How to create a business impact analysis for disaster recovery in 10 easy steps

A business impact analysis is an analytic process that aims to reveal the business impacts that would result when a critical process exceeds its maximum allowable outage.

To start, you need to understand the business operations of your company in detail. Here is a simple step-by-step approach that will put you on your way to conducting a successful business impact analysis:

1. Get support from senior management for the exercise. You will then be able to meet with the operations-level managers that know enough detail about the...

RELATED CONTENT Disaster recovery tips Disaster recovery career strategies: Advice for DR and business continuity professionals Business impact and risk assessments in IT disaster recovery planning Evaluating your disaster recovery program's maturity level The pros and cons of IT disaster recovery outsourcing The importance of incident response plans in disaster recovery Disaster recovery best practices: Avoiding DR interdependency predicaments Top 10 IT disaster recovery planning tips of 2009 Top five IT business continuity planning and management tips of 2009 Top 10 business continuity and disaster recovery management trends in 2009 Leveraging cloud computing for disaster recovery purposes Disaster Recovery Planning/Management Disaster recovery career strategies: Advice for DR and business continuity professionals What is change management and how does it relate to disaster recovery? Continuity Software adds disaster recovery service-level agreement management to RecoverGuard Business impact and risk assessments in IT disaster recovery planning Five key business continuity technologies to support BC planning in 2010 What advice do you have on disaster recovery and security for mobile devices? Using data deduplication products as part of an IT disaster recovery strategy IT disaster recovery statistics point to purchasing of more data backup tools Disaster recovery strategies for server virtualization technology Evaluating your disaster recovery program's maturity level

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

processes to be helpful to the program. It's hard to get people's time and even harder to get follow up for a business continuity plan (BCP) without this support.

2. Hold a kickoff meeting with the managers responsible for the core business processes and introduce the program goals, timelines and deliverables.

3. Collect data. Create a business impact analysis questionnaire, which you will distribute at the meeting to all managers. Instruct each manager on how to complete the document. Make it clear that you will be following up with each manager on an individual basis to review the document. See the sidebar to the left for more information about creating a BIA questionnaire.

4. Document the gross revenue and net profit your organization generates per year. This can be done at the appropriate business unit levels as well. The data sets the upper limit for business losses related to the business operation. Include this on your presentations to drive home the importance of the program.

5. Meet with each manager and review the data collected. If needed, block off a couple of hours to help complete and refine the document with the manager.

6. Merge all the data into a spreadsheet or database for easy data analysis and reporting capability.

7. Schedule and conduct a "BIA review and prioritization meeting" with all managers participating in the program. Look for gaps not mentioned by the departments, especially between departments. Prioritize each process based on impact to the business, both direct and indirect as the process may be critical dependency for another process. High, medium and low can be used as measures.

8. During the prioritization discussion you will need to document a recovery time objective (RTO) for each process. The RTO defines the time to return the process to normal operation before impact results to the business and is generally measured in hours.

9. Create groups or bands of process RTOs. Start with the shortest allowable RTO first and then define the upper limits not to exceed 24 hours. These items constitute the Tier 0 RTOs. The next band of RTOs is the Tier 1 group. This group generally extends from 24 to 48 hours. Recovery point objectives (RPOs) are different as they deal more with data recovery and are used more in a "data protection strategy" context. They are also usually measured in minutes to hours as in the case of a production database. It may have an RPO of 20 minutes between scheduled replications.

10. Lastly, convene a summary meeting to present the results of the program to senior management, managers and others core to the processes at topic. You will want to present the business processes in order of RTO and importance, along with the other process details collected during the program. Issue a final report to meeting attendees to reinforce the learning and memory of the participants. Make the report available in hard copy to use in the event of an actual outage to help prioritize actions to resume operations.

The business impact analysis report ideally provides a foundation for the business continuity plan that should follow this exercise. It can also provide an important input to risk management programs that may follow, now that you have insights into where business risk lives.

About the author: George Wrenn, CISSP, ISSEP, is frequent contributor to SearchSecurity.com and Information Security magazine. He served as a Director of Security in the financial services industry and is now a consulting security expert. He's also a Six Sigma Black Belt, a Harvard grad and was trained in cryptography at MIT. He can be reached at mitalum@mac.com.

Rate this Tip To rate tips, you must be a member of SearchDisasterRecovery.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.