Business Impact Analysis


Academic year: 2021


Franklin Fletcher


Introduction

The Business Impact Analysis (BIA) is the foundation for any business continuity program within an organization. A BIA is required in the generation of a business continuity or disaster recovery plan. It allows management to identify its organization’s most critical business and Information Technology (IT) processes. A BIA also captures the timeframe within which the business unit must complete and supply its deliverables to its customers, along with the resources required to continue operations.

BIA Process

The development of an initial BIA goes through various phases and should be approached as a project (unique initiative with a defined start and finish). The process involves the following steps:

• Project planning

• Data gathering

• Data analysis

• Documentation of the findings

• Management review and signoff

Project Planning

The first step in the creation of a BIA is to gain commitment from senior management. Senior management needs to set the objectives of the BIA project, as its members play a pivotal role in the final phase, which involves setting priorities and signoff on the project deliverables. Because the BIA requires input across the organization, senior management needs to ensure that the entire organization accepts the process and is responsive to the project team.

A project team needs to be assembled. The IT department is often the group that leads the BIA project. The BIA project team members must include the business line and middle managers who understand the overall objectives of the organization and are familiar with the day-to-day operations for which they are responsible. These managers must also articulate the impact of an interruption to their business processes.

Data Gathering

The data gathering phase identifies the critical business function(s) and the tools and expertise required to perform each of them. The data is primarily gathered through an interview process, which can include face-to-face interviews, questionnaires, or conference calls. Depending on the business unit, the types of questions asked can vary. Each business unit manager must examine his individual business unit’s processes, team needs, and internal and external dependencies. The manager must then determine the supporting documentation and computing resources that are needed to allow each business unit to accomplish its individual tasks in a timely fashion.

Frequently, the managers find other information they need to collect or back up to resume their respective business function (for example, a manager finds out that no one knew the phone number for a contractor that was in the critical path for the operation).


The following outlines the key data that must be gathered:

• Business unit details, such as number of customers, transactions, total revenue, number of employees, purpose of the business unit, and critical operations performed.

• Financial (quantitative) and intangible (qualitative) costs associated with a business interruption on a daily basis, and how they can change when projected over time.

• Personnel requirements to support the business unit’s business function after an event. It is often assumed that after an event, fewer staff are required in recovery mode. It should be noted that normal levels or even increased levels of staffing resources might be required.

• Critical systems and applications that support the business unit. This includes computing platforms and software.

• Recovery Time Objectives (RTO), which is the period of time within which systems, activities, applications, or functions must be recovered after an outage for critical functions.

• Recovery Point Objectives (RPO), which is the maximum amount of data loss the business unit can sustain during an event.

• The critical deadline(s) associated with the business unit.

• The alternate processing contingencies. In the event that primary systems are not available, the business must identify these alternate processing contingencies. This includes any temporary manual coping methods and the length of time that they can be used to support the business function.

• Seasonal and time of day requirements for a particular process.

• Key management, vendor, and staff contact information. This includes validated phone numbers, addresses, and emergency contact information.

• Office space and equipment requirements to support staff during the recovery period.

• Documentation requirements to continue the business function. If stored off site, how can they be accessed?

• Alternate site options for staff in the event the primary location is unavailable.

• Internal and external dependencies for work flow.

• Work inputs and outputs (reports).

• Remote access (telecommute) options that are available for critical staff. Listing of staff members equipped with remote access software and accounts.

• Regulatory requirements that impact the business unit, such as HIPAA or SOX.

• Contractual obligations to vendors and/or customers.

• Business opportunity loss due to an event. Will the business unit be able to generate new business? For example, a sales organization may be unable to provide quotes after an event. What are the competitive impacts if the business function is unavailable?

• Future business function changes (systems, organizational, personnel, procedures, and so on).

Data Analysis

The data analysis phase observes the data that was gathered and translates it into quantitative numbers, which allow the organization to understand the amount of time it can tolerate an extended outage. After key data is gathered, criticality levels need to be determined for all business and IT functions in the business unit. The following is a sample matrix that lists the various criticality levels and some recovery methods based on recovery time/point objectives:

| Criticality Level | Recovery Objective | Possible Recovery Method |
| --- | --- | --- |
| Level 1: The business process must be available during all business hours. | > 2 hours | Data replication |
| Level 2: Indicates that the business function can survive without normal business processes for a limited amount of time. | 2 hours to 24 hours | Data shadowing |
| Level 3: The business function can survive for one to three days with a data loss of one day. | 24 to 72 hours | Tape recovery at an off site facility |
| Level 4: Business unit can survive without the business function for an extended period of time. | 72 hours plus | Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility |

Note: Each organization has to determine its own criticality levels and how they are defined.

Documentation of Findings and Senior Management Review

The BIA report is a document that goes to senior management and lists the findings with recommendations. The BIA report includes a listing of critical IT and business functions with criticality levels. Recovery time objectives over time and recovery point objectives need to be presented. The potential financial (quantitative) loss by business unit, projected over time, needs to be clearly estimated for senior management. This includes loss of revenue, share price impact, fines and penalties. The intangible costs (qualitative), such as loss of market share, life and safety, reputation, and employee morale, are also articulated in the report.

The BIA report should include minimum human and physical resources required to support the business unit over time. Senior management has to provide an organization-wide perspective, as most business unit managers often see their functions as being the most critical to run the organization. Senior management has to level set and provide guidance in the selection of recovery methods and priorities.


BIA as an Ongoing Process

The initial BIA should be approached as a project. One needs to remember that the organization changes over time: it adds and removes business units, establishes new priorities, and recovery technology changes. The BIA must remain in step with the organization. The organization should review its BIA on a regular basis to ensure that it is still relevant to the organization.

After the BIA is completed, the business continuity and disaster recovery plan process needs to be initiated. If plans are already in place, they need to be reviewed for any gaps and updated as required based on the BIA report. The BIA provides the relevant data to put in place the recovery methods based on the business unit requirements.

Summary

Some of the key benefits that are derived from a BIA include a better understanding of the financial and intangible impacts of an extended outage and the ability to review the most critical functions and processes within the organization. In addition, the business can identify vital resources that support its operations, point to the proper recovery strategies, and identify the business processes and assets that require the most protection. A BIA is helpful to senior management, as it allows the managers to review a systematic process of evaluating their organization’s risk and their ability to recover.
