One of the key elements in pre-planning for business continuity is conducting a business impact analysis (BIA). Doing such an analysis accomplishes three important things:
1. A BIA establishes the value of each organizational unit or resource as it relates to the function of the total enterprise.
2. It provides the basis for identifying the critical resources and functions required to develop recovery strategies.
3. It establishes an order or priority for restoring the critical functions of the enterprise in the event of a disaster.
Every business can point to a number of functions and processes that are time-sensitive, and to those that are required for normal daily business. This is especially true of the security operation. Sorting through all of these possibilities in an organized, systematic way is the core of a useful business impact analysis.
Some objectives of the analysis include determining:
• impact of an outage
• criticality of business processes, functions, departments and work areas as related to the total enterprise functionality
• time-critical application systems, data and telecommunications
• required recovery time(s) for functional departments
• interdependence between business units
• resource requirements
A key element is setting a recovery-time objective for each function. Such an objective is defined as the time within which business functions or application systems must be restored to acceptable operation levels.
With this objective in mind, there are five phases of an analysis:
1. Project planning
4. Report findings
5. Approval for the next analysis phase
In project planning, the use of questionnaires and/or interviews can be mapped out in a way that gathers the data needed.
Service objectives, financial impacts, legal or regulatory issues, loss of market share and other factors will be part of the data-collection process. Reference documents such as the mission statement, organizational charts, policies and procedures are gathered.
All data collected should be analyzed using two methods: quantitative impact and qualitative impact. Quantitative impact identifies losses in terms of quantities, percentages or other factors in monetary terms. The qualitative impact identifies intangible losses that cannot be quantified in monetary terms.
For example, you can measure quantitative impact in sales, market share, penalties and extra expense. Taken together, these will also represent a broader view of the effect of certain disasters on overall assets, revenue and income of the organization.
Finally, the analysis will yield a list of business functions in order of financial impact as well as projected restoration time. This allows an organization to understand the many challenges it may face with its business continuity and disaster recovery efforts and create priority designations to minimize the overall impact on the business.