142 • Supply Chain Risk Management: An Emerging Discipline
dependencies. Analysis of the data gathered through these interviews
paints a picture of the critical paths within a business at any given time.
This step also identifies the business threshold for disruption loss,
including applications, systems, platforms, and infrastructure.
The business impact analysis identifies the preliminary recovery time
objective (RTO)³ and recovery point objective (RPO).⁴ It is important to
remember when designing a business continuity solution that the goal is
not to restore business to normal, but to restore what is most crucial
at a given time. For example, if the company issued payroll the day
previous to an “event,” restoring the payroll process would not be critical.
But if payroll was to be released the day after the event, then restoring
the payroll process would be critical, especially to employees. The business
process owners also describe work-around procedures that can be
implemented until the process can be resumed or the staff can return to work.
Risk Assessment. The risk assessment stage identifies business
continuity risks that could result in a business process disruption or hinder
recovery. A risk assessment usually includes a facility assessment and
an environmental analysis. A high-level physical inspection of a
facility should include a review of the electrical design, mechanical heating,
ventilation, and air-conditioning (HVAC) design, communications and
network architecture review, physical security evaluation, emergency
egress/ingress, and structural design of the data center and call center
(as applicable). The environmental risk analysis includes the analysis of
the likelihood of natural and man-made disasters at a specific location.
After the risks are identified, they should be ranked and rated by criteria
specified in the business continuity standards.
Recovery Strategies. The data gathered from the BIA and risk assessment
portray the existing business continuity capabilities and gaps. Recovery
strategies are developed to mitigate these potential risks. Recovery
strategies and the associated estimated costs for implementation are developed
and presented to the business continuity governance board for review. It
is up to the governance board to approve and fund the chosen recovery
strategies. Note that the governance board should also sign off on
high-ranked business risks, with the reasoning for any decision not to
remediate a risk.
Business Continuity/Disaster Recovery Plans. Business continuity
planning allows for the availability of critical business processes in the event
of an incident that renders facilities, computer systems, and/or employees
inoperable or inaccessible. The goal of the creation and implementation of
business continuity and disaster recovery plans is to minimize economic