Disaster recovery planning is a multi-stage process, and one of the most vital of those stages is the business impact analysis (BIA). A business impact analysis is where you research the likely impact of a disruption to your organisation in terms of loss of business, effects on your reputation, loss of staff and loss of data. In some ways it is the heart of the disaster recovery planning process, because it is during the business impact analysis that you will determine the precise effects of disaster on your organisation.
In this interview, SearchStorage.co.UK Bureau Chief Antony Adshead speaks with Paul Kirvan, board member with the Business Continuity Institute, about where a business impact analysis fits into the disaster recovery process, its aims and the key steps you should go through to undertake one.
Read the transcript below or listen to the podcast on business impact analysis.
SearchStorage.co.UK: What is a business impact analysis, where does it fit in the DR process, and what are its aims?
Kirvan: According to British Standard BS 25999 Part 2, a business impact analysis ... is the process of analysing business functions and the effect that a business disruption might have upon them. Consequences of a disruption can include financial loss, reputational loss and loss of competitive position; this is in addition to potential loss of staff, loss of data and even loss of access to buildings.
BIAs are usually performed after the DR project has been launched and prior to starting risk assessments. The BIA aims to identify critical business functions and the impact of a disruption to them and provides an important starting point for defining disaster recovery strategies that are used to respond to disruptive events.
According to BS 25999, once BIAs are completed, the next step is to conduct risk assessments of the enterprise, its business units, operational infrastructure, internal and external risks and threats, and an analysis of any vulnerabilities. The BIA defines those parts of the enterprise that are deemed most critical. The risk analysis identifies and quantifies the risks, both internal and external, that threaten the operation of critical business units and processes defined by the BIA.
SearchStorage.co.UK: What is involved in carrying out a business impact analysis?
Kirvan: BIAs require … a significant amount of data gathering, interviewing and analysis. Detailed questionnaires must be prepared, and interviews must be scheduled with key members of the organisation. Research identifies activities that support the organisation’s key products and services, identifies impacts resulting from the disruption to these activities, determines how these vary over time, establishes how long the organisation can operate in the aftermath of a disruption, and defines the minimum operational levels the organisation needs to function.
The BIA seeks to categorise and prioritise business activities for recovery, identify all internal and external dependencies associated with critical activities, determine the amount of time required to resume critical activities, and estimate the resources that each critical activity will require for resumption of business.
The BIA process is probably the longest-running and also the most critical among all business continuity activities. … The reason for this is that the discovery [is extensive] to gather relevant information about individual business units; the processes they perform; the systems and technology they use; the employees in the unit and their roles; and the unit’s relationship to other internal departments and external organizations, such as vendors and regulatory organisations.
Among the findings in a BIA are the people, process and technology requirements needed to support critical business functions. From this information we also obtain metrics called recovery time objectives, or RTOs. RTOs … estimate the maximum amount of time the business unit and/or business function has in which to recover its systems, processes and people and then resume operations as close to normal as possible, given the circumstances of the disruption.
Another BIA activity that is often a challenge is to determine the revenue impact of a particular business function. For example, total loss of a critical manufacturing function could result in a loss of millions of dollars in annual turnover. Other functions, such as accounting, may not have a direct relationship to revenue generation, but they’re still critical, and their value to the organisation is undisputed.
Still another goal in a BIA is to identify the relationships and dependencies a business function has with other activities, both internal and external to the organisation. This means defining what a critical business function needs from internal departments, such as human relations or IT, as well as external entities, such as vendors and supply chains.
The degree of importance of relationships and dependencies varies with each business function. For example, a critical relationship and dependency for manufacturing might be the facilities management department. Facilities management ensures that such things as electrical power, [HVAC] and fire protection are in place to support manufacturing.
A simple way to collect and organise the discovery data is to use a standard spreadsheet that can be organized to provide a place to store results of interviews, which can list each business unit and provide a detailed description of its processes; financial estimates (such as the annual turnover directly impacted by the business unit); time scales for how quickly systems need to be recovered and restored; minimum inventories of office space, furniture, systems and utilities, and office supplies to resume operations; and a host of other items that need to be addressed following a disruptive event.
Once the interview results have been posted to the spreadsheet, the analysis can then proceed. The goals of the analysis are to identify the most critical business functions; the people, processes and technology needed for that function to operate properly; and the time scales within which the business function must be recovered so that the organisation can resume operations.
The results of the BIA must be reviewed with and approved by senior management, because the results will be used to formulate business continuity and disaster recovery strategies and plans.
This was first published in May 2011