Business Impact Analysis (BIA) Policies

A business impact analysis (BIA) is the first step in building a security response and business continuity plan (BCP). Not all security events will require a recovery plan; however, if a security incident creates outages, you need to know which processes are most important to the business and provide for their recovery first. You can use the BIA to coordinate the security and business responses to minimize losses.

Many BIAs are based on building out multiple scenarios. Each scenario is a likely incident, and the impact of that incident is analyzed. This includes natural disasters such as a fire in the server room, as well as computer hardware failure or cyberattacks. The BIA will include the probability of each event as well as the damage from such an event.

The main intent of a BIA is to identify which assets are required for the business to recover and continue doing business. This identification of key assets and business priorities can then be used by the IRT manager to drive key decision making during an incident. These assets include critical resources, systems, facilities, personnel, and records. Additionally, the BIA identifies recovery times.

NOTE

The BIA is created by the line of business with the participation of the security team. The BIA is used for both information security and non–information security purposes. For example, it’s used to help identify market risks.

Once the data is collected, you need to perform an analysis. Compile all requirements and integrate the knowledge into the incident response processes.

TIP

Keep in mind that the BIA process is used to recover from a variety of incidents, not just security breaches. As a result, you need to pick and choose the information most relevant for the IRT’s needs.

Component Priority

Use the BIA to identify adverse effects on the organization. During this process you identify key components. A component can be a function/process or a system such as a database server. How detailed the component definition is depends on the organization. It must be of enough detail that the impact on the business is clear and a recovery strategy can be selected.

The source for this information is the business itself. A BIA cannot be conducted in isolation. It is the business that must establish the priority of components. This phase of the BIA has the following objectives:

  • Identify all business functions and processes within the business.
  • Define each BIA component.
  • Determine the financial and service impact if the component were not available.
  • Establish recovery time frames for each component.

There are specific metrics that are collected or computed for each component. One such metric is the maximum tolerable downtime (MTD): the longest a component can be out of service before the organization suffers catastrophic damage. A related metric is mean time to recovery (MTTR), sometimes called mean time to repair: the arithmetic mean of the time historically needed to bring the component back online or to replace it. MTD is a business constraint; MTTR is an observed capability. If a component's MTTR exceeds its MTD, the current recovery strategy for that component is not adequate and must change. These two metrics feed into the recovery time objective (RTO), which is discussed a bit later in this chapter.

Component Reliance

One of the most important parts of the BIA is the determination of dependencies: which components rely on other components, and what each component needs in order to run. Dependencies on other BIA components matter most, because an outage in a shared component cascades into everything built on it. The BIA must also identify specific resources, such as technology and facilities, and scarce dependencies such as specialized skills held by only a few people.

The key objectives of this phase of the BIA are to:

  • Identify dependencies, such as other BIA components
  • Identify resources required to recover each component
  • Identify human assets needed to recover these components
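The priority metrics above (MTD, MTTR) and the dependency map are more useful together than apart, because a component's real recovery time includes the time to recover everything it depends on. The following is an added example, not part of the original text or any organization's BIA: it takes a small constructed component inventory with MTD, MTTR and dependencies, orders recovery so that dependencies come first (most urgent MTD breaking ties), rejects dependency cycles and unknown dependencies, computes each component's earliest possible restoration along its dependency chain, and flags components whose chained recovery time exceeds their MTD. The inventory, the hour values and the assumption that independent components are recovered in parallel are all illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Component:
    """One BIA component (function/process or system) and its metrics."""
    name: str
    mtd_hours: float                 # maximum tolerable downtime (business constraint)
    mttr_hours: float                # mean time to recovery (observed capability)
    depends_on: List[str] = field(default_factory=list)


# Constructed sample inventory for illustration only; not real data.
# orders_app alone repairs in 1 hour, but it cannot come up before db and
# identity, which in turn need network. That chain is what the analysis exposes.
COMPONENTS: Dict[str, Component] = {
    "network":    Component("network",    mtd_hours=4,  mttr_hours=1),
    "identity":   Component("identity",   mtd_hours=4,  mttr_hours=2, depends_on=["network"]),
    "db":         Component("db",         mtd_hours=8,  mttr_hours=3, depends_on=["network"]),
    "orders_app": Component("orders_app", mtd_hours=4,  mttr_hours=1, depends_on=["db", "identity"]),
    "reporting":  Component("reporting",  mtd_hours=72, mttr_hours=2, depends_on=["db"]),
}


def recovery_order(components: Dict[str, Component]) -> List[str]:
    """Topological order (dependencies first); ties broken by smallest MTD.

    Raises ValueError for an unknown dependency or a dependency cycle, since
    either means the BIA dependency map is incomplete or inconsistent.
    """
    indegree = {name: 0 for name in components}
    dependents: Dict[str, List[str]] = {name: [] for name in components}
    for comp in components.values():
        for dep in comp.depends_on:
            if dep not in components:
                raise ValueError(f"{comp.name} depends on unknown component {dep!r}")
            indegree[comp.name] += 1
            dependents[dep].append(comp.name)

    ready = [name for name, k in indegree.items() if k == 0]
    order: List[str] = []
    while ready:
        # Among components whose dependencies are all restored, recover the
        # one with the least tolerable downtime first.
        ready.sort(key=lambda n: (components[n].mtd_hours, n))
        current = ready.pop(0)
        order.append(current)
        for dependent in dependents[current]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)

    if len(order) != len(components):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def earliest_restoration(components: Dict[str, Component]) -> Dict[str, float]:
    """Hours after the outage at which each component can be back in service.

    Assumption (illustrative): components with no unmet dependencies are
    repaired in parallel, so restoration time is the longest dependency path,
    i.e. max(restoration of dependencies) + own MTTR.
    """
    finish: Dict[str, float] = {}
    for name in recovery_order(components):
        comp = components[name]
        start = max((finish[dep] for dep in comp.depends_on), default=0.0)
        finish[name] = start + comp.mttr_hours
    return finish


def mtd_violations(components: Dict[str, Component]) -> List[str]:
    """Components whose chained recovery time exceeds their MTD."""
    finish = earliest_restoration(components)
    return sorted(n for n, t in finish.items() if t > components[n].mtd_hours)


if __name__ == "__main__":
    restore = earliest_restoration(COMPONENTS)
    for name in recovery_order(COMPONENTS):
        c = COMPONENTS[name]
        slack = c.mtd_hours - restore[name]
        print(f"{name:<11} restored at {restore[name]:>4.1f}h  MTD {c.mtd_hours:>4.1f}h  slack {slack:>5.1f}h")
    print("MTD violations:", mtd_violations(COMPONENTS))
```

In the sample inventory, orders_app is the component that fails its MTD even though its own MTTR is the shortest in the list: it cannot be restored until db is, and db waits on network. That is the kind of finding the dependency phase exists to surface, and the fix is a decision for the business (raise the MTD, shorten db's MTTR, or remove the dependency), not something the IRT can improvise during an incident.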

Impact Report

Once you complete the assessment, compile the results, formulate recommendations, and identify where those recommendations integrate into the IRT process.

With this in hand, the business can make decisions. The BIA impact report is not just issued unilaterally by one office or group. You should develop it as a collaborative effort among key stakeholders. These stakeholders include executive leadership, risk teams, IT, and the business. The process of producing the report creates the consensus. Most important, the collaboration process builds the political will to implement the BIA recommendations.

The key objectives of this phase of the BIA are to:

  • Validate findings of the BIA report
  • Create consensus for its findings and recommendations
  • Provide a foundation for other assessments
  • Start educating individuals who are key to recovery

The BIA final report is an essential component of an organization’s business continuity. It becomes the key document in planning the IRT process. It sets the organization’s priorities for IRT responses and for funding IT resiliency efforts. Resiliency is the term used in IT for the infrastructure’s ability to withstand a disruption and to recover quickly from an outage.

Development and Need for Policies Based on the BIA

The BIA describes the mission-critical functions and processes. This report leads to further assessments that identify threats and vulnerabilities. You typically produce a BIA annually. Next, you compare the findings to existing security policies. This comparison identifies gaps that may be opportunities to improve policies.

As a business changes over time, the BIA is an excellent way to understand the business. This top-priority list of business processes helps focus security efforts to protect the most vital assets of the business. It also drives security decisions on how these assets are to be protected and recovered.
