The fundamental task in business impact analysis (BIA) is understanding which processes in your business are vital to your ongoing operations and to understand the impact the disruption of these processes would have on your business. From an IT perspective, as the National Institute of Standards and Technology (NIST) views it: "The BIA purpose is to correlate specific system components with the critical services that they provide, and based on that information, to characterize the consequences of a disruption to the system components" (Source: NIST "Contingency Planning Guide for Information Technology Systems, NIST Special Publication 800-34, p. 16). So, there are two parts to the BIA: the first is to understand mission-critical business processes and the second is to correlate those to IT systems.
As an IT professional, you certainly understand the importance of various IT systems, but you may not be fully aware of the critical business functions performed in your company. Even if your role in this project is limited to managing the IT elements in this BC/DR plan, you should still pay close attention to the material in this chapter for two main reasons. First, understanding the critical business functions is important in terms of understanding how to recover IT systems in the event of a significant business disruption. You might think that System A is most critical, based on a number of assumptions you're making. However, through this process, you might find that System B or C is really what keeps the company up and running on a day-to-day basis or that without System D, System A doesn't really matter. Second, if you have any aspirations at all of moving up the corporate ladder toward that CIO job, your understanding of the overall business will certainly help you achieve those goals. Today's CIO needs to have a solid background in technology and business, so understanding the critical business functions in your company will pay off in many ways for you.
According to the Business Continuity Institute (www.thebci.org), a recognized leader in business continuity management and certification, there are four primary purposes of the business impact analysis:
- Obtain an understanding of the organization's most critical objectives, the priority of each, and the timeframe for resumption of these following an unscheduled interruption.
- Inform a management decision on Maximum Tolerable Outage (MTO) for each function.
- Provide the resource information from which an appropriate recovery strategy can be determined/recommended.
- Outline dependencies that exist both internally and externally to achieve critical objectives.
Source: The Business Continuity Institute, Good Practices Guidelines, 2005, p. 21.
Business impact analysis is the process of figuring out which processes are critical to the company's ongoing success, and understanding the impact of a disruption to those processes. Various criteria are used including customer service, internal operations, legal or regulatory, and financial. From an IT perspective, the goal is to understand the critical business functions and tie those to the various IT systems. As part of this assessment, the interdependencies need to be fully understood. Understanding these interdependencies is critical to both disaster recovery and business continuity, especially from an IT perspective. Would it make sense for your IT staff to spend three days trying to recover System D if System A is still out of commission? Until you perform the BIA, there may be no real way to know.
Business impact analysis includes the steps listed earlier, but we can break them out into a few more discrete activities or steps:
- Identify key business processes and functions.
- Establish requirements for business recovery.
- Determine resource interdependencies.
- Determine impact on operations.
- Develop priorities and classification of business processes and functions.
- Develop recovery time requirements.
- Determine financial, operational, and legal impact of disruption.
The result of performing these seven steps is a formal business impact analysis, which is used in conjunction with the risk assessment analysis to develop mitigation strategies (discussed in Chapter 5).
The two primary impact points of any business disruption are the operational impact and the financial impact. The operational impact addresses the nonmonetary impact including how people, processes, and technology are impacted by a business disruption and how best to address that impact. The financial impact addresses the monetary impacts and how a business disruption will impact the company's revenues.
Use the following table of contents to navigate to chapter excerpts.
|ABOUT THE BOOK:|
|Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity and Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops – among other tools. Purchase the book from Syngress Publishing|
|ABOUT THE AUTHOR:|
|Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC has over 20 years experience working in IT in both technical and executive positions including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Masters degree in Business Administration (MBA) and a Bachelors degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.|
This was first published in January 2008