What are the five most important things to consider when conducting business impact assessments?
The assessment must be approached from a business perspective rather than an IT perspective:
- Identify the key services a company provides. These can be internal services such as payroll and inventory or external services such as production, sales and transaction processing.
- Identify the tools used to provide those key services. These tools, also known as dependencies, can be a process, staff, a phone system, an application, etc.
- Determine the maximum length of time a key service can be interrupted before the company starts incurring financial losses or is impacted in other ways. This will dictate the service's resumption or recovery objective. We can now start drawing a parallel between the recovery objective for a service and the recovery objective for the application(s) on which the service depends; this becomes the recovery time objective (RTO).
- The impact, financial or otherwise, must be quantified or rated in order to rank criticality and recovery priority.
- Use the output of the risk assessment in conjunction with the business impact assessment to determine the appropriate risk mitigation or recovery strategy.