Business impact analysis for business continuity: Preparing the BIA report

There is no standardized format for a business impact analysis report and, as with many other processes, this document will likely follow your company's standard format. At minimum, the report should include the business functions, the criticality and impact assessments (see the list is Table 4.2) and the maximum tolerable downtime (MTD) assessment for each. Dependencies, both internal and external, should be noted and the correlation to IT systems should be delineated.

This report should be prepared in draft format with initial impact findings and issues to be resolved. The participating managers, SMEs, and BC/DR team members should review the findings. Revise the report based on participant's feedback to the draft document. If needed, you can schedule a draft review meeting to discuss the finding in the draft. Often this is helpful (and needed) to resolve conflicts with regard to the criticality and maximum tolerable downtime ratings, since there is a correlation between these ratings and the cost of mitigating the risks and reducing downtime. Once the feedback has been gathered, revise the draft and finalize the document. This document, depicted at the outset of this chapter in Figure 3.2, is used along with the risk assessment as an input to the risk mitigation process. To assist you in preparing your final report, we've recapped the elements you may choose to include.

• Key processes and functions
• Process and resource interdependence
• IT dependencies
• Criticality and impact on operations
• Backlog information
• Key roles, positions, skills, knowledge, expertise needed
• Recovery time requirements
• Recovery resources
• Service level agreements
• Technology (IT and non-IT technology)
• Financial, legal, operations, market, staff impacts
• Work-around procedures
• Remote work, workload shifting
• Business data, key records
• Reporting
• Competitive impact
• Investor/market impact
• Customer perception impact
• Other (business-specific data not already included)

Summary

Performing the business impact analysis requires you to look at your entire organization from top to bottom. You can begin by gathering subject matter experts, whether division heads, departmental managers, or designated staff, from various parts of your company. These people should be those in the company best able to answer the questions related to critical business activities. This relates to how your company generates revenues, tracks customers and sales, and other key business processes.

Data can be gathered using questionnaires, interview, workshops, documents, and research. There are pros and cons to each approach, so be sure to select the method most appropriate to your organization. Since each company is unique, there is no "one size fits all" template you can use to delineate all critical business processes for all companies. However, throughout this chapter, we discussed a wide variety of business functions, processes, and approaches that can help you develop a comprehensive list of your company's critical processes as well as the key roles, expertise, and knowledge needed to carry out those critical processes.

Once this data is collected, each process must be assessed for criticality. In the big picture, how critical is each business process to your company's ability to continue operating? Using a three- or four-point rating system will help you look across the depth and breadth of your organization to understand which processes and functions are mission-critical, which are vital or essential, which are important, and which are minor. Your risk mitigation planning efforts will focus first on mission-critical processes and then to vital or essential processes.

You'll also need to develop your recovery time objectives (RTO) for each critical function. In some cases, you might choose to associate a recovery time with criticality ratings. For example, mission-critical functions might need to be recovered within 24 hours whereas vital or essential functions might need to be recovered within 72 hours. Alternately, you can assign criticality and then assign recovery time objectives to each process individually. This might make more sense in companies where there are numerous mission-critical processes that cannot be simultaneously addressed. Again, this is a decision you and your team have to make regarding recovery objectives. Input from division or departmental experts is key to understanding required recovery timeframes as well as key interdependencies that exist among departments, processes, and systems.

There is a relationship between the cost of recovery and the cost of downtime. Each company has to assess these costs and make decisions regarding the optimal point of intersection. The longer the company goes without a key process, the more expensive it becomes due to loss of sales and increase in costs associated with the outage. However, recovery costs go down the longer you have to recover. If you need to recover within hours, your costs to provide this type of recovery capability will be significantly higher than if you need to recover within days. The point at which downtime costs and recovery costs intersect is the optimal point for planning, though in the real world, it can be difficult to determine the exact point of intersection. Keeping this concept in mind, however, will help you find the best solutions for your company.

