A BUSINESS IMPACT ANALYSIS (BIA) is the backbone of the continuity planning process. A BIA establishes the goals to be achieved to enable an organization to continue or resume operations following a disaster. It is a tool that assists in identifying, understanding, and prioritizing the critical business functions of each business unit and the related time frame in which each must be restored to avoid the organization reaching its threshold of operational pain when disaster strikes.
The primary goal of a BIA is to separate time-critical business functions. It differentiates those functions that are absolutely necessary, either immediately or within a short time frame, for the organization to function at an acceptable level, from those functions that sustain the business and allow it to operate more smoothly and perhaps more efficiently, yet are not immediately essential to core operations. Upon completion of the analysis, some organizations find that as few as 20 to 30 percent of all business functions are critical immediately following a disaster or major disruption, while some others can be delayed for as long as thirty days—or even longer.
Once the most to least critical business functions throughout the organization are identified and prioritized, a recovery time objective (RTO) and a recovery point objective (RPO) are then assigned to each. The RTO is the target time in which the function must be operational following a disruption. The RPO is the point in time to which systems and data must be restored after an unplanned outage. Related staffing and resource needs for critical functions are also identified. From this solid foundation, it is possible to begin developing effective business continuity strategies.
While the hazard assessment identifies and ranks potential disasters by likelihood and the resulting impact and provides guidance for prioritizing the need for mitigation, the BIA identifies the most time-critical business functions, the related necessary resources, and target time frames for restoring operations following a disaster.
I am often asked which should come first—the hazard assessment or the business impact analysis? (This is like the chicken-or-the-egg question.) If there are sufficient resources, the two processes can be conducted simultaneously. Otherwise, it’s best to do the hazard assessment first, identifying and ranking the risks to your facility and operations to determine which to address most vigorously with mitigation and planning. Then, move forward with the BIA.
Another frequent question is whether it is absolutely necessary to conduct both, or either. The answer is the former: You must do both. The hazard assessment identifies the risks and operational disruptions for which we must plan, while the BIA identifies the most critical functions as well as the time frame in which they must be made operational. Omitting a hazard assessment would require the organization to prepare to manage each and every known risk at its most severe and damaging level. But without a BIA to provide matter-of-fact guidance on the priority order of restoration of business functions, the planning process would be based on the need to restore all business functions fully, immediately, and simultaneously—an approach that is neither realistic nor financially feasible.
Moreover, beyond its principal continuity planning purpose, the BIA is a valuable resource for gaining greater insight into operations across the enterprise. Upon completion, it is highly likely that the information gathered will provide a more complete and in-depth view of the entire enterprise, its operations, and internal and external interdependencies than was previously available from any single source.
Conducting the BIA can seem like a nearly insurmountable challenge when first tackled. The larger the organization, the greater the effort required to conduct the BIA. The complexity of the process is further complicated when the organization has a number of geographically diverse locations or delivers several different products or services. Getting your arms around a complex international corporation or a nontraditional matrix organization is much more challenging than analyzing the operations of a small to midsize company with one location or one with a more vertical supply chain. However, the rewards are worth the effort. This comprehensive understanding of the business provides the knowledge necessary to successfully reconstitute operations following a disruption, regardless of its magnitude.
Like the proverbial elephant sandwich, the BIA is less daunting when approached as a step-by-step process. The steps are as follows:
Step 1: Establish criteria for identifying time-critical functions. This becomes the yardstick against which all business functions are measured to determine the level of criticality of each.
Step 2: Decide on the data gathering process to be used, and develop the necessary instruments. Use the method that works best for your organization, such as an electronic survey, a paper survey, a workshop, interviews, or a combination of two or more of these.
Step 3: Provide orientation for those involved from whom you will be requesting information. Let people know the reason you are requesting the information and how it will be used. This helps you overcome the challenge of making sure the information collected is complete and accurate.
Step 4: Conduct the data gathering process. Expect that it will be necessary to follow up with those who are less timely in their responses.
