Business Impact Analysis

June 17, 2018 | Author: vipermy | Category: Business Continuity, Business Process, Business, Leadership & Mentoring, Leadership
Business Impact Analysis Franklin Fletcher 

Introduction

The Business Impact Analysis (BIA) is the foundation for any business continuity program within an organization. A BIA is required to generate a business continuity or disaster recovery plan. It allows management to identify the organization's most critical business and Information Technology (IT) processes. A BIA also captures the timeframe within which each business unit must complete its work and supply its deliverables to its customers, along with the resources required to continue operations.

BIA Process

The development of an initial BIA goes through several phases and should be approached as a project (a unique initiative with a defined start and finish). The process involves the following steps:

• Project planning
• Data gathering
• Data analysis
• Documentation of the findings
• Management review and signoff

Project Planning

The first step in the creation of a BIA is to gain commitment from senior management. Senior management needs to set the objectives of the BIA project, as its members play a pivotal role in the final phase, which involves setting priorities and signing off on the project deliverables. Because the BIA requires input from across the organization, senior management needs to ensure that the entire organization accepts the process and is responsive to the project team. A project team needs to be assembled. The IT department is often the group that leads the BIA project. The BIA project team must include the business line and middle managers who understand the overall objectives of the organization and are familiar with the day-to-day operations for which they are responsible. These managers must also be able to articulate the impact of an interruption to their business processes.

Data Gathering

The data gathering phase identifies the critical business function(s) and the tools and expertise required to perform each of them. The data is primarily gathered through an interview process, which can include face-to-face interviews, questionnaires, or conference calls. Depending on the business unit, the types of questions asked can vary. Each business unit manager must examine his or her unit's processes, team needs, and internal and external dependencies. The manager must then determine the supporting documentation and computing resources needed for the business unit to accomplish its tasks in a timely fashion. Frequently, managers discover other information they need to collect or back up in order to resume their respective business function (for example, a manager finds out that no one knew the phone number of a contractor who was in the critical path for the operation).

The following outlines the key data that must be gathered:

• Business unit details, such as number of customers, transactions, total revenue, number of employees, purpose of the business unit, and critical operations performed.
• Financial (quantitative) and intangible (qualitative) costs of a business interruption on a daily basis, and how they are projected to change over time.
• Personnel requirements to support the business unit's function after an event. It is often assumed that less staff is required in recovery mode; in practice, normal or even increased staffing levels may be required.
• Critical systems and applications that support the business unit, including computing platforms and software.
• Recovery Time Objectives (RTO): the period of time within which systems, activities, applications, or functions must be recovered after an outage.
• Recovery Point Objectives (RPO): the maximum amount of data loss the business unit can sustain during an event, expressed as an amount of time.
• The critical deadline(s) associated with the business unit.
• Alternate processing contingencies. In the event that primary systems are not available, the business must identify these contingencies, including any temporary manual workarounds and the length of time they can sustain the business function.
• Seasonal and time-of-day requirements for a particular process.
• Key management, vendor, and staff contact information, including validated phone numbers, addresses, and emergency contacts.
• Office space and equipment requirements to support staff during the recovery period.
• Documentation required to continue the business function. If it is stored off site, how can it be accessed?
• Alternate site options for staff in the event the primary location is unavailable.
• Internal and external dependencies for work flow.
• Work inputs and outputs (reports).
• Remote access (telecommute) options available for critical staff, and a listing of staff members equipped with remote access software and accounts.
• Regulatory requirements that impact the business unit, such as HIPAA or SOX.
• Contractual obligations to vendors and/or customers.
• Business opportunity loss due to an event. Will the business unit be able to generate new business? For example, a sales organization may be unable to provide quotes after an event. What are the competitive impacts if the business function is unavailable?
• Future business function changes (systems, organizational, personnel, procedures, and so on).

Data Analysis

The data analysis phase reviews the data that was gathered and translates it into quantitative figures, which allow the organization to understand how long it can tolerate an extended outage. After the key data is gathered, criticality levels need to be determined for all business and IT functions in each business unit. The following is a sample matrix that lists the various criticality levels and some recovery methods based on recovery time/point objectives:

Criticality Level | Recovery Objective | Possible Recovery Method
Level 1: The business process must be available during all business hours. | Less than 2 hours | Data replication
Level 2: The business function can survive without normal business processes for a limited amount of time. | 2 to 24 hours | Data shadowing
Level 3: The business function can survive for one to three days with a data loss of one day. | 24 to 72 hours | Tape recovery at an off-site facility
Level 4: The business unit can survive without the business function for an extended period of time. | 72 hours plus | Low priority for tape recovery / rebuild infrastructure / relocate operations to a new facility

Note: Each organization has to determine its own criticality levels and how they are defined.
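As an added example (this is not code from the article), the Python script below applies the sample matrix above to a set of business functions and then propagates each function's RTO along the internal dependencies gathered in the previous phase, so that a shared system inherits the tightest RTO of whatever relies on it. The thresholds and recovery methods are the article's sample matrix; the function names, the sample business functions with their RTO/RPO values and dependencies, and the propagation rule itself are assumptions made for this illustration (the article does not spell out dependency propagation, although it lists dependencies as data to gather).

```python
"""Assign BIA criticality levels from RTOs and propagate RTOs along dependencies.

Added example, not from the original article. The matrix is the article's
sample; the business functions and the propagation rule are constructed here.
"""
from dataclasses import dataclass, field

# Sample matrix from the article: (exclusive upper RTO bound in hours, level, method).
# Each organization must define its own levels; these are only the sample ones.
SAMPLE_MATRIX = [
    (2, 1, "Data replication"),
    (24, 2, "Data shadowing"),
    (72, 3, "Tape recovery at an off-site facility"),
    (float("inf"), 4, "Low priority for tape recovery / rebuild infrastructure / relocate"),
]


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float                 # RTO as stated by the business unit manager
    rpo_hours: float                 # maximum tolerable data loss; recorded for the report
    depends_on: list = field(default_factory=list)  # names of functions/systems it needs


def criticality(rto_hours, matrix=SAMPLE_MATRIX):
    """Return (level, recovery method) for an RTO. Level 1 is the strictest (< 2 h)."""
    if rto_hours < 0:
        raise ValueError("RTO must be non-negative")
    for upper_bound, level, method in matrix:
        if rto_hours < upper_bound:
            return level, method
    raise AssertionError("matrix must end with an unbounded level")


def effective_rtos(functions):
    """Propagate RTOs along dependencies (assumed rule, not from the article).

    If order entry (RTO 1 h) depends on the customer database (stated RTO 48 h),
    the database cannot really be out for 48 hours: order entry stays down until
    it is back. Each dependency therefore takes the minimum of its own RTO and
    the effective RTO of everything that depends on it. Values only ever
    decrease to an RTO already in the set, so the loop terminates even with cycles.
    """
    by_name = {f.name: f for f in functions}
    effective = {f.name: f.rto_hours for f in functions}
    changed = True
    while changed:
        changed = False
        for f in functions:
            for dep in f.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{f.name} depends on {dep}, which was never gathered")
                if effective[f.name] < effective[dep]:
                    effective[dep] = effective[f.name]
                    changed = True
    return effective


def analyse(functions):
    """Return rows in recovery order: (name, stated RTO, effective RTO,
    stated level, effective level, method). A function whose effective level is
    stricter than its stated level was understated in the interviews."""
    effective = effective_rtos(functions)
    rows = []
    for f in functions:
        stated_level, _ = criticality(f.rto_hours)
        eff_level, method = criticality(effective[f.name])
        rows.append((f.name, f.rto_hours, effective[f.name], stated_level, eff_level, method))
    rows.sort(key=lambda r: (r[2], r[0]))
    return rows


# Constructed sample data: a sales unit's order entry needs the customer
# database, which the IT manager rated as a 48-hour system on its own.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Order entry", rto_hours=1, rpo_hours=0.25, depends_on=["Customer database"]),
    BusinessFunction("Customer database", rto_hours=48, rpo_hours=24, depends_on=["Storage platform"]),
    BusinessFunction("Storage platform", rto_hours=72, rpo_hours=24),
    BusinessFunction("Payroll", rto_hours=120, rpo_hours=24, depends_on=["Storage platform"]),
]

if __name__ == "__main__":
    for name, stated, eff, s_lvl, e_lvl, method in analyse(SAMPLE_FUNCTIONS):
        flag = "  <- understated in interviews" if e_lvl < s_lvl else ""
        print(f"Level {e_lvl} (stated {s_lvl}) RTO {eff:>5.1f} h  {name:<18} {method}{flag}")
```

Running the script lists the customer database and the storage platform as Level 1 even though their managers stated 48 and 72 hours, because order entry cannot recover without them. This is the kind of organization-wide inconsistency the senior management review in the next phase has to resolve, and it is easier to resolve when the dependency data from the interviews is checked mechanically rather than by reading each unit's questionnaire in isolation.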

Documentation of Findings and Senior Management Review

The BIA report is a document that goes to senior management and lists the findings with recommendations. The BIA report includes a listing of critical IT and business functions with their criticality levels. Recovery time objectives and recovery point objectives need to be presented, projected over time. The potential financial (quantitative) loss by business unit, projected over time, needs to be clearly estimated for senior management. This includes loss of revenue, share price impact, fines, and penalties. The intangible (qualitative) costs, such as loss of market share, life and safety, reputation, and employee morale, are also articulated in the report. The BIA report should include the minimum human and physical resources required to support the business unit over time. Senior management has to provide an organization-wide perspective, as most business unit managers see their own functions as the most critical to running the organization. Senior management has to level-set and provide guidance in the selection of recovery methods and priorities.

BIA as an Ongoing Process

The initial BIA should be approached as a project. One needs to remember that the organization changes over time: it adds and removes business units, establishes new priorities, and adopts new recovery technologies. The BIA must remain in step with the organization, so the organization should review its BIA on a regular basis to ensure that it is still relevant. After the BIA is completed, the business continuity and disaster recovery planning process needs to be initiated. If plans are already in place, they need to be reviewed for gaps and updated as required based on the BIA report. The BIA provides the data needed to put in place recovery methods that match the business unit requirements.

Summary

Some of the key benefits derived from a BIA include a better understanding of the financial and intangible impacts of an extended outage and the ability to review the most critical functions and processes within the organization. In addition, the business can identify the vital resources that support its operations, point to the proper recovery strategies, and identify which business processes and assets require the most protection. A BIA is helpful to senior management, as it gives managers a systematic process for evaluating their organization's risk and its ability to recover.

