What Is a Business Impact Analysis?

A business impact analysis (BIA) is a study used to identify the impact that can result from disruptions in the business. It focuses on the failure of one or more critical information technology (IT) functions.

Another way of thinking of a BIA is that it helps with identifying the systems critical to the survival of an organization. As a reminder, survivability is the ability of a company to survive loss due to a risk. Some losses are so severe that they can cause the business to fail if they aren’t managed.

A basic understanding of the following terms is necessary when working with BIAs:

  • Maximum acceptable outage—The maximum acceptable outage (MAO) identifies the maximum acceptable downtime for a system. If an outage exceeds the MAO time, it negatively affects the organization’s mission. The MAO directly affects the recovery time.
  • Critical business functions—Critical business functions (CBFs) are those considered vital to an organization. If a CBF fails, the organization loses the ability to perform essential operations, such as selling products to customers. If the organization cannot perform the function, it loses money.
  • Critical success factors—Critical success factors (CSFs) are the elements necessary to perform the mission of an organization. An organization will have a few elements that must succeed for the organization to succeed. For example, a reliable network infrastructure may be considered a CSF for many companies today. If the network infrastructure fails, all other business functions may stop.

TIP

The BIA includes systems critical to the company’s survivability. However, lesser systems can also be included. For example, a company may have significant problems if email capabilities are lost for a week, but the company wouldn’t necessarily fail. Still, email may be considered important enough to include in a BIA.

The BIA isn’t intended to cover all IT functions, only the critical IT systems and components. These are found by first identifying the CBFs: any system or component that supports a CBF is critical.
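To make the relationship between CBFs, their supporting systems, and the MAO concrete, here is a small BIA worksheet model in Python. It is an added example, not code from the textbook: every function name, system name, and hour value is constructed for illustration. It derives each system's MAO as the tightest MAO of any CBF that depends on it, ranks the systems, and flags the ones whose estimated recovery time would exceed that MAO (the items contingency planning has to address).

```python
"""Added example (not from the textbook): a minimal BIA worksheet model.

Constructed data: three critical business functions (CBFs), each with a
maximum acceptable outage (MAO) in hours and the IT systems it depends on.
All names and numbers are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CBF:
    name: str
    mao_hours: float            # maximum acceptable outage for this function
    supporting_systems: tuple   # IT systems the function cannot run without


# Constructed sample input; all names are made up for illustration.
SAMPLE_CBFS = (
    CBF("Online order processing", 4.0, ("web-storefront", "order-db", "payment-gateway")),
    CBF("Warehouse shipping", 24.0, ("order-db", "wms")),
    CBF("Customer email", 72.0, ("mail-server",)),
)

# Constructed estimates of how long each system currently takes to restore.
SAMPLE_RECOVERY_HOURS = {
    "web-storefront": 2.0,
    "order-db": 8.0,
    "payment-gateway": 1.0,
    "wms": 12.0,
    "mail-server": 48.0,
}


def system_mao(cbfs):
    """Derive each supporting system's MAO: the tightest MAO of any CBF it
    supports. A system shared by several functions inherits the strictest
    requirement, which is why order-db ends up with 4 h, not 24 h."""
    mao = {}
    for cbf in cbfs:
        for system in cbf.supporting_systems:
            mao[system] = min(mao.get(system, float("inf")), cbf.mao_hours)
    return mao


def prioritized_systems(cbfs):
    """Critical systems ordered by derived MAO (shortest first), then by name."""
    mao = system_mao(cbfs)
    return sorted(mao, key=lambda s: (mao[s], s))


def recovery_gaps(cbfs, recovery_hours):
    """Systems whose estimated recovery time exceeds their derived MAO, mapped
    to the CBFs that would actually be violated. A system with no recovery
    estimate is treated as a gap affecting every CBF that depends on it."""
    mao = system_mao(cbfs)
    gaps = {}
    for system, limit in mao.items():
        actual = recovery_hours.get(system)
        if actual is not None and actual <= limit:
            continue  # recovery fits inside every dependent function's MAO
        affected = tuple(
            c.name for c in cbfs
            if system in c.supporting_systems
            and (actual is None or actual > c.mao_hours)
        )
        gaps[system] = affected
    return gaps


if __name__ == "__main__":
    mao = system_mao(SAMPLE_CBFS)
    for system in prioritized_systems(SAMPLE_CBFS):
        print(f"{system:16} MAO {mao[system]:>5.1f} h")
    for system, affected in recovery_gaps(SAMPLE_CBFS, SAMPLE_RECOVERY_HOURS).items():
        print(f"GAP: {system} cannot be restored within its MAO; affects {', '.join(affected)}")
```

With the constructed data, order-db is the only gap: its 8-hour recovery is fine for warehouse shipping (24 h) but breaks online order processing (4 h), which is the kind of shared-dependency finding a BIA is meant to surface.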

TIP

A stakeholder is any individual or group that has a stake or interest in the success of a project. Stakeholders include executives and managers who have a stake in the success of their department or division, meaning they want to ensure success in their area of responsibility.

What makes a business function critical? Any stakeholder can determine that a business function is critical. If the stakeholder determines that the loss of the function will cause an unacceptable loss, it is a critical function. The stakeholder makes this decision based on experience and opinion, and it is not made lightly. Once the function has been designated as critical, the stakeholder needs to dedicate resources (money and personnel) to protect it.

Additionally, a law can dictate that a function be considered critical. For example, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of health-related information. Access controls and other protection measures are critical components required to maintain HIPAA compliance.

The BIA is largely a data-gathering process. Input is received from stakeholders, users, process owners, and others in the organization. Data can be gathered from interviews, questionnaires, and surveys or by reviewing available reports; any method that provides information on the target system can be used.

The BIA doesn’t provide solutions. It is part of, and provides input to, a larger business continuity plan (BCP), and it is the BCP that includes solutions. For example, the BCP may recommend controls to reduce the impact of an outage.

Comparing a BIA with a risk assessment helps clarify the purpose of a BIA. A risk assessment looks at threats and vulnerabilities. A risk occurs when a threat exploits a vulnerability to harm an asset, and the primary goal of a risk assessment is to reduce that risk by reducing or eliminating the vulnerability or by reducing the impact of the threat and its harm on the asset.

A BIA, on the other hand, doesn’t address threats or vulnerabilities the way a risk assessment does. Instead, it looks at the effect of an outage. Although the focus of a BIA is primarily business continuity, it can also feed a risk assessment: if the goal is to determine which systems need to be evaluated in a risk assessment, a BIA can be used to identify and prioritize the critical systems.

Similarly, if a risk assessment has already been completed, its data can help in creating the BIA. One of the first steps in a risk assessment is to identify assets, and that inventory helps identify the assets that are important to the organization.

Collecting Data

Several methods are available for gathering data in the BIA. One is to interview key personnel. To improve the quality of the data gathered, interviews should be planned: make sure the people to be interviewed have time to answer, and prepare the right questions in advance. The questions should focus on CBFs and the MAO of the resources that support them.

Another method is to use paper- or computer-based questionnaires, forms, or surveys that are limited and focused, that is, covering only one process at a time. For example, a SharePoint website could be used to gather and compile the data. If a form is too long, people may not have the time to complete it, whereas a shorter form can elicit more usable information.

Another method of collecting input is to host meetings or conference calls. A benefit of this format is that people can interact with each other, which can produce richer results. However, reaching consensus may be difficult, especially when trying to rank the priority of different systems.

Seven Steps of Contingency Planning

The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Contingency planning helps an organization identify measures to recover services after an emergency or disaster. SP 800-34 Rev. 1 includes information on BIAs. Even though SP 800-34 Rev. 1 is focused on federal information systems, it can also be used for private companies.

SP 800-34 Rev. 1 identifies seven steps to contingency planning. The seven steps are:

  1. Developing the contingency planning policy statement
  2. Conducting the business impact analysis
  3. Identifying preventive controls
  4. Creating contingency strategies
  5. Developing an information system contingency plan
  6. Ensuring plan testing, training, and exercises
  7. Ensuring plan maintenance

As the second step shows, the BIA drives much of contingency planning: contingencies need to be planned only for the systems that the BIA identifies as critical.

Varying Data Collection Methods

Various data collection methods can be used. For example, because some people may hold a great deal of information, an interview may be appropriate for them. But just because one person is interviewed does not mean everyone should be.

If people are already weighed down with a large number of meetings, they may resent another meeting for a BIA. On the other hand, they may welcome the opportunity to fill out an online form at their leisure.