Step 5: Review survey responses and, as necessary, conduct follow-up interviews. Validate the information received, correct inaccuracies, clarify inconsistencies, and eliminate information gaps.
Step 6: Integrate the data gathered from all business units into a single criticality order list of functions. Establish the probable sequence in which each critical function must be restored, from most time-critical to least time-critical.
Step 7: Cross-check results for all as yet unidentified internal and external interdependencies and interfaces, and adjust the criticality sequence as necessary. A task not seen as time-critical by the business unit that performs it may have greater criticality based on how it is utilized by another business unit.
Step 8: Identify the resources needed for each time-critical function. This includes standard and nonstandard equipment, office supplies, hardware, and software.
Step 9: Based on criticality, determine the maximum allowable downtime for each function. Establish the sequence in which each critical function must be restored.
Step 10: Set the RTO and RPO. The RTO establishes a goal for the period of time within which each time-critical function will be operational following a disruption, while the RPO identifies the point in time to which systems and data must be restored after an unplanned outage.
Step 11: Report BIA results to executive management for review and, as necessary, revise the results based on management’s input. Expect that adjustments will be requested in some findings, such as priority order of restoration of some functions, based on upper management’s knowledge and broader perspective of the organization and its current and future operations.
Deciding where in the organization to start can be a challenge. In a best practice approach, a BIA is conducted from the top down, starting at the headquarters or corporate level, then moving to the division or location level, and then to the individual business units in the division or location. For each business unit, you must identify the critical products and functions, measure the length of time the identified critical processes can be down without resulting in a significant delivery interruption, and determine the resources needed to support the identified functions.
In beginning the discussion of identifying critical functions, I would like to offer an editorial comment. While most current resources for business continuity best practices use the terms “critical” or “essential,” I prefer to use the term “time-critical,” though “time-sensitive” would also work. I have found this works for two primary reasons.
First, put yourself in the shoes of business unit managers who are asked to assist in identifying the critical functions performed by their departments. It is likely and understandable that you would be reluctant to categorize any of the work done in your department as critical, fearing doing so would imply that any work not specifically identified as critical is unnecessary. Doing so might be construed as identifying everything else done in the business unit as noncritical. As you might expect, many managers are extremely uncomfortable going on record as having said that any of the department’s work or the people who do the work are not essential. In the continuing push to accomplish more with less, you would be justified to wonder whether a secondary purpose—or perhaps even the primary purpose—of this process might be to reduce the number of positions in the department or to further reduce the budget.
Second, if a function or task is identified as not being essential, it is reasonable to question whether it is needed at all and why people are being paid to carry out these nonessential tasks. Managers need to be assured that the goal of the process is not to identify less critical functions with an ultimate goal of cutting positions or department budgets. Every position and every function is necessary. Managers must be told that the results of a BIA provide a rank order of all functions across the enterprise based on time-criticality. It identifies those functions that must be continued or restored most quickly following a disaster-caused interruption, as well as those that can be delayed for varying lengths of time. Its purpose is not to judge any function as being expendable but to determine how long the organization can be without each function before there is resulting financial loss, an inability to meet stakeholder requirements, damage to the brand, or failure to meet regulatory requirements.
The initial step in the BIA is to establish the criteria for determining which functions are the most to the least time-critical. Using two factors—core business and mission—it is possible to accurately define considerations to apply in determining the level of time-criticality of each of the organization’s individual functions (processes or tasks).
While time-critical business functions are those that allow the organization to conduct business and fulfill its mission, equally critical are those functions that protect the organization’s greatest asset—its employees—as well as functions directly affecting cash flow and those necessary to meet legal or regulatory requirements. The criteria must be specific to the organization. For instance, criteria for companies that rely on cutting-edge technology or the newest innovative product idea to give them a competitive edge will rank design or research and development functions as highly time-critical.
Organizations may also opt to identify time-critical functions as those in business units responsible for the most income or the greatest profit. Retaining customers and market share are the priorities. Since a major disruption to the supply chain can have a lasting impact on a company’s ability to produce and deliver its product or service, most would agree that there is a direct correlation between an uninterrupted supply chain and income, profit, and the organization’s financial picture—and in the case of publicly traded companies, shareholder value. Some companies decide that as long as the company is able to produce and ship product to the end customer, other functions (such as invoicing and tracking market trends) can wait.