The business impact analysis uses business functions, business processes, and IT systems as the input points. The analysis is performed so that each process is identified and analyzed. The output for each process and function includes criticality assessment, financial impact analysis, operational impact analysis, recovery objectives, dependencies, and work-around procedures. When this is documented for each business function and key business process, you have a comprehensive look at your company and a solid business impact analysis.

Solutions Fast Track

Business Impact Analysis Overview

• After identifying risks and threats to the company, the business impact must be evaluated. Key business functions and processes are viewed in light of risk assessment data.
• The impact of disruptions not only to your business but to upstream and downstream partners needs to be considered.
• Consider the impact on corporate employees including physical or emotional injuries in the aftermath of a serious event or natural disaster. People respond in many ways to disasters and your plan must have the flexibility to allow for a variety of responses.
• For each key business process, critical objectives, timelines, dependencies, and impact must be understood and analyzed.
• The impact of the disruption of key business functions is assessed and prioritized so that risk mitigation strategies can be developed.

Understanding Impact Criticality

• Not all business functions and processes are mission-critical. Your risk mitigation strategy planning usually is limited to those functions and processes that are vital to the ongoing operations of the company.
• You can use a three- or four-point system of rating criticality. The four-point system ratings are mission-critical, vital (essential), important, minor. If a three-point system works better for you, you can use mission-critical, important, and minor. Define these clearly so they are used consistently across the organization.
• All processes should be assessed for criticality. Recovery objectives must also be assigned. Some companies assign the recovery time with the criticality. Therefore, mission-critical would have a recovery objective of 0--4 hours, for example. Other companies choose to set recovery objectives separately.
• The total time it takes to recover from a business disruption includes the recovery point objective, which is the lag between the time of the last good backup and the business disruption, the time it takes to recover systems, the time it takes to recover data, and the testing and verification of repaired systems. This is often called the maximum tolerable downtime (MTD) or maximum tolerable outage (MTO).
• There is an optimal point between the cost of downtime and the cost of recovery. The longer systems are down, the more expensive it is for your company. The shorter the required recovery time, the more expensive it is for your company. Therefore, the intersection of the cost of downtime and the cost of recovery is the optimal point. This is not always easy to determine but the concept helps in your planning efforts.

Identifying Business Functions

• Business functions are areas of the company that have specific roles or purposes such as sales, operations, finance, or HR. Business processes are the defined methods and actions used to achieve those purposes. Both functions and processes must be assessed in order to fully understand the company's critical work.
• The most common business functions include facilities, security, HR, IT, legal, compliance, manufacturing/assembly, marketing/sales, operations, research/development, and warehouse/inventory.
• The most common business processes include sales, invoicing, inventory management, and payroll, to name just a few.

Gathering Impact Data

• Gathering data for your business impact analysis is a significant undertaking. Enlisting subject matter experts (SME) from around the company is vital to your success.
• Using scenario-based questions, you can help SMEs understand what you're asking of them and help them envision potential problems. The more realistic your scenarios, the better data you'll gather.
• The data you gather should include the business function, process, criticality, time to recovery, dependencies, financial and operational impact, and other relevant data.
• You can use questionnaires, interviews, workshops, documents, and research to gather data. There are pros and cons to each approach; use the one that best fits your organization's way of doing business.

Determining Impact

• Determining the impact runs the gamut from financial to legal to operational to environmental and beyond. It's important to understand the impact to the company from these various perspectives, even if your focus is on the impact related to IT systems.
• The impact of a business disruption may have serious legal, financial, or regulatory consequences. These typically come from outside the organization and should be included in your planning. It's sometimes easy to miss these external elements when focusing solely on internal business impacts.
• The company's reputation in the community, region, or marketplace can be greatly impacted by a business disruption, especially if that disruption has to do with data security, data loss, or other sensitive areas. This should also be taken into consideration as you look at the impact analysis.

