2.7 Business Impact Analysis (BIA) 69
Chapter 2
resources to reduce and correct potential losses. For this reason, some people prefer to address the threat/vulnerability pairs as observations instead of findings in the risk assessment report. A suggested report format is shown in Appendix A.
2.7 Business Impact Analysis (BIA)
A business impact analysis is a process of identifying the critical business functions and the losses and effects if these functions are not available. It involves talking to the key people operating the business functions in order to assess the impact an event would have on business operations. The purpose of the BIA is to correlate specific system components with the critical services that they provide and, based on that information, to characterize the consequences of a disruption to the system components. The BIA process must begin with executive sponsorship of the effort and the support and involvement of senior management, because a good BIA will involve an unprecedented study of the organization. The BIA is a collective undertaking between those whose continuity is sought and those who are major contributors to the various business processes and are intimately involved in the assessment of their value. The results of a BIA will rank and position each business and support function in an order for recovery based on organizational knowledge. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's COOP, BCP, and BRP.
Effective analysis is essential in plan development, strategy selection, and reduction of recovery costs. Impact analysis requires input from the owner, business function, and program managers to understand precisely what the agency risks losing should there be a disruption or disaster. While overall responsibility lies with the business functional unit leader, information needed for recovery comes from all levels of management. The IS organization alone cannot provide that information. The effort needs to be a “meeting of the minds” that results in identifying, qualifying, and quantifying the terms “critical” and “intolerable impacts.” Only the owner can identify, quantify, and qualify these impacts. Impact analysis ensures the intolerable impacts are the main consideration in defining the direction, scope, and appropriate recovery strategies for plan development. Simply put, the shorter the time in which the impacts become intolerable, the hotter the strategy (most resources in place, ready to use). Conversely, if the impacts are tolerable for two weeks or more, then a colder strategy (resources identified, but not in place) is indicated.
One of the lesser-known advantages of performing a BIA is that the awareness level of many of the organization's employees rises significantly as BIA interview questions and “what if” scenarios are discussed. This can have the advantage of speeding the progress of the project and of helping to gather consensus and support from areas of the organization which otherwise would not have understood the importance of enterprise-wide recovery plan development, testing, and maintenance.
Impact analysis is often confused with risk assessment. Risk assessment is associated with determining the potential losses from a threat versus the cost of the protective measure, weighed against the value of the asset. It is concerned with determining how much to spend on prevention and protection. Although risk assessments are a very important step in the analysis, not all of the information needed for recovery planning results from this one step.
Interview people from all the functional and support areas who know the business processes and can respond to a structured questionnaire quantitatively. Interviewees should range from those who feel the organization “cannot survive without me” to those who “hold the organization together with their bare hands.” The BIA conveys the needs of the organization and what the impacts would be if critical functions were not recovered in a timely fashion. BIA results are the foundation and cornerstone of the plan and of the strategies selected for use in the event of a disaster.
2.7.1 Identification of Key Business Processes
The BIA should include a list of the key business areas of the organization.
This list should be in order of importance to the business. Areas that should
be considered include:
Accounting and Reporting
Customer Service Handling
E-mail and Ecommerce Processes
Finance and Treasury
Human Resources
Information Technology
Maintenance and Support
Marketing and Public Relations
Production Processes
Quality Control Mechanisms
Research and Development Activities
Sales and Sales Administration
Strategic Business Planning Activities
Each item identified above should include a brief description of the business process, its main dependencies on IT (or other) systems, what communications are involved, key personnel, and other relevant information that may be helpful in a recovery process.
2.7.2 Establishing Requirements for Business Recovery
In the event of a disaster, it is advisable to have immediate answers to several crucial questions. Examples of the types of questions critical to business continuity are:
What resources and records would be required to continue the business function?
What are the bare minimum resource requirements to maintain operations?
Which of the resources would come from external sources?
Upon what other business functions would it be dependent, and to what extent?
What other business functions would depend on it, and to what extent?
Upon which external businesses/suppliers/vendors would it be dependent, and to what extent?
Which Service Level Agreements (SLAs) and measures for continuity would these external entities follow?
What would the backup needs be?
What time and effort are required to recreate current data from the backups?
What precautions need to be taken for recovering without a test environment?
2.7.3 BIA Questionnaire Development
In preparing the BIA questionnaire, all of the metrics used should be decided on and followed consistently throughout the questionnaire. Even if automated tools are used, it is recommended that some of the interviews be conducted face-to-face, with the understanding that there will be iterations and opportunities to fine-tune the responses. In order to obtain greater consistency in responses and ease of comparison, describe precisely the business function being interviewed, use consistent critical timing elements and orders of magnitude for specifying quantity, or provide selections from which to choose. Remember, the BIA questionnaire determines impacts to an organization as if it were experiencing an actual interruption.
2.7.3.1 Information Provided by the BIA Questionnaire
In order to determine initial discovery and response to an event, your questionnaire should have a series of questions that begin with the phrase “When would the disruption . . .” Some key questions for consideration are shown in Figure 2.10.
Answers to these questions will allow you to develop a specific focus on matters that unfold as the disaster is discovered and reported, as well as on how people in the vicinity are likely to respond to it. If a disruptive event occurs, there should be specific activities that are prepared for, with planned responses to the various stages of the event as it unfolds. The next set of questions addresses dealing with the impact of the event, as opposed to discovery and dispatch of a response.
Figure 2.10 Questions to ask in the BIA questionnaire regarding initial discovery and response to an event.
BIA questions beginning with “When would the disruption impact . . .” are generally directed at understanding how the event will affect the organization. Figure 2.11 shows some questions for consideration.
Of course, there is no limit to the number of questions that can be asked on the questionnaire, but our recommendation is to keep it as short as possible and to focus on specific areas of interest that address the aforementioned areas.
There may be extenuating circumstances that your organization must consider and include in such a survey; always take those into consideration when developing the questions. For example, if your organization is spread across a large campus and an event occurs specific to a single building, what would be different in the questionnaire if the event were to affect multiple buildings, or all of the campus?
Figure 2.11 BIA questions used to determine the impact of an event.