Yet, because of the interrelated symbiotic nature among all business units within an organization, it is difficult to conclude that all functions performed by one business unit are highly time-critical while none of the functions of another unit are. Determining the cost of a cessation of any business function may present a challenge involving complex calculations of identifiable costs. Other costs are intangible and difficult, if not impossible, to calculate, and the greater cost may not be measurable in monetary terms but rather in terms of lost business, damage to reputation, or damage to the trust and confidence all stakeholders have in the organization. If it is possible to roughly calculate the costs for a short given period of time—say, a week—the ability to calculate the losses for five weeks is not as simple as multiplying the losses for one week times five. In the case of an extended disruption to operations, the resulting loss of customers is perhaps the greatest and longest-term damage. If your organization is the supplier or service provider, the BIA must take into account your post-disaster capability to continue to meet customers’ needs when a disaster strikes.
Figure 6-1 presents an overview of some of the factors to take into account when attempting to accurately calculate the cost of disaster-related disruptions.
Disaster-Related Loss | Calculating the Cost |
Employee Productivity | Number of employees affected × hours of downtime × fully-burdened hourly rate (hourly wage plus all benefits, taxes, etc.) |
Revenue | Direct loss of revenue Billing losses Lost future revenue Investment losses |
Financial Performance | Cash flow Lost discounts on accounts payable Credit rating |
Related Expenses | Lost or dated inventory Marketing costs Space/equipment rental Extra shipping costs Travel expense Overtime costs/temporary employees Chargebacks for late deliveries |
Damage to Reputation and Trust (Intangible) | Brand damage Customer confidence Suppliers Banks and other financial institutions Stockholders |
Regulatory and Legal | Fines Penalties Legal fees |
Lost Customers | Inestimable losses |
Once the criteria have been developed and management has agreed that they are correct, the criticality criteria become the yardstick against which every function within the organization is measured. This provides an objective standard and helps avoid disagreements and the possibility of seeming favoritism during the BIA process.
While the level of criticality of functions performed within each department varies from extremely high to very low, no single department can single-handedly keep the supply chain functioning. Every enterprise has a supply chain, and within it there are products and services where disruption to supply would have a huge impact on business continuity. Similarly, most companies have major customers whose needs they must prioritize during recovery from an incident.
For supply management operations, a BIA includes a review of manufacturing, transportation, distribution services, supporting technology, warehouses, procurement, service centers, and any other business units that are directly involved in the internal supply chain. For each critical business function, it is equally important to identify the dependencies such as outsourced service providers; critical suppliers of raw materials, components, or parts; as well as critical infrastructure providers for water, electrical power, telecommunications, and all other third-party companies upon which the business function relies but does not directly control.
An uncomplicated way to measure the level of criticality of supply chain business units is to develop a series of statements that can be responded to with a yes or no. For example:
Function involves direct contact with customers.
Function involves direct contact with suppliers, contractors, or shippers.
Loss of function would directly result in a loss of revenue and profit.
Loss of function would result in loss of customers.
Loss of function would result in increased operating costs.
Loss of function can result in accounts receivable delays.
Loss of function would:
Delay distribution of products or service delivery.
Delay shipment or receipt of products.
Delay receipt of materials, parts, or components.
Negatively impact the company’s current highly positive public image.
Result in significant liability exposure or other legal ramifications.
Prevent the company from meeting regulatory requirements.
Lead to imposition of fines or other penalties for failure to fulfill delivery clauses or meet service level agreements.
Result in financial penalties for late payment of accounts payable
A ratio of yes to no responses provides a preliminary indication of criticality. A function with more yes than no answers requires further investigation to quantify its precise time criticality.
