Part two of a two-part series. View part 1, SMB business continuity planning basics.
One of the essential tasks in developing a continuity or disaster recovery plan is the business impact analysis (BIA). Its purpose is essentially to gain a clear understanding of how the business works and what happens when there is an interruption. This tip provides an overview of the process from an IT perspective.
Where it starts
The development of a business continuity plan (BCP) includes the definition of strategies to recover or increase the availability of critical business functions. Strategies are defined, taking into account the potential risks to which a given function is exposed and the impact on the business (such as financial losses) should that function be interrupted. These processes are known respectively as risk assessment and BIA.
The BIA normally starts at the business level since it is about impact to the business. This is referred to as "driven from the top down." However, not all organizations have internal skills or available resources to conduct a BIA. Many businesses still attempt to keep planning tasks internal in an effort to keep costs down. In fact, a recent industry survey found that 30% of respondents had tasked their IT department with business continuity planning responsibilities. This is often the case with small and midsized businesses.
If IT plans to initiate the BIA process, it's best to take a "from the bottom up" approach:
- Ensure that IT already has an inventory of all systems and components that make up the IT infrastructure.
- Identify all applications that are hosted on all systems.
- Identify all other components that applications depend on.
- Establish the priority in which the above must be restored (e.g., network, Dynamic Host Configuration Protocol, systems, authentication, applications, data). The recovery priority for the applications comes later.
Once you have a good picture of the IT environment, the components' interdependencies and respective recovery priority, it's time to take your quest for information to the business units to complete the picture. A combination of questionnaires and workshops or interviews usually yields the best results. The following information must be gathered from each business unit:
- A list of the most critical business functions for which each unit is responsible. Participants must be reminded that only functions that affect the business revenue flow are to be considered, not those that affect their daily routine.
- The maximum amount of time a critical business function can be interrupted before the business is affected (this becomes the recovery time objective, or RTO).
- The priority order in which business functions must be recovered.
- The applications that are essential to carry out the business functions.
We can now associate the RTO for each business function with the applications and supporting infrastructure. While this method does not allow IT to quantify the impact of an outage from a financial perspective, it does provide the necessary information to develop recovery strategies.
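The association step described above, as an added example that is not part of the original tip: each component inherits the tightest RTO of any business function that relies on it, and the restore order respects dependencies. The function names, applications, components and hour values are constructed sample data.

```python
from graphlib import TopologicalSorter

# Constructed sample data: business function -> (RTO in hours, applications needed)
FUNCTIONS = {
    "order entry": (4, ["webshop"]),
    "invoicing": (24, ["erp"]),
    "payroll": (72, ["erp", "hr-app"]),
}
# Constructed inventory: component -> components it depends on
DEPENDS_ON = {
    "webshop": ["web-server", "database"],
    "erp": ["app-server", "database", "authentication"],
    "hr-app": ["app-server", "authentication"],
    "web-server": ["network"],
    "app-server": ["network"],
    "database": ["storage", "network"],
    "authentication": ["dhcp"],
    "dhcp": ["network"],
    "storage": [], "network": [],
}

def effective_rto(functions, depends_on):
    """Give every component the tightest RTO of any function that relies on it."""
    rto = {}
    def visit(component, hours):
        if hours < rto.get(component, float("inf")):
            rto[component] = hours
            for dep in depends_on.get(component, []):
                visit(dep, hours)
    for hours, apps in functions.values():
        for app in apps:
            visit(app, hours)
    return rto

def restore_order(functions, depends_on):
    """Dependencies first; among components that are ready, tightest RTO first."""
    rto = effective_rto(functions, depends_on)
    ts = TopologicalSorter({c: depends_on.get(c, []) for c in rto})
    ts.prepare()  # raises graphlib.CycleError on a circular dependency
    order = []
    while ts.is_active():
        ready = sorted(ts.get_ready(), key=lambda c: (rto[c], c))
        order.extend(ready)
        ts.done(*ready)
    return [(c, rto[c]) for c in order]

if __name__ == "__main__":
    for name, hours in restore_order(FUNCTIONS, DEPENDS_ON):
        print(f"{name:15} restore within {hours}h")
```

In this sample the shared database ends up with a 4-hour RTO even though the ERP functions alone would tolerate 24 hours, which is the kind of result the bottom-up inventory is meant to surface.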
IT is now in a position to provide cost information to the business for each recovery or resiliency option. It is then up to the business to estimate losses in the event of an interruption and compare them with the cost of the strategy for justification.
Pierre Dorion is a business continuity consultant at Mainland Information Systems Ltd. in Calgary, Alberta, specializing in business continuity planning.