As we discussed in Chapter 3, there are four primary ways of gathering information: questionnaires, interviews, documents, and research. This holds true for the BIA as well. Before you can develop questionnaires or interviews, however, you have to know what you're looking for. You may choose to gather subject matter experts (SMEs) who then create questionnaires or interview questions. As a project team, you may create a number of very specific questions or scenarios to be presented to SMEs in the form of questionnaires or interviews. The additional information will come from either the project team or SMEs reviewing documents or performing targeted research.
Where to start this sometimes daunting process? One of the best places to start is with your company's organizational chart. Lacking that, try the company's phone directory, electronic or paper. In many cases, the functional areas of the company are clearly spelled out. This can be a good place to determine sources for subject matter experts as well. You can begin by listing each functional area, such as each division or each major work area (manufacturing, warehouse, operations, and development, among others). List subdepartments or subdivisions under each of the major headings, as appropriate. Now you should have a comprehensive list of the major and minor departments, which are often the functional areas, in your company. Check for duplication and remove any areas that are repeated or that clearly should not be included. The key at this juncture is to generate a comprehensive list of business functions that can later be prioritized. Also remember that there may be internal or external dependencies that raise the criticality of particular business functions.
As previously discussed, asking questions and providing scenarios to consider can help people focus on specific business issues and generate better responses. Some questions you might ask of your subject matter experts to help them focus on the key aspects of the impact analysis include these:
- How would the department function if desktops, laptops, servers, e-mail, and Internet access were not available?
- What single points of failure exist? What, if any, risk controls or risk management systems are currently in place?
- What are the critical outsourced relationships and dependencies? What are the upstream and downstream risks to your business function?
- If a business disruption occurred, what workarounds would you use for your key business processes?
- What is the minimum number of staff you would need and what functions would they need to carry out?
- What are the key skills, knowledge, or expertise needed to recover? What are the key roles that must be present for the business to operate?
- What critical security or operational controls are needed if systems are down?
- How would this business function in a backup recovery site? What would be needed in terms of staff, equipment, supplies, communications, processes, and procedures? (This crosses into the disaster recovery element, which we'll discuss more in a later chapter.)
Business Continuity and Disaster Recovery for IT Professionals
ABOUT THE BOOK:
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity & Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops, among other tools. Purchase the book from Syngress Publishing.

ABOUT THE AUTHOR:
Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC, has over 20 years of experience working in IT in both technical and executive positions, including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Master's degree in Business Administration (MBA) and a Bachelor's degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.