The supply chain map created for use in the hazard assessment is also helpful, together with available process flowcharts. Begin the BIA process with a review of internal supply chain business units such as manufacturing, purchasing/procurement, warehousing, shipping and receiving, and quality. Also consider the interdependencies with closely linked non– supply chain departments such as research and development, marketing, finance, human resources, facilities, public relations, regulatory, and legal. It should also identify the dependencies on information processing and other technology.
When conducting a BIA for the supply chain, it is necessary to recognize both internal and external components and interdependencies. No organization can deliver its product or service independently, and there is great dependency on a complex supply chain that encompasses multiple supplies and services provided from outside the organization. In global supply chains, the configuration is far-reaching and even more complex.
The importance of all touch points, both upstream and downstream, within supply networks must be considered to effectively and completely analyze disaster impacts. Supplier issues must be considered. The single points of failure identified in the hazard assessment are choke points, and their criticality must be assessed. If a key supplier or service provider experiences a disaster, consideration must be given to how it will affect internal functions identified as being highly time-critical.
Based on the BIA results, suppliers should be ranked and prioritized according to their importance to the company’s mission, their relative potential risk, and the level of ease or difficulty in replacing them. Assurance of supplier continuity capabilities is of paramount concern today. With the realization that most business processes extend beyond the boundaries of any specific company, awareness of critical supply chain interdependencies has risen sharply. It is not enough (although it is important) to simply have profiles of potential high-risk suppliers and to make good choices in the supplier selection process.
Once a service provider or supplier is identified as being highly time-critical, the need to have a strategy to address any failure to deliver also becomes highly critical. As part of the BIA process, your key suppliers and contractors should be asked about their business continuity plans. (And don’t be surprised if your customers ask for information about your business continuity capability when they are evaluating current or potential suppliers or service providers.)
The supply chain is a core competency of an organization and the revenue generator for most businesses. Market share, stakeholder confidence, and the bottom line all rely on continued delivery of product or service to remain healthy. Sales can or may be lost as a result of late deliveries. While customers will not necessarily take legal action if this occurs, most contracts include penalties for failure to comply. Purchase orders are binding legal contracts, and failure to meet service level agreements can result in penalties and, even worse, lost customers. Chargebacks can be another potential consequence of late fulfillment of orders.
There are choices in how the data for a BIA are gathered. Most often, a survey or questionnaire is distributed. Based on what works best in your organization, the document may be electronic or paper. There is no one best BIA survey or questionnaire. Each needs to be developed and tailored to the specific organization’s size, complexity, and culture. As discussed earlier, a variety of off-the-shelf software packages designed to assist with the BIA process are also available.
An organization chart may be used to ensure that no business units are overlooked as well as to identify knowledgeable individuals in each business unit who are qualified to provide accurate and complete information.
As stated previously, it is important that those asked to provide information understand what is needed, why it is needed, at what level of detail, and how the information will be used. It should be made clear to those completing the survey that the information they provide will not be used for staff or budget reductions. It should also be stressed that the information must be based on business operations under normal conditions, rather than in a disaster situation. BIA responses should help create a “snapshot” of usual operations. If resources permit, conducting an orientation session or a workshop for those who will be providing information is a good way to initiate the data gathering process.
The survey document should be distributed with full instructions on how to complete it, as well as clear expectations as to when the information is to be returned and to whom. Contact information should be provided as well regarding whom to call if anyone has questions while completing the survey.
Information to be gathered from each business unit includes the identification by the department manager of the most time-critical functions as measured against the established criteria and the manager’s estimate of the maximum allowable downtime for each function. Then, for each of the identified functions, data may be gathered on information such as:
Skill sets required
Number of persons required to carry out the function
Number of persons trained and capable of performing the function
Whether the function is duplicated at another location, and if so, where
Required hardware
Essential applications and software used
Nonstandard equipment required
Electronic documents or databases needed, the primary source for each, and, if applicable, how often it is backed up and the backup source(s)
Paper documents needed, the primary source, and, if applicable, the backup source(s)
Key times in the business cycle, such as end of quarter, end of fiscal year, and/or end of payroll cycle
Internal dependencies: other business units or functions
Essential suppliers, contractors, outsourcing companies, and other external resources required to perform the function
Identified alternatives for each sole source supplier or service provider
An estimate of minimum requirements including space, desks, computers, phones, printers, scanners, and other office furnishings and equipment
In organizations with no current business continuity program, some departments may have unilaterally taken steps to implement continuity measures. To learn about a business unit’s existing level of business continuity awareness and self-preparedness, a request can be made for yes or no responses to a series of statements, such as:
Written procedures are in place to continue work in the event of computer downtime.
