What are the five most important things to consider when conducting business impact assessments?
The assessment must be approached from a business perspective rather than an IT perspective:
- Identify the key services a company provides. These can be internal services such as payroll and inventory or external services such as production, sales and transaction processing.
- Identify the tools used to provide those key services. These tools, also known as dependencies, can be a process, staff, a phone system, an application, etc.
- Determine the maximum length of time a key service can be interrupted before the company starts incurring financial losses or is impacted in other ways. This will dictate the service's resumption or recovery objective. We can now start drawing a parallel between the recovery objective for a service and the recovery objective for the application(s) on which the service depends; this becomes the recovery time objective (RTO).
- Quantify or rate the impact, financial or otherwise, in order to rank criticality and recovery priority.
- Use the output of the risk assessment in conjunction with the business impact assessment to determine the appropriate risk mitigation or recovery strategy.
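
The steps above can be worked through as a small calculation. This is an added example, not part of the original answer. The service data, the 1-to-5 impact scale, the rule that a dependency inherits the tightest objective of any service using it, and the recovery estimates are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    max_outage_hours: float  # longest tolerable interruption before losses start
    impact: int              # assumed rating scale: 1 (low) to 5 (severe)
    dependencies: list       # tools the service relies on

# Constructed sample data, not taken from any real assessment.
SERVICES = [
    Service("payroll", 72, 3, ["hr-app", "staff", "database"]),
    Service("transaction processing", 4, 5,
            ["payments-app", "database", "phone system"]),
    Service("inventory", 24, 2, ["inventory-app", "database"]),
]

# Constructed estimates of how quickly each dependency can be restored today,
# standing in for the output of the risk assessment.
ACHIEVABLE_HOURS = {"database": 8, "payments-app": 2, "phone system": 1,
                    "hr-app": 48, "staff": 24, "inventory-app": 36}

def dependency_rto(services):
    """Map each dependency to (RTO hours, highest impact, services using it).

    Assumption: a shared dependency must meet the tightest recovery
    objective and carries the highest impact of the services it supports.
    """
    result = {}
    for svc in services:
        for dep in svc.dependencies:
            hours, impact, users = result.get(dep, (float("inf"), 0, []))
            result[dep] = (min(hours, svc.max_outage_hours),
                           max(impact, svc.impact),
                           users + [svc.name])
    return result

def recovery_order(services):
    """Rank dependencies: highest impact first, then shortest RTO, then name."""
    rto = dependency_rto(services)
    return sorted(rto, key=lambda d: (-rto[d][1], rto[d][0], d))

def recovery_gaps(services, achievable):
    """Dependencies whose achievable recovery time exceeds their RTO.

    A dependency with no estimate is treated as a gap.
    """
    rto = dependency_rto(services)
    return {dep: (achievable.get(dep, float("inf")), hours)
            for dep, (hours, _, _) in rto.items()
            if achievable.get(dep, float("inf")) > hours}

if __name__ == "__main__":
    print(recovery_order(SERVICES))
    print(recovery_gaps(SERVICES, ACHIEVABLE_HOURS))
```

The gaps returned by `recovery_gaps` are the items that need a mitigation or recovery strategy, since current capability does not meet the objective derived from the business side.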
This was first published in August 2012