In the past, the length of an acceptable outage or recovery time objective (RTO) was the sole recovery metric for an organization; it set the timetable for either obtaining replacement resources or providing them before they were needed. But more recently, the recovery point objective (RPO), or acceptable data loss, has become the other primary determinant because any RPO shorter than the time since the last backup necessitates prior arrangements, thereby achieving shortened RTO at the same time.
The business impact analysis also can be used to achieve other objectives within a company. First, a BIA can be used to prioritize the recovery sequence of applications, infrastructure, data and business functions. Second, a BIA can define the minimum operating requirements, or all the "stuff" a business needs to recover operations following a disruption. These things include IT resources, people, desks, chairs, etc. Third, and perhaps most important, a BIA presents the value proposition for implementing the appropriate level of recoverability. If it can be demonstrated that a disruption of x minutes, hours or days will have y effect on a company's operations, finances and reputation, then simple prudence calls for an organizational response, in the form of both a recovery plan and a recovery infrastructure, i.e., the a priori investments that must be made either to prevent a disruption or to mitigate its impact.
In the course of my career, I have performed a hundred or more business impact analyses for a wide range of clients: large and small, in the private and public sectors, and in finance, manufacturing, health sciences, retail and services. And I have learned to differentiate a successful BIA -- one that leads to management's approval of investment and the development of actionable recovery plans -- from reports that accumulate dust on managers' shelves. The difference is not the mechanics but the nuances of a BIA.
A business impact analysis should reflect the way an organization actually makes money/achieves its mission.
Surprisingly, many business managers do not understand how money flows through their organizations. They are focused on their own functions and fear the ramifications of not being able to do what they do under their usual circumstances. A business, particularly a large one, contains many interactive pieces, all of which must work together in normal times. Each piece is individually important, but the whole is indeed the sum of its parts.
Nonetheless, I have had many managers tell me that if their department does not make sales, ship products, keep the production line rolling, or update the general ledger just as routinely performed, then the whole edifice of the company will come tumbling down. Managers do not see that a sale not made today will be made tomorrow; that a shipment a day late will arrive only a day late; that there is enough reserve inventory to satisfy orders for several days. They do not see it because they are encouraged to be myopic in order to keep their functions moving as efficiently as possible in normal times.
The real value of a BIA is to identify those functions, usually unique to a company or an industry, that are specifically central to making money. Thus, some sales cannot be made tomorrow (think of brokerage orders, for example). Some shipments are indeed time critical, such as those of perishables. Some production facilities cannot be halted without a loss of revenue, such as power generation. (But accounting can always be deferred, at least for a while.) The results may show that some functions are so interconnected that less important ones are dragged along by the critical ones. But they may also show that some seemingly critical activities can be put off.
The front office usually underestimates its reliance on the back office; the back office usually overestimates its criticality.
The front office, i.e., the leadership of functions that are customer-facing or revenue-generating, often assumes that everything that happens after they are done occurs automatically on the back end. Computers process trades, book orders and pay people, don't they? It is not that they are ignorant of what happens in support functions. Rather, they sometimes discount the contributions of others when discussing their own business impact. If someone is incented to bring money in, they don't always recognize the contributions of others. Quarterbacks get the headlines, but they are only as good as their lines.
On the other hand, many in business functions that support the money-makers overstate their importance, especially in emergencies. They see all the detailed steps that must go right in order for the company to run smoothly, so they tend to overstate the degree of chaos that an extended disruption will bring if they cannot function as usual.
It is not surprising that neither the front nor the back office is a reliable judge of its own criticality. That is precisely the point of bringing in an independent business impact analysis. The lesson to be learned is to discount the biases of the people providing information to the analyst.
A business impact analysis should tell a story.
The easy part of a BIA is gathering data. The hard part is figuring out and communicating what all the data means. There is no advantage in presenting management with a torrent of figures and leaving them to make their own conclusions. A BIA should be written out in clear language, stating, for example, that "if a disruption lasts for x hours, this is what will happen…" It should be made clear to the recipient of a BIA report what the effects of disruptions of various durations and data losses will be.
A business impact analysis, by definition, tells the story of a possible event -- and not a happy one -- that has not and may never occur. Therefore, the value of the report is in the telling, of course backed up by figures and flow charts. Those, however, may be relegated to the appendix.
The broad outline of a strategy should be apparent in BIA results.
A BIA presents requirements for disaster recovery plans. The narrative outline for a BIA strategy should go as follows: 1) We rely on x [data centers, offices, people, network capacity, etc.] to do business. 2) We only have y available to us. 3) We cannot obtain x minus y in a reasonable timeframe. 4) Therefore we need to arrange for alternate data centers, working premises, personnel, bandwidth, etc., in advance of a disruption.
Item number four is the basis of the BIA strategy. Or, more properly, it is the beginning of the strategy. For example, once it is made self-evident that an alternate data center is a requirement, there are other steps an organization needs to take to properly prepare for a disaster, i.e., size the DR facility, decide on internal vs. outsourced solutions, determine how to get data from one site to another, and so on. The important message of a BIA is that the status quo will not suffice and that some investment is essential. Further analysis will balance the competing imperatives of risk reduction, capital expenditure, service availability, operating expense and P&L impact. If management does not see the big picture, they surely will not accept the details.
A BIA must consider others' disruptions.
The interconnectedness of businesses today necessitates concern for third parties. Admittedly, this is not a novel observation. Surprising, though, is the range of interdependence in businesses. For example, the EVP of a major bank noted that his bank keeps a lot of its secondary data stored on paper. Even in this digital era, his bank could not get along without all its printed reports, copies, checks and invoices. Paper may not be an evident critical resource, but this man understood what was really needed to run his business, and how much more paper would be needed if information systems were not running normally.
Moreover, not all third parties are suppliers; they include customers as well. In many businesses a few customers produce an outsized share of their revenue. A BIA should provide a picture of the impact on an organization if the usual buyers cannot buy. Some manufacturers are so dominated by a few retailers, for example, that they have whole divisions dedicated to those customers. Those divisions need to advise on the impact not only of loss of resources they need but the ones their customers need as well.
A business impact analysis is a means to an end, that being recoverability, if not resilience. The quality of a BIA should therefore be judged not on what it says but on what it accomplishes.
About this author: Steven Ross is an Executive Principal of Risk Masters Inc. and holds certification as a Master Business Continuity Professional (MBCP). He is a specialist in Business Continuity Management, Crisis Management and IT Disaster Recovery Planning. He is editor of the multi-volume series, "e-Commerce Security," and author of several of the books in the series, including "e-Commerce Security: Business Continuity Planning."
This was first published in March 2010