Shutdown procedures are in place with specific employees assigned to carry out the procedures in the event the building must be evacuated.
Written procedures are in place for continuing operations if building access is denied for more than twenty-four hours for any reason.
Alternate sources for essential supplies, materials, equipment, and services have been identified should the primary supplier be unable to meet the department’s needs.
The department has a tested procedure for contacting employees in the event of a disaster.
Progress in the receipt of completed BIA surveys should be monitored regularly. Those whose responses are not received as expected should get follow-ups to see how completion of the document is progressing and whether any assistance is needed.
All completed surveys should be reviewed to ensure accuracy and completeness. Additional information may be necessary. Also, responses to some questions may require clarification, validation, or more details.
Follow-up interviews can be conducted to gather any additional information needed and to clarify issues arising from survey responses. It is likely that in an interview, additional information will surface that was not included in the written survey, and a discussion provides a good venue for double-checking the results against the criticality criteria.
An additional step I’ve found of great value during the BIA process and beyond is to draft a summary of key points from the survey and interview. Provide the summary to each person interviewed for his or her review and revision to ensure that the summary is accurate and complete. This avoids the possibility of planning based on assumptions or inaccurate interpretation of responses.
Here is an example of a BIA department summary.
BUSINESS UNIT: RECEIVING, DISTRIBUTION, AND TICKETING
Person(s) Interviewed: Susan Jackson, Business Unit Manager
Date of Interview: September 18, 2010
KEY POINTS
Function Overview
Ms. Jackson is manager of Receiving, Distribution, and Ticketing (RDT). With a total staff of 34 people, RDT is an important element in the distribution supply chain for all brands throughout North and South America. RDT interfaces with inventory, warehousing, import/export, accounts payable, buyers, and store operations. The department handles merchandise from vendors in the United States and Europe. Specific responsibilities include correcting errors such as SKU numbers and missing PO style, creating receiver authorization for merchandise shipments, closing receiver authorization, creating tickets, picks, and putaways. Prices are set at corporate headquarters and transmitted by EDI for access by RDT. Price updates are received daily.
Department employees are crossed-trained and can process all brands. In addition, step-by-step procedures have been documented in an Excel document that is revised when any processes change. Printed copies are maintained in the manager’s office.
The work done in this department is not duplicated at any other location.
Most Time-Critical Business Functions/Estimated Allowable Downtime
EDI ASN invoices |
1 day |
Printing of picks |
1 day |
Printing of price tickets |
1 day |
Purchase order update |
1 day |
E-mail/communication |
1 day |
Intercompany transfers |
2 days |
Store replenishment |
1 day |
Generate tickets for price events (markups, markdowns) |
2 days |
Other department responsibilities include updating buyers of shipments by sending ASNs via e-mail, and tracking deliveries.
Peak seasons are September and October for holiday shipping, and June and July.
Applications Needed (excluding standard Word, Excel, PowerPoint, and Outlook)
Standard Equipment Needs (estimate minimum number required)
Workspaces — 12
Telephones — 10
Shared Printers — 4
Fax — 2
Scanner — 1
Special Equipment Needs
Manual ticket guns
Tickets (6 different types)
Monarch Ticket Printers
Financial Information
Loss of this function could stop or delay shipment of product resulting in lost sales and possible chargebacks.
Notes
Receive approximately 500 Advance Shipping Notices (ASNs) daily, up to 5,000 a week. No merchandise moves without this process.
In a typical one-week period, RDT processes 60,000 pieces for (brand) alone. During peak seasons, overtime is required to meet shipping and delivery time frames.
