Business Impact Analysis
Business impact analysis (BIA) is the main driver in the implementation of a contingency plan. Conducting a BIA is a fundamental part of the CP (contingency planning) control family in NIST SP 800-53. It enables the information system contingency plan (ISCP) coordinator to evaluate and characterize the system components, the mission processes they support, and their interdependencies. The BIA seeks to correlate the critical business processes with the services that support them and, based on that information, evaluate the consequences of a disruption. A successful BIA informs the ISCP coordinator of the contingency planning requirements and priorities. For information system resources, the BIA is carried out at the initiation phase of the system development life cycle. The results of the BIA are incorporated into the analysis and strategy development efforts for the business DRP, COOP, and BCP.
A complete and successful business impact analysis incorporates the following three fundamental elements:
Determination of business process and recovery function criticality, to evaluate the business processes supported by the IT resources and the impact of their disruption. An estimated downtime is also evaluated at this stage to determine the maximum time the business can tolerate while the IT resources are down. According to FIPS 199, impacts should be analyzed in terms of confidentiality, integrity and availability, and information systems are categorized as low impact, moderate impact or high impact against each of those CIA objectives.
Identification of the resource requirements, to explicitly determine the exact resources required to return the business to normal operation. The resources may include equipment, software, data files, system components and vital records.
Finally, the identification of recovery priorities for IT resources forms the last element of an effective BIA. This is based on the results of the previous activities and on the system resources. Priority levels are established to sequence recovery activities and resources. Information resource recovery priorities are a function of business process criticality, disruption impacts and tolerable downtime.
A key consideration in the recovery process is the recovery time objective (RTO). The RTO is the period within which the business is expected to be back in normal operation. The team should determine the RTO for each particular scenario.
The specific RTO determines which resources need to be made available or purchased. This may include offsite workstations and backups. In determining a specific RTO, the question of what constitutes unacceptable downtime is answered.
Component reliance and dependencies
Interdependencies between organizations and business partners have long been overlooked in contingency planning, disaster recovery and business continuity. The impact of business disruption and the loss of personnel should be treated as an important aspect of contingency planning. The potential for a regional event to disrupt business operations, for example by destroying buildings, is real even when the organization itself suffers no direct impact. The same goes for paper records, computer systems and business operations. It is fundamental that organizations not only focus on their own disaster impacts and recovery plans, but also take into consideration the recovery efforts of other companies, including suppliers, customers and manufacturers, so that a coordinated approach gets operations back to normal.
The BIA helps companies determine their organizational recovery time and recovery point. Two companies with the same structure and service operations may nevertheless have different recovery times and points. This leads to a weakest-link scenario in which the recovery efforts of the others are delayed until the organization with the weaker plan is ready. Interdependency exercises are advocated as a means of bringing private- and public-sector factors into the planning process. This is done through interdependency workshops, where the interdependencies of business-to-business interaction and reliance are studied. The study considers interdependencies with other major businesses, communication, oil/gas, water, electricity and transportation providers, government agencies and hospitals.
Interdependency workshops provide a high-level understanding of all the critical external resources that might impact an organization. This includes organizational awareness of the weak points and the development of matrix listings that give a clear view of each weakness for special consideration.
Another method of determining dependencies in a BIA is the interview approach. This method uses an informal interview process supported by questionnaires. A common set of questions provides the consistency between interviews needed to arrive at the same base level of information. The interviews determine the resources, personnel and other parameters involved in the recovery process. Examples of the sampled questions include:
- What do you do if you cannot get access to IT systems for x hours?
- At what time do you send staff home during an outage? How many do you retain and how many do you send?
A BIA is conducted to determine the areas that would suffer the greatest financial or operational loss in the event of a disaster. All the critical impacts and systems are identified. In my view, the fundamental steps in the development of a BIA include:
- Identification of critical business functions
- Identification of critical computer resources that support key operations
- Identification of disruption impacts and allowable downtime
- Development of recovery priorities
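As an added worked example (not from the original essay), the four steps above expressed as a small Python model: FIPS 199 high-water-mark categorization of each process, recovery priority ranking by impact and tolerable downtime, dependency-aware sequencing of the supporting IT resources, and a check of the resulting restore times against each process's maximum tolerable downtime. All process and resource names, impact levels and hour values are constructed.

```python
# Added example (not from the page): a small BIA model that categorizes processes
# with the FIPS 199 high-water mark, ranks recovery priorities, sequences IT
# resources so dependencies are restored first, and checks RTO against MTD.
LEVEL = {"low": 1, "moderate": 2, "high": 3}   # FIPS 199 impact levels

# Constructed sample data: each process has C/I/A impacts, a maximum tolerable
# downtime (MTD, hours) and the IT resources it needs.
PROCESSES = {
    "order_entry": {"cia": ("moderate", "high", "high"), "mtd": 4, "needs": ["erp_db", "auth"]},
    "payroll":     {"cia": ("high", "high", "moderate"), "mtd": 72, "needs": ["erp_db", "auth"]},
    "marketing":   {"cia": ("low", "low", "low"), "mtd": 168, "needs": ["web"]},
}
# Each resource lists what it depends on and its estimated restore time (hours).
RESOURCES = {
    "auth":   {"deps": [], "rto": 2},
    "erp_db": {"deps": ["auth"], "rto": 3},
    "web":    {"deps": ["auth"], "rto": 1},
}

def categorize(cia):
    """High-water mark: the process category is the highest of the three objectives."""
    return max(cia, key=LEVEL.get)

def process_priority(processes):
    """Higher impact category first, then shorter tolerable downtime."""
    return sorted(processes, key=lambda p: (-LEVEL[categorize(processes[p]["cia"])],
                                            processes[p]["mtd"]))

def recovery_order(processes, resources):
    """Walk each process's needs in priority order, depth-first, so a resource
    is always restored after everything it depends on (assumes no cycles)."""
    order = []
    def restore(r):
        if r in order:
            return
        for d in resources[r]["deps"]:
            restore(d)
        order.append(r)
    for p in process_priority(processes):
        for r in processes[p]["needs"]:
            restore(r)
    return order

def mtd_violations(processes, resources):
    """Assume resources are restored one after another in recovery order; a
    process is back when its last needed resource is up. Report those past MTD."""
    ready, clock = {}, 0
    for r in recovery_order(processes, resources):
        clock += resources[r]["rto"]
        ready[r] = clock
    return {p: max(ready[r] for r in spec["needs"])
            for p, spec in processes.items()
            if max(ready[r] for r in spec["needs"]) > spec["mtd"]}
```

With the constructed data, order_entry is reported as a violation (restored after 5 hours against a 4-hour MTD), which is exactly the kind of finding that drives the purchase of standby resources discussed under the RTO above.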