Adopting a Project Oriented Methodology
Business Impact Analysis (BIA) is an analytical process of identifying a company’s critical processes and facilities and determining the impact if such critical processes shut down or facilities become unavailable beyond a normal outage period. It is the cornerstone of a company’s disaster recovery plan.
The best approach toward creating a Business Impact Analysis is to treat it as a mini project:
- defining the scope, objectives, and duration of the project
- nominating a project manager responsible for implementation
- fixing powers and responsibility of the project manager and team members
Recovering from a disaster is not of much use unless the recovery happens within a reasonable time. A good business impact analysis defines this “reasonable” time by fixing a recovery time objective for each critical activity.
A good Business Impact Analysis starts from the top management and works down to the operations management team and floor-level workers. This not only helps secure the much-needed support and co-operation at lower levels, but also makes it possible to understand the critical components and processes first, and then the finer intricacies.
One best practice is to hold a kick-off meeting with the managers responsible for the core business processes to:
- introduce the program goals, time-lines and deliverables,
- raise awareness of the importance of the exercise
- provide instructions on how to answer the questionnaire
Comprehensive Data Collection
Data collection through a questionnaire is an important component in creating a business impact analysis.
Adopting the BS 25999-1 and BS 25999-2 standards helps prepare a comprehensive questionnaire. BS 25999 is a set of business continuity standards catering to planning, implementing, reviewing and monitoring, and improving business processes.
Each questionnaire should ideally be specific to a process and contain
- a detailed description of the process
- a list of all inputs and outputs, including the human and technical resources needed to support the process
- the department or location that “owns” the process, and the manner in which other departments or locations are connected with the process
- the maximum allowable outage time before impact occurs
- the financial and operational impact of the outage
- the legal or regulatory ramifications of the process
- the impact of any past outages and the corrective steps taken in their aftermath
- a description of workaround or work-shifting procedures.
The best approach is to deliver the questionnaire first and follow up later on an individual basis to review the answers. Face-to-face interaction clears up many unresolved questions and balances the answers.
Another good practice is a follow-up review and prioritization meeting with all managers after compiling the questionnaire data, to fill gaps not covered by any department and to prioritize processes based on their importance in the overall organizational context.
While a Business Impact Analysis questionnaire will invariably contain both qualitative and quantitative questions, veering toward quantitative data makes analysis easy. For instance, documenting the gross revenue and net profits of the business unit helps fix upper limits for the potential losses in the event of a shutdown.
Making the evaluation criteria clear contributes greatly to the success of the Business Impact Analysis initiative. If the questionnaire has values between 1 and 5, it becomes important to explain what each of these five values means, preferably in quantitative and easily comparable terms. For instance, a lower-level employee who does not see the big picture might evaluate one event as catastrophic, whereas the top management might consider that event as having only a moderate impact. Having a quantitative basis for the rankings helps distinguish and reconcile such discrepancies easily.
Merging all the data into a spreadsheet or database simplifies data analysis and makes reporting easy.
Identification of Interdependent Variables
Recovery Time Objective (RTO) defines the time required for recovery, or a return to a normal state, following a shutdown. A common practice is to group various processes based on their recovery time objectives. Tier 0 RTOs require a recovery time of less than 24 hours, Tier 1 RTOs require a recovery time between 24 and 48 hours, and Tier 3 RTOs require a recovery time between 48 and 72 hours.
The best practice is to determine this recovery time after identifying all interdependent variables. For instance, if critical activity “A” has a maximum tolerable disruption period of two days and critical activity “B” has a maximum tolerable disruption period of one day, normally the recovery time objective will be two days for Process “A” and one day for Process “B”, thereby suggesting priority to recover Process “B”. Analysis of interdependent variables might reveal that Process “B” will not work at full steam without Process “A”, and as such both Process “A” and Process “B” require a recovery time objective of one day.
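The dependency adjustment described above can be computed from the questionnaire data once it is in a spreadsheet or database. The following is an added example, not part of the original article: processes "C" and "D", the hour values for them, and the function names are constructed for illustration, with "A" and "B" taken from the text (two days and one day).

```python
import heapq

# Constructed sample data: each process's own maximum tolerable disruption, in hours.
OWN_RTO_HOURS = {"A": 48, "B": 24, "C": 72, "D": 72}
# process -> processes it cannot run without (B needs A, C needs B). Constructed.
DEPENDS_ON = {"B": ["A"], "C": ["B"]}

def effective_rto(own_rto, depends_on):
    """Tighten each prerequisite's RTO to the strictest RTO of anything relying on it."""
    named = {p for deps in depends_on.values() for p in deps} | set(depends_on)
    missing = named - set(own_rto)
    if missing:
        raise ValueError(f"no RTO recorded for: {sorted(missing)}")
    rto = dict(own_rto)
    changed = True
    while changed:  # repeat until stable; values only ever decrease, so this ends
        changed = False
        for proc, prereqs in depends_on.items():
            for pre in prereqs:
                if rto[pre] > rto[proc]:
                    rto[pre] = rto[proc]
                    changed = True
    return rto

def recovery_order(rto, depends_on):
    """Prerequisites first; among processes that are ready, shortest RTO first."""
    waiting = {p: len(set(depends_on.get(p, []))) for p in rto}
    dependents = {p: [] for p in rto}
    for proc, prereqs in depends_on.items():
        for pre in set(prereqs):
            dependents[pre].append(proc)
    ready = [(rto[p], p) for p, n in waiting.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, proc = heapq.heappop(ready)
        order.append(proc)
        for dep in dependents[proc]:
            waiting[dep] -= 1
            if waiting[dep] == 0:
                heapq.heappush(ready, (rto[dep], dep))
    if len(order) != len(rto):
        raise ValueError("circular dependency: recover those processes together")
    return order

if __name__ == "__main__":
    rto = effective_rto(OWN_RTO_HOURS, DEPENDS_ON)
    for name in recovery_order(rto, DEPENDS_ON):
        print(f"{name}: own {OWN_RTO_HOURS[name]}h -> effective {rto[name]}h")
```

Process "A" drops from 48 to 24 hours because "B" relies on it, while "C" and "D" keep their own 72 hours.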
Creating a Business Impact Analysis provides a foundation for the business continuity plan and other risk management programs. Experience suggests that the results of a Business Impact Analysis are rarely on expected lines, with the recovery time exceeding normal assumptions.