Use six types/sizes of tickets, approximately 25,000 to 35,000 daily. Some tickets are interchangeable. A 2-to 3-week vendor lead-time is required for ticket stock; a 6-month supply is kept on hand in the department. The vendor holds a limited number of additional rolls of tickets for immediate availability if needed (each roll has 2,000 tickets). In addition, while tickets are not currently purchased from other vendors, an alternate vendor that can supply all six ticket types has been identified.
If necessary for any reason, receipts could be recorded manually in a log and tickets could be handwritten, though this process would be slow and require a significant number of additional person-hours. Styles and distribution for the warehouse could also be handwritten, though doing so would take a great deal more time. An unanswered question is whether factories and suppliers would stockpile merchandise if we couldn’t receive and for how long they would do so.
These summaries provide an invaluable reference throughout the continuity planning process. When combined, they present a unique and complete view of departments throughout the organization.
Survey responses are then used to develop a list or database of the resources needed to accomplish business continuity. These resources include equipment, supplies, hardware, software, databases, office furniture, telecommunications equipment, and forms necessary for the resumption of time-critical functions. Both standard and special equipment needs must be identified. While most business units throughout an organization use company standard equipment such as PCs and printers, some business units have requirements for special equipment such as Mac computers, color printers, a secure printer, a dot matrix printer, wrist scanners, ticketing guns, mail room equipment, and shredders. In a disaster situation, learning that special equipment needed to fulfill an extremely critical function is not available can prevent meeting the RTO of the immediate function and all dependent functions.
A second set of resources listed should include outsourced service providers, vendors, suppliers, and contractors that are essential to the time-critical functions.
To make certain that all supply chain resource requirements have been identified, representatives from supply chain business units should be gathered to create a list of the resources needed for each critical link. This list should include people and skills, hardware, computer applications, communications capability, equipment, and services provided by suppliers, vendors, contractors, and outsourcing companies. The supply chain map helps ensure that no required resources are omitted.
Here is a word of warning when attempting to identify necessary resources: Business continuity is survival mode, not business as normal. It can be difficult to narrow down the perception of what is necessary. As an example, in an environment where every employee has his or her own office or cubicle, desk, computer, telephone, and perhaps even a dedicated printer, scanner, and fax, it can be challenging to think in terms of employees sharing a computer and telephone, having to wait in line for a printer or fax, and working together at long tables in a very large room. Business continuity planning requires thinking in terms of what is absolutely required to complete critical tasks— nothing more.
When identifying necessary internal resources, employee-related continuity issues are of enormous importance for companies and especially for service delivery businesses. This may include continuing operations even when employees can’t make it to their usual work location because roads and bridges are impassable or employees need to take care of their families following a natural disaster such as an earthquake that destroys or severely damages homes. While business continuity planning once put great emphasis on the protection of data, information systems, and other technology, as well as on equipment, today’s business continuity practitioners agree that while technology is of tremendous importance, the greater issue is employee continuity. Computers and data or sophisticated equipment without skilled and experienced employees will not fulfill customer needs.
Also identified in the BIA process is the electronic data needed to support time-critical functions. The recovery point objective identifies the maximum amount of data an application can lose before the organization begins to suffer. The RPO is typically measured in terms of time, such as four hours or one business day. For some functions in some types of organizations, where there are great amounts of money involved in transactions every minute (such as a stock exchange), there can be no data loss. In other organizations, where the amount of data processed is less or where the data is readily available for reentry, the RPO will be greater.
The last stage of the BIA process is to establish the recovery time objectives for all identified critical business functions. Starting with the most time-critical, you must determine the maximum amount of time the function can be nonoperational before it impacts the organization negatively—before monetary losses become substantial. This becomes the recovery time objective. The RTO may be thought of as maximum allowable downtime, or “how long is too long” for the organization to be without the function.
A method of grouping and categorizing functions with similar RTOs should then be established. (See Figure 6-2 for one example of how this might be handled.)
