affect operations. Threats include natural disasters (e.g., fire, flood, hurricanes, tornadoes), human intervention (e.g., terrorists and hackers), and infrastructure failures such as loss of power, water, or telecommunications. Categorize threats according to their likelihood of occurrence.
- High: This category identifies a threat as highly probable. A data center located at sea level in Florida may very likely experience flooding from tidal surges during hurricanes.
- Moderate: This category reflects a possible threat. A data center in Phoenix, Arizona is not in danger of hurricane-induced tidal surges, but monsoonal floods are possible.
- Low: This category reflects an unlikely threat. A data center on the twelfth floor of the Sears Tower will not experience tidal surges or monsoonal floods.
The threat analysis process is performed for each possible threat. Ultimately, a disaster could have only local impact (e.g., power failure), or it could have a global impact (e.g., terrorist attack). Intelligent risk and threat analyses are crucial for an organization to understand how to prepare for possible disasters.
Once the risk and threat analyses are performed, the next step is the business continuity plan.