The number and type of data points you collect in your business impact analysis is largely a function of the size and type of company in which you work. Smaller companies will have fewer data points, larger companies will have more. However, you can also inundate yourself with too many data points if you don't take a focused approach. Some companies are extremely slow-moving, analytical types of companies in which all data must be collected and assessed. Other companies move at the speed of light (typical in start-ups) and want to grab just the high points and move on. The plan you devise needs to find a balance between information overload and superficial data. Be sure to include enough detail so that you can actually develop strategies that will help your company survive a serious business disruption, but don't allow the information floodgates to open and overwhelm you with minutiae.
Table 4.2 shows various data points you can consider collecting along with a brief description of the purpose or focus of that data point. Feel free to modify this to suit your unique needs.
Table 4.2 Business Impact Analysis Data Points
|Data Point||Description||IT Dependencies|
|Business function or process||Short description of the business function or process (we'll use "function" from here on).||Describe primary IT systems used for this business function.|
|Dependencies||Description of the dependencies to this function. What are the input and output points to this function? What has to happen or be available in order for this function to occur? What input is received, either from internal or external sources, that is required to perform this business function? How would the disruption of this business function impact other parts of the business? How and when would this disruption to other functions occur?||Describe IT systems that impact or are impacted by this business function. Are there any internal or external IT dependencies?|
|Resource dependencies||Is this business function dependent upon any key job functions? If so, which and to what extent? Is this business function dependent upon any unique resources? If so, what and to what extent (contractors, special equipment, etc.)?||Describe secondary/support computer/IT systems required for this business function to occur.|
|Personnel dependencies||Is this function dependent on specialized skill, knowledge or expertise? What are the key positions or roles associated with this function? What would happen if people in these roles were unavailable?||Describe key roles, positions, knowledge, expertise, experience, certification needed to work with this particular IT system or IT/business function.|
|Impact profile||When does this function occur? Is it hourly, daily, quarterly, seasonally? Is there a specific time of day/week/year that this function is more at risk? Is there a specific time at which the business is more at risk if this function does not occur (tax time, payroll periods, year end inventory, etc.)?||Describe the critical timeline related to this function/process and related IT systems, if any.|
|Operational||If this function did not occur, when and how would it impact the business? Would the impact be one time or recurring? Describe the operational impact of this function not occurring.||Describe the impact on IT if this business function does not occur.|
|Financial||If this function did not occur, what would be the financial impact to the business? When would the financial impact be felt or noticed? Would it be one time or recurring? Describe the financial impact of this function not occurring.||Describe the financial impact of this function not occurring.|
|Backlog||At what point would work become backlogged?||Describe how a backlog would impact IT systems and other related or support systems work.|
|Recovery||What types of resources would be needed to support the function? How many resources would be needed and in what timeframe (phones, desks, computers, printers, etc.)?||What resources, skills, and knowledge would be required to recover IT systems related to this business function?|
|Time to recover||What is the minimum time needed to recover this business function if disrupted? What is the maximum time this business function could be unavailable?||How long would it take to recover, restore, replace, or reconfigure IT systems related to this business function?|
|Service Level Agreements||Are there any service level agreements in place related to this business function? What are the requirements and metrics associated with these SLAs? How will SLAs be impacted by the disruption of this business function?||How would IT service levels be impacted by the disruption or lack of availability of this business function? How do external SLAs impact IT systems?|
|Technology||What hardware, software, applications, or other technological components are needed to support this function? What would happen if some of these components were not available? What would be the impact? How severely would the business function be impacted?||What IT assets are required to support/maintain this business function?|
|Desktops, laptops, workstations||Does this business function require the use of "user" computer equipment?||What is the configuration data for required computer equipment?|
|Servers, networks, Internet||Does this business function require the use of back-end computer equipment? Does it require connection to the network? Does it require access to or use of the Internet or other communications?||What is the configuration data for required servers and infrastructure equipment?|
|Work-arounds||Are there any manual work-around procedures that have been developed and tested? Would these enable the business function to be performed in the event of IT or systems failures? How long could these functions operate in manual or work-around mode? If no procedures have been developed, does it seem feasible to develop such procedures?||Are there any IT-related work-arounds related to this business function? If so, what are they and how could they be implemented?|
|Remote work||Can this business function be performed remotely, either from another business location or by employees working from home or other off-site locations?||Can this business function be performed remotely from an IT perspective? If so, what would it take to enable remote access or the ability to remotely perform this business function?|
|Workload shifting||Is it possible to shift this business function to another business unit that might not be impacted by the disruption? If so, what processes and procedures are in place or are needed to enable that function?||Are there other IT systems or resources that could pick up the load should a serious disruption occur?|
|Business/data records||Where are the business records related to this function stored or archived? Are they currently backed up? If so, how, with what frequency, where?||How and where are backups stored? Based on data provided, is the current backup strategy optimal based on the risks and impact?|
|Reporting||Are there legal or regulatory reporting requirements of this business function? If so, what is the impact of a disruption of this business function to reporting requirements? Are there reporting work-arounds in place or could they be developed and implemented?||Are there other ways reporting data could be generated, stored, or reported if key business functions or systems were disabled?|
|Business disruption experience||Has this business function ever been disrupted before? If so, what was the disruption and what was the outcome? What was learned from this event that can be incorporated into this planning effort?||Has IT ever experienced the disruption of this business function in the past? If so, what was the nature and duration of the disruption? How was it addressed and what was learned from the event?|
|Competitive impact||What, if any, is the competitive impact to the company if this business function is disrupted? What would the impact be, when would the impact occur, when would the potential loss of customers or suppliers occur?|
|Other issues||What other issues might be relevant when discussing this particular business function?||Are there other IT issues related to this specific business function that should be included or discussed?|
Once you've collected all these data points for all your business functions and processes, you have a comprehensive understanding of your business, its key functions, and what would happen if those functions were disrupted. In the next chapter, we'll discuss how to develop risk mitigation strategies based both on the various risks your company faces and on the criticality of the various business functions as defined in this phase of the assessment.
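Once the "Dependencies" and "Time to recover" rows are filled in, they can be checked against each other. The following sketch is an added example, not part of the book: it flags functions whose IT recovery time, including that of upstream dependencies, exceeds the maximum time the function could be unavailable. The field names, sample functions, and hour values are constructed, and the rule that a function cannot recover sooner than its slowest dependency is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class BIARecord:
    """One row of collected BIA data (field names are illustrative)."""
    function: str
    max_outage_hours: float    # "maximum time this business function could be unavailable"
    it_recovery_hours: float   # "how long would it take to recover ... IT systems"
    depends_on: list = field(default_factory=list)  # from the "Dependencies" row


def effective_recovery(name, records, seen=frozenset()):
    """Hours until `name` is usable again: its own IT recovery time or that
    of its slowest upstream dependency, whichever is longer (assumption)."""
    if name in seen:
        raise ValueError(f"circular dependency involving {name!r}")
    rec = records[name]
    upstream = [effective_recovery(dep, records, seen | {name})
                for dep in rec.depends_on]
    return max([rec.it_recovery_hours] + upstream)


def recovery_gaps(records):
    """Map each function to the hours by which recovery overshoots its
    maximum tolerable outage; functions with no shortfall are omitted."""
    gaps = {}
    for name, rec in records.items():
        shortfall = effective_recovery(name, records) - rec.max_outage_hours
        if shortfall > 0:
            gaps[name] = shortfall
    return gaps


# Constructed sample data, not taken from the book.
SAMPLE = {
    "network": BIARecord("network", 4, 8),
    "hr_database": BIARecord("hr_database", 24, 12, ["network"]),
    "payroll": BIARecord("payroll", 48, 6, ["hr_database"]),
    "order_entry": BIARecord("order_entry", 2, 1, ["network"]),
}

if __name__ == "__main__":
    for fn, hours in recovery_gaps(SAMPLE).items():
        print(f"{fn}: recovery exceeds tolerable outage by {hours} h")
```

Here order entry recovers in one hour on its own systems, but its dependency on the network pushes its effective recovery to eight hours, which is the kind of gap the dependency questions in Table 4.2 are meant to surface.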
|ABOUT THE BOOK:|
|Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity & Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops – among other tools. Purchase the book from Syngress Publishing|
|ABOUT THE AUTHOR:|
|Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC has over 20 years experience working in IT in both technical and executive positions including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Masters degree in Business Administration (MBA) and a Bachelors degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.|