Another approach is to group functions into three categories and assign an RTO to each category. For example:
Time-Critical: Core business operations with considerable costs related to their not being operational
Necessary: Important, but relatively simple to work around for a limited period of time without the organization incurring significant losses
Non–Time-Critical: Nice to have, but loss of function for a period of time will not result in a significant loss to the organization
Category | RTO |
Level 1 | 0 to 4 hours |
Level 2 | 5 to 24 hours |
Level 3 | 2 to 3 days |
Level 4 | 4 days to 1 week |
Level 5 | 8 days to 15 days |
Level 6 | 16 days to 30 days |
Level 7 | More than 30 days |
Once the BIA process is completed, a report is submitted to executive management that details the entire process and findings. Based on information in the report, management can approve the business functions identified as time-critical and the related priority order and time frame for continuing or restoring each, or the criticality level and sequence for some functions may be reprioritized and the RTOs adjusted.
The BIA report should include a section that addresses the potential losses that could be experienced as a result of disaster-related downtime. In calculating the losses, include lost productivity, lost revenue, diminished financial performance, and damage to the organization’s reputation. Other items that may be included are extra shipping costs, overtime costs, inventory that may be lost or become dated, and money spent on marketing campaigns that will be lost. And don’t forget the intangibles. This financial information demonstrates the value of meeting the continuity requirements determined by the BIA. It also helps validate the allocation of resources and funding for the business continuity program.
As with anything going to executive management, the report should be tailored to reflect its audience. The following is an example of an outline for a detailed BIA report.
EXECUTIVE SUMMARY
SECTION I: BUSINESS IMPACT ANALYSIS (BIA) PROJECT OVERVIEW
1.1 Project Mission Statement
1.2 Project Background
1.3 Methodology and Process
SECTION 2: BUSINESS IMPACT ANALYSIS RESULTS
2.1 Time-Critical Business Functions
2.2 Recovery Time Objectives
2.3 Regulatory and Audit Requirements
2.4 Business Unit Ranking
2.5 Financial Considerations
2.6 Intangible Impacts
2.7 Application Ranking
2.8 Current Department Business Continuity Preparedness
SECTION 3: BUSINESS CONTINUITY RECOMMENDATIONS
3.1 Corporate Business Continuity Program
3.2 Department Business Continuity Planning
3.3 Disaster Recovery Planning
3.4 Warehouse Business Continuity Planning
3.5 Additional Recommendations
SECTION 4: EMERGENCY PREPAREDNESS AND RESPONSE RECOMMENDATIONS
4.1 Emergency Communications Capabilities
4.2 Recent Steps and Current Status
4.3 Emergency Preparedness and Response Program
ATTACHMENTS
1. Sample BIA Survey Document
2. Interview Summaries
3. Business Unit Time Criticality Responses and Scoring
4. Participant Responses to Business Continuity Questions
5. Business Unit Ratings: Time Criticality Scores
6. Business Unit/Application Cross-Reference
7. Identified Standard Equipment and Supply Needs
8. Identified Special Equipment and Supply Needs
In addition to the written report, an in-person presentation of the results provides an opportunity to respond to any questions and concerns and build continuing support for the program.
An effective business impact analysis identifies and examines time-critical business functions and core processes in all departments that, if interrupted, would create a severe financial or operational impact on the organization. The results are used to support development of continuity strategies and the procedures needed to enable the continuity of time-critical functions. In addition, at the conclusion of the process, the department manager will have gained an understanding of the length of time that functions within the department may not be available following a disaster. Omitting supply chain business units from the BIA prevents these units from being fully represented in the business continuity planning process and resulting plans. The omission also leaves the organization’s supply chain managers in an information void with respect to what the company expects of them in the event of a disaster and what they can expect from the company.
Determine whether a BIA was conducted in your organization.
If so, understand what criteria were applied to identify the most time-critical business functions.
Find out whether your business unit was included in the BIA and, if so, the results.
Determine to what extent external dependencies were addressed in the BIA.
If a BIA was completed, consider whether operational changes that have been implemented since it was conducted make it necessary to revisit the BIA results.
In the absence of a BIA, consider conducting a BIA of the supply chain business units.
3.133.108.103