You’ve persuaded your bosses to invest in business impact analysis? Good job! Now, it is time to get started. But the process needs some preparation beforehand if it’s going to be successful.
After all, the analysis predicts the outcomes of disruptions of a business process and function and collects information necessary to create recovery strategies.
Now, the business disruption could be something as simple as a leaky overhead sprinkler or it could be much more complex, such as a terrorist attack. It could be because of a lack of server space or because the business does not have enough computer engineers to make this project come to fruition.
In any case, you need to get familiar with the core concepts of business impact analysis and outline the prep work. Make sure it is worth your time and energy, providing tangible results in the process. Take a look at the fundamental components of business impact analysis below:
Building blocks of business impact analysis
Even though it varies based on the circumstances, business impact analysis requires the following (at the minimum):
- Maximum tolerable downtime: This term is used to indicate the longest period a specific asset can be down before it starts affecting the finances of the business in a significant manner.
- Recovery point objective: Recovery point objective describes the quantity of data your business is expected to lose on every individual system. For example, if nightly backups are scheduled for 8 p.m. every day and the server crashes before that day’s backup runs, you must manually recover all data going back to 8 p.m. of the previous day. Company employees at the management level are in charge of deciding whether this is acceptable or not.
- Interdependencies: Used to rate how heavily other systems depend on a particular asset. The results are crucial, since a few systems, while not very impactful themselves, become critical to the business because many other systems need them to function properly.
- Overall impact: The overall impact is nothing more than a list of things your business holds dear in order of priority. Any risks posed to the IT security of the organization’s digital assets could break the business’ back.
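As an added illustration (not part of the original article), the sketch below applies these building blocks to a constructed inventory: it tightens each asset's maximum tolerable downtime to that of the most time-sensitive system depending on it, flags assets whose backup interval exceeds the accepted recovery point objective, and orders assets for recovery. The asset names, hour figures and field names are hypothetical, and inheriting the tightest downtime from dependents is an assumption about how interdependencies are scored.

```python
# Constructed sample inventory (hypothetical assets and figures).
# mtd_h: maximum tolerable downtime in hours; rpo_h: data loss management accepts;
# backup_every_h: hours between scheduled backups; depends_on: assets it needs.
ASSETS = {
    "order-portal": {"mtd_h": 4, "rpo_h": 1, "backup_every_h": 1, "depends_on": ["auth", "orders-db"]},
    "payroll": {"mtd_h": 72, "rpo_h": 24, "backup_every_h": 24, "depends_on": ["auth", "hr-db"]},
    "orders-db": {"mtd_h": 24, "rpo_h": 1, "backup_every_h": 24, "depends_on": ["storage"]},
    "hr-db": {"mtd_h": 96, "rpo_h": 24, "backup_every_h": 24, "depends_on": ["storage"]},
    "auth": {"mtd_h": 48, "rpo_h": 24, "backup_every_h": 24, "depends_on": []},
    "storage": {"mtd_h": 168, "rpo_h": 24, "backup_every_h": 24, "depends_on": []},
}

def transitive_dependents(assets):
    """Map each asset to every asset that directly or indirectly needs it."""
    direct = {name: set() for name in assets}
    for name, info in assets.items():
        for dep in info["depends_on"]:
            direct.setdefault(dep, set()).add(name)
    result = {}
    for name in assets:
        seen, stack = set(), list(direct[name])
        while stack:  # iterative walk; the seen set also guards against cycles
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(direct[cur])
        seen.discard(name)
        result[name] = seen
    return result

def effective_mtd(assets):
    """An asset can be down no longer than its most time-sensitive dependent."""
    deps = transitive_dependents(assets)
    return {n: min([a["mtd_h"]] + [assets[d]["mtd_h"] for d in deps[n]])
            for n, a in assets.items()}

def rpo_gaps(assets):
    """Hours by which worst-case data loss (the backup interval) exceeds the RPO."""
    return {n: a["backup_every_h"] - a["rpo_h"]
            for n, a in assets.items() if a["backup_every_h"] > a["rpo_h"]}

def priority_order(assets):
    """Recover the tightest effective MTD first, then the most depended-upon."""
    eff, deps = effective_mtd(assets), transitive_dependents(assets)
    return sorted(assets, key=lambda n: (eff[n], -len(deps[n]), n))

if __name__ == "__main__":
    for name in priority_order(ASSETS):
        print(name, effective_mtd(ASSETS)[name], rpo_gaps(ASSETS).get(name, 0))
```

In this sample, the storage layer has a stated tolerance of a week but an effective one of four hours, and the orders database is backed up nightly despite a one-hour recovery point objective.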
Business impact analysis strategy that works for you
Normally, business impact analysis uses more traditional processes involving stakeholder interviews, dependency reviews and discussions, RPOs and applications, and scoring for calculating RTO. This takes a lot of time, but other options are available. Apart from a formal business impact analysis, you can perform:
- Informal business impact analysis: A strategy that involves the use of fast, informal interviews. The participants must discuss the timing of when a specific process has to be functional. The “why” of the situation must also be discussed. The contents of the discussion may also cover the necessary applications and concentrate on critical dependencies only.
- Questionnaire: This tactic revolves around collecting the required details using a questionnaire and following up whenever required. Make it a point to cover all the necessary details. Try to gather information that resembles what was gathered from the informal interview.
- Hybrid: A strategy that combines the best of both worlds — informal and formal — for every department on the basis of its criticality, the latest changes to the organization, and the last business impact analysis performed.
Understanding the fundamental building blocks
Business impact analysis can be properly understood only if it contains the five elements mentioned below:
1. Executive sponsorship
Conducting a business impact analysis is not a one-person job; it requires the support and cooperation of other executives within the company. Without the backing of management, your analysis will never succeed. Executive sponsorship provides the clout necessary to achieve priority and support from other organizational departments.
The best way to earn the cooperation of the management is to facilitate top-down communication. This communication can assume the form of a managerial meeting, an email, or a conference. Your job is to highlight the need for business impact analysis to ensure the smooth running of the business when disaster strikes.
2. Get insight into the organization
You need to first identify every critical business function and process performed by your company before you can complete the second phase of business impact analysis. Check the organizational structure of your business, the different departments and divisions to locate key contacts or subject matter experts capable of helping you learn and identify the processes that will be affected most by a sudden incident.
3. Tools of the trade
A successful business impact analysis depends on the tools for the job. These tools all come into play once you review the overall business and figure out which part of each system, function, and process affects the daily operations.
The best tools for business impact analysis include interviews, organizational charts, dedicated software, data flow diagrams, and questionnaires — all of which help collect the data needed to understand the possible impact that a disaster could impose on the company. Just watch “Deepwater Horizon” and see how that disaster affected BP!
4. Follow the process
Utilize the business impact analysis tools to list every business function and process. Accordingly, designate every process as noncritical or critical to conducting business smoothly. Plus, develop a list of personnel who can perform said functions.
If you’re dealing with critical functions, collect detailed data regarding how every function is performed, whom it is performed by, and the financial and operational impact of interruption. Keep doing this after the initial week of interruption, the initial month, and so on.
Choose a fixed target recovery date for every process, every business-critical function, and every business system. Figure out the external and internal business dependencies. Also, allocate a safe space for all the BIA data to be stored so it can be retrieved for future reference following a disaster.
Confirm and submit the findings. But first, check in with key personnel or the departmental managers to make sure what you’ve concluded is realistic and accurate. Present the findings to the ranking officers of the company for approval, which you can then use to create business recovery strategies.
5. Bolstering business practices
The insights drawn from a business impact analysis must feed back to the security readiness of the organization.
Preparation is the key
Irrespective of the business impact analysis strategy employed, preparing for the analysis can make or break the outcome. IT must gather all the information necessary to create a basic strategy and disseminate the information needed to begin work on the tech recovery strategy.
While you might still fall short of the necessary details (nothing is perfect), following the concepts above might be a judicious way to get started with a business impact analysis.