Business Impact Analysis Data Points

• There are numerous data points that can be collected about business processes across the organization. A comprehensive look will include these data points along with the interdependencies and impact on/with IT systems.
• For each critical business process, the impact to and impact from IT systems should be mapped out. In some cases, the disruption of a business process impacts IT systems. In other cases, the disruption of business processes does not impact IT but the disruption of IT systems, either primary or secondary, can impact key business processes. These interdependencies must be clearly understood and documented.
• External elements such as regulatory compliance, reporting, and corporate reputation must also be addressed. Again, the IT relationship must also be addressed. Often there is no leeway in meeting financial or legal obligations, regardless of the nature of the business disruption. There may be a bit of flexibility if a large natural disaster impacts the firm, but an isolated event such as localized flooding or fire will not alter regulatory, legal, or financial requirements on the firm.

Frequently Asked Questions

Q:There seem to be far too many things to consider when doing the business impact analysis. I don't really know where to start. Any suggestions to make this process less overwhelming?

A:The business impact analysis is probably the largest data gathering aspect of this entire project and it can be overwhelming. The key to success is first to identify the various business functions then recruit experts from each function to participate. If you have to sit down and map all this out yourself, you not only will be overwhelmed, you'll also probably have lots of gaps and errors. This has to be an organizational effort, not just something the BC/DR team does off in a corner. Next, if you create a clear, concise set of questions that you want each subject matter expert to respond to, you have a much better chance of getting good data. In some companies, creating a series of workshops and working together in a less formal atmosphere may make this process a bit more interesting and productive. If you break it down by function or department and just start working your way through the data, you'll find you make it through this process a bit more easily. It's a big job but defining the segments and working systematically through it will help you get there successfully.

Q:I'm an IT analyst and a lot of this information doesn't relate to my job or role in the project. Can't I just skip over this section?

A: You could, but not if you want to have a successful project. Even if your role is limited to assessing IT functions, you need to understand how your company conducts business. Without that understanding, you won't be able to make intelligent assessments about IT systems. Sure, you know which servers are running which applications, you understand user access and security, but how does this relate to the day-to-day activities in your company? If the building were to burn to the ground with your IT systems in it, how would you prioritize your next steps? If you don't know which activities are mission-critical, you can't make intelligent assessments about which systems should be restored first. Certainly, there may be IT-related constraints with regard to the order or priority of system recovery, but you also need to consider the bigger picture. Critical business processes must resume first, regardless of where they fall in the IT world view. Therefore, participating fully in this process will make you better able to participate fully on this team and it will also help you be a more productive contributor to the overall business.

Q: You didn't spend much time talking about IT systems in this chapter. I thought this book was focusing on business continuity and disaster recovery for IT professionals. Did I miss something?

A: No you didn't miss anything. Any IT professional needs to focus on these businesswide issues, regardless of whether you're heading up the BC/DR effort or just focusing on IT needs. We didn't spend an undue amount of time on IT systems at this juncture because this section focuses specifically on the business impact analysis. You should include your IT systems as part of your assessment, just as you included other functions such as warehouse or marketing. However, since you know your IT systems and your IT processes intimately, we focused instead on areas that are likely to be less familiar to you. The processes and procedures discussed in this chapter, however, should be applied to your IT functions and processes as well. The interdependency of IT systems with other business functions is important and that's why we focused on that area more than strictly on IT systems. We'll look at IT systems in more detail in upcoming chapters.

Use the following table of contents to navigate to chapter excerpts.

Business Continuity and Disaster Recovery for IT Professionals
  Home: BIA for business continuity: Introduction
  1: BIA for business continuity: Overview
  2: BIA for business continuity: Upstream and downstream losses
  3: BIA for business continuity: Understanding impact criticality
  4: BIA for business continuity: Recovery time requirements
  5: BIA for business continuity: Identifying business functions
  6:BIA for business continuity: Gathering data
  7: BIA for business continuity: Data collection methodologies
  8: BIA for business continuity: Determining the impact
  9:BIA for business continuity: Data points
  10:BIA for business continuity: Understanding IT Impact
  11: BIA for business continuity: BIA for small business
  12: BIA for business continuity: Preparing the BIA report