A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered.

Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.

The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

The point in time when a business function or process is disrupted can have a significant bearing on the loss sustained. A store damaged in the weeks prior to the holiday shopping season may lose a substantial amount of its yearly sales. A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses. A short duration disruption of production may be overcome by shipping finished goods from a warehouse but disruption of a product in high demand could have a significant impact.

Use a BIA questionnaire to survey managers and others within the business. Survey those with detailed knowledge of how the business manufactures its products or provides its services. Ask them to identify the potential impacts if the business function or process that they are responsible for is interrupted. The BIA should also identify the critical business processes and resources needed for the business to continue to function at different levels.

The BIA report should document the potential impacts resulting from disruption of business functions and processes. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies. The BIA report should prioritize the order of events for restoration of the business. Business processes with the greatest operational and financial impacts should be restored first.

Next steps:
Business Continuity Plan and Information Technology Disaster Recovery Plan

Identifying your business continuity plan objectives is an important first step in creating a comprehensive plan. Putting these objectives into words serves two purposes:
By clearly defining these objectives prior to starting your business continuity planning process, you increase the likelihood that you will achieve the core goal of your plan: preparing the business for a disaster scenario to minimize downtime when such an event occurs.

Based on our experience as a business continuity services provider, we have identified 9 business continuity plan objectives that are critical for focusing your team’s energies on the activities that will create the policies and procedures that will build lasting resilience into your business operations. We recommend communicating these objectives at your project launch meeting, emphasizing them in your project communications, and listing them at the opening of your business continuity plan (BCP) document.

Business Continuity Plan Objectives Aligned to Template

To add structure to our recommendations, we have aligned these objectives with the format of the Business Continuity Plan template developed by the Ready.gov organization. Ready.gov is an organization within the Federal Emergency Management Administration (FEMA) that was created to marshal the resources of FEMA and the Department of Homeland Security (DHS). Its mission is to deliver materials to the public to improve the nation’s ability to respond to emergencies, including natural and man-made disasters. The site includes a section devoted to business issues, which is where the business continuity plan template is found. The sections of the BCP template provided by Ready.gov are:
At the conclusion of the discussion of each objective, we designate the section or sections of the plan where you can have the greatest impact on achieving that objective. The section name is listed in italics.

9 Critical Business Continuity Plan Objectives

Objective 1: Identify Disaster Recovery Personnel

Identifying the personnel who will be staffing your disaster recovery team is one of the most important goals of your business continuity planning. Some of the questions that need to be addressed are:
One of the most important roles in your disaster recovery organization is the crisis management coordinator. This person can also be referred to as the disaster recovery coordinator. The person is granted authority to make decisions and is responsible for initiating recovery plan protocols and directing the recovery of business operations. The coordinator is also responsible for communicating with the company’s insurance companies about policies related to disaster impacts, including the company’s cyber insurance policy, which will play an important role in mitigating the financial effect of disaster impacts on ongoing operations.

BCP Template Section: Business Continuity Organization

Objective 2: Assess Risks and Impact

Another crucial purpose of creating a BCP is identifying the various internal and external threats to your operations through a risk assessment. The results of the risk assessment will be incorporated into a business impact analysis that will specify different types of disasters that could disrupt your business and quantify the impact of each scenario: how much damage would be caused, how long the recovery would take, the cost of operational losses, and so on.

As the graphic below demonstrates, the Business Impact Analysis (BIA) lays the foundation for the remainder of your BCP. All your recovery strategies, continuity plans, and update processes derive from the work that occurs during the business impact analysis phase.

Source: Ready.gov

The purpose of the BIA is to allow companies to uncover all the linkages among internal business operations and with suppliers and customers to anticipate to the greatest degree possible what can possibly become de-linked and quantify the potential impact.
In a Business Continuity Institute (BCI) article entitled, “Why the BIA Provides the Foundation Stone for Business Continuity,” the author states:

“It never fails to amaze me the labyrinth of intricate parts that goes into making up an organisation, and it can often be difficult for individual teams to understand how they contribute to the success and vision of the business. I liken it to a delicate ecosystem where everything needs to work in balance and harmony to work efficiently and effectively. When you start changing or removing parts of the organisation, whether that is through structural change or an incident, that ecosystem becomes out of balance and therefore we need to understand the impact.”

Business continuity consultants can play a constructive role in ensuring that all interactions are surfaced and discussed. As outsiders to your operations, they have an ability to pick up on linkages that employees in the system can overlook as they are simply too close to particular functions to see all potential implications for your business and customers.

One of the outcomes of the BIA is the establishment of the plan’s Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). These two metrics are defined in the following way:
The importance of establishing these measurements lies in the fact that they are used as a basis for defining your recovery strategies. MHA Consulting, a business continuity consultant, stresses the importance of RTO and RPO concepts in guiding your recovery processes investment decisions: “Knowing them helps ensure that your strategies, implementation, and plans are neither overly aggressive (wasting resources) or inadequate (providing insufficient protection).”

BCP Template Section: Business Impact Analysis

Objective 3: Outline Existing Preventive Measures

A business stakeholder wants to know, “what are we doing to prevent ransomware situations like the one I just read about in the news?” This is another reason for your BCP. It will outline the technologies, tools, and protocols that are already in place to prevent or mitigate the effects of a disaster. Technologies for premises-based data backup and cloud services backup are included in the preventive measures analysis.

By demonstrating to all members of the business continuity organization what assets are already in place, the preventive measures analysis provides a means of gaining agreement among team members about what investments the company needs to make in additional preventative measures. Often referred to as a gap analysis, the process will build consensus amongst team members so the BCP findings can then be used as a tool to pitch executive decision-makers for the investment capital to improve business resilience.

