
Conducting Business Impact Analysis for Business Continuity Planning


By: Ron French, CBCP

March 1, 2013


Business Impact Analysis (BIA) Objective


The objective of the BIA for any business continuity plan is to itemize and prioritize a company’s most critical business operations, internal resources, and internal and external support dependencies.  Part of this process is the identification of the recovery time objectives for each of the mission critical functions.

What should be avoided in the BIA is any itemized listing of detailed business processes, work procedures, and resources that are of no consequence to the critical overall enterprise functions.  A clear distinction should be made between descriptions of mission essential operations and lists of detailed work procedures. Descriptions of individual work procedures do not belong in the BIA.  Those descriptions just add unnecessary bulk to a business continuity plan.  If business unit processes, operations, and resources don’t contribute directly to the mission essential operations, then they should be considered for inclusion in the details of the business unit recovery plans. Identifying critical resources and prioritizing the recovery time objective of each critical business operation is crucial for a viable BIA.

Characteristics of Critical Business Functions

  • They are strategic in nature: they promote the mission of the company or organization.
  • They are important to the customers, whose livelihood may depend on those functions.
  • Their interruption or loss immediately impairs the ability of the company and its customers to perform their tasks.

Importance of BIAs

It is important to understand that the primary purpose of the BIA surveys is to obtain information on the company resources and business dependencies that are needed to sustain the company’s most critical business operations.  It is too late to try to compile lists of these company resources during or after an emergency, particularly if that information is damaged, destroyed, or otherwise not readily available in the first few hours of an emergency.  Listing critical resources before an emergency is particularly crucial in large companies with diverse and multiple business operations, employees in various occupations, widely separated work locations, and even multiple shifts.

BIA Survey Methodology

The business impact analysis (BIA) begins with a survey distributed to company employees to obtain information that is important in the response to an emergency potentially affecting critical business operations and the recovery of those critical business operations that are damaged by an event.

Historically, most BIA surveys were paper forms laboriously handed out to company employees.  Automated BIA surveys are becoming the norm because they obtain data quickly and efficiently and make it far easier to adjust and change data than was previously possible.  Web based BIA tools such as Continuum ™ facilitate the distribution of BIA surveys, controlled sharing of information, and overall ease of BIA data administration.

BIA surveys normally contain questions requesting information on employees, office equipment, computers and communications equipment (also known as information technology (IT) equipment), paper and automated data, and similar information.  What is frequently not explicitly explained in the instructions at the beginning of BIA surveys is that the primary purpose of these BIA surveys is the need to document information on company resources that are “critical to the continued operation” of the company enterprise.  Often, these resource lists are either inadequate because they don’t list all critical resources or employees “fluff” up the lists with too much data that is of no consequence in the recovery of their company’s critical operations.  Too much unnecessary information serves no useful purpose and increases the difficulty of emergency responses and business recoveries.

BIA Survey Data

The following data is needed to ensure the accomplishment of a complete BIA:

1. List each unique business organizational unit including the respective supervisor and relationship to the whole of the business enterprise.  In other words, list each primary and subsidiary business unit of the company.  Normally, a business unit is identified as a group of employees with a supervisor.

Numerous and diverse business units and employees within large companies may not be fully knowledgeable of each other’s operations and functions.  Identification of this data is necessary in the BIA because the diversity and size of many business units will make the determination of the status of the various business operations very difficult during the chaos of an emergency.  This data is later used in the BIA process to prioritize the critical processes.

Part of this list should be the identification of all “critical” employees within any business unit.  Criticality of employees should be analyzed in the context of the significance of the work they perform for critical operations and the skills they bring to do that work.  Not all employees perform critical operations and this would be very true during an emergency when “business as usual” is reduced.  This is a very sensitive issue with employees and their supervisors and must be handled with the utmost of care because most employees take pride in their work.  The same reasoning applies to the identification of other “critical” resources and equipment within any business unit.  This is discussed further below under resources.

Only those critical employees needed on site during an emergency, or at an alternate recovery site (if there is such a site) during the recovery, should be listed.  Additional employee lists, such as those used for recalls, should be maintained by the respective business unit supervisors.  Business unit employee contact lists (also sometimes called Call Trees) should list all employees of each business unit.  The supervisor of each business unit should be expected to maintain only the contact data for their own employees.

2. The BIA survey should identify the mission essential operations of the overall company and the critical operations within each subsidiary business unit that “directly” support those overall company mission essential operations.

List the critical organizational operations including:

  • Frequency of the operations
  • Contribution to the company’s revenue
  • Recovery time objectives (RTO)

The frequency of the operations pertains to the number of times the processes are performed.  An example of this would be the data backup schedules, legal reports, and employee pay cycles.  Notice these references are for “operations”, not procedures on how the operations are accomplished.

The RTO is the timeframe within which the loss of a process would begin to seriously degrade the company’s overall operational performance.  The RTO is normally shown in terms of the minimum number of hours or days the company needs for a particular function to be operational.  For example, if a company needs Operation “X” to be operational within 18 hours, then 18 hours becomes the RTO for that particular operation.

The contribution to the company’s revenue is a critical factor in that the loss of a revenue contributing operation could seriously affect the company.  Equally important to remember is the need to consider non-revenue factors when determining the criticality of a process.  For example, could the company’s overall credibility be affected if a process is not operational?  A case in point would be the loss of ATM operations for a bank. For some companies, such as banks, there are legal reporting requirements for certain operations and the loss of those operations would be serious even if they don’t contribute any revenue.

Operational Dependencies: Part of the data obtained for the operational dependencies should be a prioritized list of those internal or external operations (with their RTOs) that must be completed in order to accomplish subsequent operations.  This matters whenever a critical process depends on another process being operational first.  For example, Operation “X” can only work once the critical computer application it depends on is operational.  Data transfer, for example, may only be accomplished if the communication equipment, which may be operated by a separate company, is operational.

Lists of internal and external dependencies should be obtained and maintained regularly to include all necessary point of contact information for emergencies.  This information may include some of the following:

  • Support Services (e.g. transportation, supply, manufacturers, equipment and site maintenance)
  • Communication support
  • Utilities
  • IT support
  • Legal
  • Contracts
  • Facility maintenance

3. All resources affecting the critical business operations should be listed and prioritized according to their business unit and RTO.  This list should include office equipment (e.g. copiers, PCs), IT equipment, software, communications, office furniture, and internal/external dependencies.

Since business operations during an emergency are not “business as usual”, employees should not expect to have all the dedicated resources they have during normal times.  This is particularly true if they will be temporarily operating at an alternate recovery site with limited physical amenities and degraded operations.  Consequently, it is up to the COOP/BCP coordinator to work with the supervisors to ensure only truly needed resources are listed.  All employees must understand they will be required during an emergency to share among their business units such equipment as phones, copiers, fax machines and maybe even desks.  It is therefore important to identify resources that will be shared versus dedicated.

If the company has its own IT department or a complex IT support structure, the following data should be obtained in the BIA survey for insertion in the details of their IT business unit emergency recovery plans:

Computer equipment listing by

  • Type
  • Manufacturer
  • Vendor
  • Replacement cost
  • Replacement time

Computer software

  • Type
  • Version
  • Vendor
  • Licenses (including licenses for operations at additional/secondary sites, in case they operate at an alternate recovery site)

Schematics and Configurations of:

  • IT equipment
  • Software
  • Communication (include external dependencies such as ISPs)

It is very important to identify during the BIA survey the internal/external dependencies and RTOs among the software applications and the critical business operations.  This information is crucial to ensure the mission critical operation RTOs are correctly synchronized with the RTOs identified for the IT computers and software applications (and vice versa).

For example, if the RTO for Operation “X” is 12 hours but the RTO for computer application “Y” is 20 hours, then the RTO for Operation “X” must be adjusted (i.e. increased to 20 hours or higher) to accommodate the recovery and operation of computer application “Y”.  RTOs for all computer operations and critical operations must be synchronized to ensure an orderly recovery from an emergency.
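The RTO synchronization rule just stated, together with the prioritized dependency list called for under Operational Dependencies, can be computed rather than checked by hand once the BIA survey data is in one place. The following is an added example, not code from the article or from any BIA tool it mentions; the operation names and hour values are constructed sample data, and the rule applied (an item's effective RTO is at least the largest effective RTO among everything it depends on) is the one the text describes.

```python
"""Synchronize RTOs across a BIA dependency graph (added example)."""
from graphlib import TopologicalSorter

# Constructed sample data: declared RTO in hours and direct dependencies.
# Mirrors the article's case: Operation X (12 h) depends on application Y (20 h).
DECLARED_RTO = {
    "Operation X": 12,
    "Application Y": 20,
    "Comms link (external ISP)": 8,
    "Data transfer": 6,
}
DEPENDS_ON = {
    "Operation X": ["Application Y"],
    "Application Y": ["Comms link (external ISP)"],
    "Data transfer": ["Comms link (external ISP)"],
    "Comms link (external ISP)": [],
}


def synchronized_rtos(declared, depends_on):
    """Effective RTO per item: the declared value raised to at least the largest
    effective RTO among its dependencies. A circular dependency (a BIA data
    error) raises graphlib.CycleError rather than producing a bogus plan."""
    effective = {}
    # static_order() yields dependencies before dependents, so every
    # dependency's effective RTO is already known when its dependent is seen.
    for item in TopologicalSorter(depends_on).static_order():
        dep_max = max((effective[d] for d in depends_on.get(item, [])), default=0)
        effective[item] = max(declared[item], dep_max)
    return effective


def adjustments(declared, depends_on):
    """(item, declared, effective) for every RTO the survey understated."""
    eff = synchronized_rtos(declared, depends_on)
    return [(k, declared[k], eff[k]) for k in declared if eff[k] > declared[k]]


def recovery_order(declared, depends_on):
    """Prioritized recovery sequence: shortest effective RTO first, with
    dependencies always ahead of the operations that need them."""
    eff = synchronized_rtos(declared, depends_on)
    topo = list(TopologicalSorter(depends_on).static_order())
    # Effective RTO never decreases along a dependency edge, so sorting by it
    # (tie-broken by topological position) keeps dependencies first.
    return sorted(topo, key=lambda k: (eff[k], topo.index(k)))


if __name__ == "__main__":
    for item, was, now in adjustments(DECLARED_RTO, DEPENDS_ON):
        print(f"{item}: declared {was} h, must be at least {now} h")
    print("Recovery order:", " -> ".join(recovery_order(DECLARED_RTO, DEPENDS_ON)))
```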

4. All vital records should be listed and prioritized to support continuity and restoration.  This list should include the type of records maintained and their specific location.  The location of all vital records, paper and automated, should be clearly identified to facilitate their recovery and the determination of their condition.  Ideally, the responsible employee, with contact information, should be listed next to each respective vital record.