Find out how a BIA will keep your disaster recovery plan strong
Preface to the BIA
Most businesses today have a DR plan in place, but not all have completed a thorough business impact analysis. Whether you create your DR plan internally or reach out to a partner, the process must begin with a proper BIA: an exercise that breaks down all applications and systems critical to the business and its customers, and establishes tier levels of importance. Here are the questions to ask to create one:
- What are your most critical applications?
- How long can each application be offline before it starts to impact business, and what is the true impact? Is it monetary, or something like loss of reputation or potential loss of customers?
- How do you differentiate between what is critical to a single business unit and what is critical to the business?
BIAs are critical because, as stated by TechTarget, they establish organizational vulnerabilities and delineate what types of protection and recovery activities should be carried out prior to a disaster, versus what can be held off until after a disaster event has taken place. Without a BIA, in the event of catastrophe, businesses will have a very difficult time figuring out which applications and systems need to be recovered first. The confusion could result in chaos, and it increases the potential for the very business impacts that DR is intended to prevent. Availability of IT assets will ultimately determine when an organization can return to “business as usual,” at least at an acceptable level, but a lack of insight into what to focus initial recovery on makes business as usual difficult to achieve.
Lack of prioritization renders your DR plan useless
Your DR plan is significantly less useful if you haven’t used a BIA to prioritize. ComputerWeekly explained that the BIA should demonstrate the legitimate business impacts of a disaster event, spanning both organizational problems and likely associated costs. Ultimately, the end result should help define levels of protection for each area of business, minimum necessary IT service levels and the extent to which business can reasonably withstand disruption.
Getting started with a business impact analysis
There are a number of important considerations for your IT team to keep in mind when conducting a BIA, as described by TechTarget:
- Define the total organizational impact of losing a business function. Determine which applications that function relies upon.
- Look at the complete IT environment when determining the importance of applications. End users are not the only consideration. It is also important to understand which other applications and infrastructure components each application relies on.
- Be very specific in defining financial impacts. Factor in P&L impact, capital and operating costs.
- Do not include risk assessment activities in business impact analysis. Risk assessment is aimed at causes of outages—BIAs determine the effects.
A BIA template
These are the basic BIA steps to help organizations begin to list out impacts of disaster across all levels of business:
Timing: Identify point in time when interruption would have most significant impact.
Duration: Identify disruption duration or point in time when impacts will occur (<1 hour; >8 hours; >72 hours; >1 month; etc.).
- Lost sales and income
- Negative cash flow
- Increased expenses
- Regulatory fines
- Customer dissatisfaction
Financial impacts: Quantify operational impacts.
All organizations must complete a BIA
The BIA process allows organizations to realistically determine the consequences of disaster, making it a central part of disaster recovery planning.