BCP Template Section: Business Impact Analysis

Objective 4: Provide the Step-by-Step Protocols

Your plan will provide the specific procedures that need to be followed to assist in recovery. Chances are, when a disaster strikes, personnel won’t remember exactly what they’re supposed to do. Your disaster teams should have a general idea, but if needed they’ll be able to consult the document to follow the exact procedures as they’re listed.
At this point, it is important to draw the distinction between a business continuity plan and a disaster recovery plan. In our previous post on this topic, we noted that, “a comprehensive business continuity plan will actually have a disaster recovery plan built into it.” The disaster recovery plan is an element of your business continuity plan but is also a standalone document. The disaster recovery plan includes granular instructions covering such items as the definition of plan triggering events, emergency alert and escalation procedures, steps in activating emergency response teams, and team assembly points; these are all elements of a plan with well-constructed response protocols.

BCP Template Section: Business Continuity Strategies and Requirements

Objective 5: Identify the Location of Critical Data and Assets

One of the most important IT business continuity plan objectives is to identify where critical data and other assets are being stored. This allows recovery teams to begin recovery even if key IT personnel are unavailable. Imagine, for example, a scenario in which you had no IT workforce. There must be, at least, a footprint for other personnel or stakeholders to follow. Any confusion will significantly impede the recovery process.

An IT asset management system offers companies a way to automate tracking of assets and reduce errors resulting from out-of-date information, duplicates, inaccurate serial numbers and tag overlaps. Asset management systems also play a role in cyber security preventive measures. Without a complete asset management list, a device could be overlooked that connects to the network without virus protection or the latest patch to meet a known security threat. IT asset management systems have facilitated the tracking of the great dispersion of devices that resulted from the COVID-19 pandemic.
BCP Template Section: Business Continuity Strategies and Requirements

Objective 6: Identify Back-up Locations and Resources

Recovery teams need to know where and how to relocate operations and with what resources. Your BCP will outline the availability of any back-up office space or the procedures for securing a new space rapidly. Additionally, it will cite the availability of back-up physical resources, such as workstations and devices.

There are several different types of disaster recovery backup sites that are generally classified in one of four ways: hot site, warm site, cold site, and mobile site. These types are described below:
BCP Template Sections: Business Continuity Strategies and Requirements; Incident Management

Objective 7: Prioritize Emergency Communications

Who communicates with the client during an emergency? Who notifies the workforce? Who speaks to the media? By having a business continuity management policy in place, recovery personnel will understand their roles in both internal and external emergency communications.

One of the goals of your crisis communications plan is to help maintain calm within your workforce so all parties can fulfill their responsibilities and continue to serve customers. Disaster events can eliminate ordinary methods of communications, so alternative communications channels should be specified.

Identifying and understanding your audiences, or stakeholders, is the necessary first step in formulating your crisis communications plan. The following is a list of potential audiences:
A clear definition of who will be the spokesperson aligned to each of these audiences is necessary in order to provide speed of response and to ensure consistency of message.

BCP Template Sections: Business Continuity Strategies and Requirements; Incident Management

Objective 8: Find Weaknesses and Propose Solutions

Any holes in your continuity planning must be addressed. The BCP is as much a process as it is a static document. It’s a work in progress requiring ongoing risk assessment, identification of scenarios that would leave operations unprotected, and the development of action steps to address weaknesses that call for immediate attention.

Business continuity plan testing is an important element of keeping your plan current and responsive to changing conditions. There are four categories of testing described below:
Your testing schedule is highly dependent on such factors as company size, your pace of new equipment and upgrade installations, and the amount of turnover in your IT staff, but most business continuity professionals recommend annual testing at a minimum.

BCP Template Sections: Testing, Testing & Exercising; Program Maintenance and Improvement

Objective 9: Fulfill External Requirements

The final objective does not link to any particular section of the plan itself, but instead addresses the reality that your company may be required to provide a BCP to satisfy external requirements from regulators, vendors, and insurance companies.

As noted by the Disaster Recovery Institute (DRI), there are over 120 regulations that mandate business continuity management across a variety of industries. These are mandated by regulatory authorities and legislation such as the Financial Industry Regulatory Authority (FINRA) and the Health Insurance Portability and Accountability Act (HIPAA). RFPs increasingly include a requirement to demonstrate an active business continuity management program, and insurers will want to see evidence of a BCP as a part of the underwriting process.

Conclusion

Gaining organizational commitment to achieving these critical business continuity plan objectives is a significant challenge, as business continuity leadership has to find a way to motivate employees to commit to spending time on issues that don’t contribute to achieving daily goals. Recruiting the right team, adopting a collaborative approach with participants, engaging senior management early in the process, and investing in training and certification will contribute to long-term commitment to planning success.

Learn More

As a provider of business continuity services, Invenio IT has helped clients manage through disaster incidents.
To learn more about how we can put this experience to work for your company to minimize downtime from disruptive incidents, contact our disaster recovery teams at (646) 395-1170. Sign up on our blog home page to join our community of 17,000+ readers who receive our updates on topics related to business continuity, disaster recovery, data backup, and cybersecurity.

What is the objective of a BIA?

A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment.
What are the main components of BIA?

10 Elements in a Business Impact Analysis Report: internal and external dependencies; vital records; service level agreements; system and application Recovery Point Objectives; level of reliance on internal and external systems and applications; specialized equipment required; backlog information; workaround procedures.

What are the three key outputs of the BIA process?

The BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs).

What are the five goals of conducting a BIA?

An effective BIA consists of five elements: Executive Sponsorship, Understanding the Organization, BIA Tools, BIA Processes and BIA Findings.