Approach to Business Impact Analysis

By balaji

August 19, 2009

Business impact analysis is the first step towards a comprehensive business continuity plan. The consequences of failing to maintain business continuity can be severe. A well-executed business impact analysis (BIA) can make the difference between a fully developed, robust business continuity plan and a mediocre one.

The objective of this article is to give a step-by-step procedure so that the BIA is approached in an organized manner. Alongside the procedure, the article answers the questions frequently asked (FAQ) during a BIA. The overall aim is to ensure that a comprehensive BIA is completed on time and that the common mistakes made during a BIA are avoided. The steps and their FAQs follow.

1. Identify and prioritize critical activities done by the department

All the critical activities need to be identified and categorized according to the priority of recovery.

FAQ - All my activities are critical, which one is the most critical one?

Answer - The most critical activity to be listed is the one that has to be brought up first after a disaster. Ideally, 'one' activity will start first and that activity will be the most critical one.

If the business demands it, it is possible to have 'two' activities as the most critical activities, and both can start simultaneously. This is a business call, as it depends on the resources/people available to start 'two' activities in parallel after a disaster.

2. Identify the number of people performing the critical activities

All the dependencies that are relevant to the critical activities have to be identified. People are one of the most important dependencies, as every business is dependent on them. Identify the number of people performing the critical activities.

FAQ - Do I have to mention the minimum number of people required to perform the activity?

Answer - No, here we are identifying the total number of people who perform the activity. For example, if there are 10 people performing an activity 'A', then the number will be 10 for activity 'A'.

Note - We will also identify the minimum number of people required to do activity 'A', but that comes later.

3. Identify the departments that give deliverables to your department

Many of your department's activities depend on other departments, so unless those departments deliver their outputs, your department's activities cannot move ahead. Example – 'Servers and IT infrastructure' must be ready and functioning properly before any 'business unit' starts working. Here the "IT infrastructure" team's output is "Getting the servers and infrastructure ready". When "IT infrastructure" is done with its activities, the "Business Units" can start theirs.

FAQ - My department is dependent on internal departments within the organization and also on outside companies, so do I need to address these outside companies?

Answer - Yes, any internal department or external company on which your department is dependent should be mentioned here. Example - The 'IT infrastructure' department needs to mention that it is dependent on the 'Internet Service Providers' for internet service.

4. Identify the departments that require deliverables from your department

This information identifies how many departments in the organization are dependent on your department. It lets us know who would be impacted if your department's activities were not performed.

FAQ - My department does not deliver to any internal department; its outputs go directly to the customer. Should I mention the customer?

Answer - Yes, any external company/customer or internal department receiving deliverables from your department needs to be mentioned here. Example - The packaging department should mention the customer's name, as it packages goods and delivers them to the customers.

5. Identify the maximum allowable downtime for each critical activity

Identify the maximum allowable downtime that the business is ready to accept after a disruption. This downtime could be in hours, days, weeks, etc. In order to respond to any type of disaster, consider the worst-case scenario. Good practice is to create ranges based on the organization's recovery priorities. If there are activities that need to be recovered within 4 hours and others that can wait up to 24 hours, you may want to consider the example shown.

  • Range 1 (0 to 4 hours)
  • Range 2 (4 to 8 hours)
  • Range 3 (8 to 12 hours)
  • Range 4 (12 to 24 hours)

All of the activities that need to be recovered within 4 hours would be considered Range 1 activities, and so on.

FAQ - My activity is very critical and needs to start within 15 minutes. How do I handle such a situation?

Answer - The time ranges should be customized to the organization. A Range 1 of '0 to 4 hours' could be valid in one organization and invalid in another, so modify the time ranges to suit your environment.

6. Identify the maximum allowable loss of data for business

To identify the maximum allowable loss of data, identify the point in time (relative to the disaster) from which you plan to recover your data. This shows how much data loss is acceptable. As in the example above, data loss can also be specified in ranges. An example:

  • Range 1 (24 hours - Data backup once a day i.e. data loss of 24 hours)
  • Range 2 (72 hours - Data backup once in 3 days i.e. data loss of 72 hours)
  • Range 3 (1 week - Data backup once a week i.e. data loss of 1 week)
  • Range 4 (2 weeks - Data backup once in 2 weeks i.e. data loss of 2 weeks)

All of the data that needs to be backed up once a day would be considered Range 1, and so on. Again, the ranges should be customized to your organization. A Range 1 of '24 hours' could be valid in one organization while another organization might have a Range 1 of '48 hours'.

FAQ - I have critical applications like Outlook installed on my machine. At what frequency do I need to back up these applications?

Answer - Applications like Outlook do not need to be backed up, as we can keep a backup of the application's setup on a CD at an onsite and an offsite location. But in the case of Outlook, the PST (mail files) needs to be backed up.


7. Identify minimum number of people required on the resumption day

Previously we identified all the people required to perform a single activity; now we need to identify the minimum number of people needed to start the activity. The people factor is important, as it does not make sense to have all the servers and all the infrastructure ready, only to find out that the people are absent.

FAQ - How can we start 100% of production activities with the minimum number of people?

Answer - We will not be able to start 100% of production activities after a disaster.

To ensure that we are ready to respond to any type of disaster, the worst-case scenario needs to be considered. It might not be possible to get all the people to work on the first day. During a disaster, people will not come to the office but will be at home with their loved ones. Another possibility is that people might not have transportation to reach the office.

We have to plan for an exponential growth rate in production, where we start from 10 to 20% production activity on day 1 and then slowly increase production.

8. Identify the financial impact on the organization

The financial impact can be expressed monetarily in numbers (quantitative terms) or in levels such as High, Medium or Low (qualitative terms). Where possible, impact should be expressed monetarily in numbers for purposes of comparison and better analysis. Financial impact should identify costs linked to failures, such as loss of profits, loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, and so on. It should also suggest appropriate fund allocation for measures to keep the critical activities running.

FAQ - If the company is not ready to share the financial numbers, what should be done?

Answer - It might be difficult for a company to give exact monetary values. In such cases, define ranges of monetary levels, so that the company can at least specify which range of impact it falls in.

The final step is to consolidate all this information and present it to the management. A number of points will be missing from the information provided, so ensure that all the missing information is completed. To get the information submitted correctly, stress that anything not submitted will not be recovered. The outputs of the Business Impact Analysis will be used to develop business continuity strategies and Business Continuity Plans.
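The consolidation step lends itself to a mechanical check. The following is an added example, not part of the original article: it groups activities by the step 5 downtime ranges and lists gaps to send back to departments. The field names, departments and figures are constructed, and the dependency comparison is an assumption drawn from step 3 (a department cannot resume before the department it depends on).

```python
# Added illustration: consolidating BIA returns before they go to management.
# Field names, departments and figures below are constructed sample data.
DOWNTIME_RANGES = [(4, "Range 1"), (8, "Range 2"), (12, "Range 3"), (24, "Range 4")]
REQUIRED = ("people_total", "people_min", "max_downtime_h", "max_data_loss_h")

SAMPLE = {
    "IT infrastructure": {"people_total": 10, "people_min": 3, "max_downtime_h": 8,
                          "max_data_loss_h": 24,
                          "depends_on": ["Internet Service Provider"]},
    "Order processing": {"people_total": 20, "people_min": 4, "max_downtime_h": 4,
                         "max_data_loss_h": 24, "depends_on": ["IT infrastructure"]},
    "Packaging": {"people_total": 15, "people_min": None, "max_downtime_h": 24,
                  "max_data_loss_h": None, "depends_on": ["Order processing"]},
}

def downtime_range(hours, ranges=DOWNTIME_RANGES):
    """Map a maximum allowable downtime in hours to a step 5 range label."""
    for upper, label in ranges:
        if hours <= upper:
            return label
    return "outside defined ranges"

def consolidate(records):
    """Return (activities grouped by downtime range, list of (activity, finding))."""
    by_range, findings = {}, []
    for name, rec in records.items():
        # Steps 2, 5, 6 and 7: every figure must be filled in before sign-off.
        for field in REQUIRED:
            if rec.get(field) is None:
                findings.append((name, f"missing {field}"))
        mad = rec.get("max_downtime_h")
        if mad is not None:
            by_range.setdefault(downtime_range(mad), []).append(name)
        # Step 3: an upstream department or supplier must be back first.
        for dep in rec.get("depends_on", []):
            dep_mad = records.get(dep, {}).get("max_downtime_h")
            if dep_mad is None:
                findings.append((name, f"no recovery time recorded for {dep}"))
            elif mad is not None and dep_mad > mad:
                findings.append(
                    (name, f"{dep} may be down {dep_mad}h, longer than the {mad}h allowed here"))
    return by_range, findings

if __name__ == "__main__":
    groups, issues = consolidate(SAMPLE)
    for label in sorted(groups):
        print(label, groups[label])
    for activity, finding in issues:
        print(f"{activity}: {finding}")
```

Pass a different `ranges` list to `downtime_range` when the organization needs a tighter first range, such as the 15-minute case in the step 5 FAQ.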

BIA is not a one-time process. The organization needs to undertake the business impact analysis and review its adequacy at planned intervals, and whenever significant changes occur to the organization or its activities.
