A business impact analysis (BIA) is the cornerstone of a disaster recovery (DR) strategy and plan. A BIA will identify the processes, systems and functions that are critical to the survival of your company. Understanding
A business impact analysis is an analytic process that aims to reveal the business impacts that would result when a critical process exceeds its maximum allowable outage.
To start, you need to understand the business operations of your company in detail. Here is a simple step-by-step approach that will put you on your way to conducting a successful business impact analysis:
1. Get support from senior management for the exercise. You will then be able to meet with the operations-level managers that know enough detail about the processes to be helpful to the program. It's hard to get people's time and even harder to get follow up for a business continuity plan (BCP) without this support.
2. Hold a kickoff meeting with the managers responsible for the core business processes and introduce the program goals, timelines and deliverables.
3. Collect data. Create a business impact analysis questionnaire, which you will distribute at the meeting to all managers. Instruct each manager on how to complete the document. Make it clear that you will be following up with each manager on an individual basis to review the document. See the sidebar to the left for more information about creating a BIA questionnaire.
4. Document the gross revenue and net profit your organization generates per year. This can be done at the appropriate business unit levels as well. The data sets the upper limit for business losses related to the business operation. Include this on your presentations to drive home the importance of the program.
5. Meet with each manager and review the data collected. If needed, block off a couple of hours to help complete and refine the document with the manager.
6. Merge all the data into a spreadsheet or database for easy data analysis and reporting capability.
7. Schedule and conduct a "BIA review and prioritization meeting" with all managers participating in the program. Look for gaps not mentioned by the departments, especially between departments. Prioritize each process based on impact to the business, both direct and indirect as the process may be critical dependency for another process. High, medium and low can be used as measures.
8. During the prioritization discussion you will need to document a recovery time objective (RTO) for each process. The RTO defines the time to return the process to normal operation before impact results to the business and is generally measured in hours.
9. Create groups or bands of process RTOs. Start with the shortest allowable RTO first and then define the upper limits not to exceed 24 hours. These items constitute the Tier 0 RTOs. The next band of RTOs is the Tier 1 group. This group generally extends from 24 to 48 hours. Recovery point objectives (RPOs) are different as they deal more with data recovery and are used more in a "data protection strategy" context. They are also usually measured in minutes to hours as in the case of a production database. It may have an RPO of 20 minutes between scheduled replications.
10. Lastly, convene a summary meeting to present the results of the program to senior management, managers and others core to the processes at topic. You will want to present the business processes in order of RTO and importance, along with the other process details collected during the program. Issue a final report to meeting attendees to reinforce the learning and memory of the participants. Make the report available in hard copy to use in the event of an actual outage to help prioritize actions to resume operations.
The business impact analysis report ideally provides a foundation for the business continuity plan that should follow this exercise. It can also provide an important input to risk management programs that may follow, now that you have insights into where business risk lives.
About the author: George Wrenn, CISSP, ISSEP, is frequent contributor to SearchSecurity.com
and Information Security magazine. He served as a Director of Security in the financial services
industry and is now a consulting security expert. He's also a Six Sigma Black Belt, a Harvard grad
and was trained in cryptography at MIT. He can be reached at firstname.lastname@example.org.
This was first published in October 2008