Conducting a business impact analysis (BIA) is often viewed as an exercise that is exclusive to enterprise-class organizations with seemingly limitless funds for consulting services. Large consulting firms often spend
These projects are time-consuming and costly because of the complexity of large companies, which rely on dozens of core functions and sometimes hundreds of support functions. Take for example an airline that has a reservation system, check-in, baggage handling, refueling, maintenance, in-flight catering, customer service, marketing and the multitude of secondary functions that support the core business activity. Now try to imagine the impact of the interruption of one or many of these functions on the organization as whole; what are the immediate financial losses, cumulative losses and long-term effects?
SMBs have the same requirements, albeit on a smaller scale; they must stay in business.
Identify core business functions
The first step is to identify the core business functions; these are the functions that have the most impact on the revenue stream. You can then create a list of support functions for those core functions. This is a business process mapping exercise that is essential to gaining an understanding of how the business actually works. At this point in the process, you must resist the temptation of downplaying the criticality of a function because you already have a workaround in mind should that particular function be interrupted. This is jumping ahead into "solution mode", which comes later in the business continuity planning process as part of the recovery strategy.
This is where most BIA efforts appear to stall for smaller organizations because it is sometimes difficult to clearly establish financial losses in the event of an unplanned interruption or disaster. For most companies, a single business function is rarely responsible for generating the entire revenue stream. This is where your accounting people can help by putting some revenue and cost perspective around business activity. Some of the losses to consider include:
- The cost per hour or per day for an idle workforce
- Lost sales for services or goods with no inventory
- Future losses caused by depletion of current inventory
- Post-recovery work backlog (cost to catch up)
- Lost opportunities
- Penalties for breach of contract or missed service levels
This is the impact that is the most difficult to quantify because it does not necessarily translate into immediate financial loses. This includes negative impact on reputation and customer confidence. The value of a brand is difficult to calculate, but should a service interruption be severe enough to cause some of your clients to seek services elsewhere, this can now be quantified with a future dollar value.
Although difficult to calculate, this impact is probably the most severe. You must try to estimate what impact not being able to service you customers for one or two weeks will have on your business over the next five years or more. Depending on the industry and market conditions, the impact could range from significant losses to an unrecoverable business failure.
Essentially, the goal is to develop an understanding of the immediate and long-term financial losses so you can build an appropriate recovery strategy. The key factor is that the cost of the recovery strategy should never exceed the losses it is designed to prevent. Common sense is that you don't build a $20 fence to keep a $10 horse!
This is where you map your IT infrastructure to the business functions it supports. Understanding the relationship between a business function, the software application necessary to keep that function running and the IT systems and component that support the application will allow you to set recovery objectives for IT. These objectives are known as recovery time objective (RTO) and recovery point objective (RPO), and are a set based on the maximum tolerable losses resulting from an unplanned interruption or disaster. These objectives also dictate the type of IT technology that must deployed to ensure the availability or recoverability of systems within the established timeframe.
Risk and probability of occurrence
Of course, when discussing the potential impact of a disaster on a business, the next logical question before deploying a bulletproof IT architecture is: "What are the chances of a disaster actually striking?" There is an assumption that if a company is conducting a BIA and has already engaged in disaster recovery or business continuity planning activities, then there is an acknowledgment that a certain risk exists. There is an option to accept that risk as present, act upon that knowledge and take measures to ensure recoverability. Alternatively, a company may choose to further investigate the risks and probability of occurrence by conducting a risk assessment.
About the author: Pierre Dorion is the Data Center Practice Director and a Senior Consultant with Long View Systems Inc. in Phoenix, AZ, specializing in the areas of business continuity and disaster recovery planning services, and corporate data protection.
Do you have comments on this tip? Let us know. Please let others know how useful this tip was via the rating scale below.
Do you know a helpful storage tip, timesaver or workaround? Email the editors to talk about writing for SearchDisasterRecovery.com.
This was first published in November 2008