Part two of a two-part series. View part 1, SMB business continuity planning basics.
One of the essential tasks in developing a continuity or disaster recovery plan is the business impact analysis (BIA). Its purpose is essentially to gain a clear understanding of how the business works and what happens when there is an interruption. This tip provides an overview of the process from an IT perspective.
Where it starts
The development of a business continuity plan (BCP) includes the definition of strategies to recover or increase the availability of critical business functions. Strategies are defined, taking into account the potential risks to which a given function is exposed and the impact on the business (such as financial losses) should that function be interrupted. These processes are known respectively as risk assessment and BIA.
Before specific strategies can be defined, you must first determine how critical each business function is. Criticality is usually based on the impact to the organization should a business function be interrupted. Availability or recovery strategies are then developed to prevent or mitigate losses; the cost of a strategy therefore cannot be allowed to exceed the losses it is designed to prevent or mitigate.
The BIA normally starts at the business level since it is about impact to the business. This is referred to as "driven from the top down." However, not all organizations have internal skills or available resources to conduct a BIA. Many businesses still attempt to keep planning tasks internal in an effort to keep costs down. In fact, a recent industry survey found that 30% of respondents had tasked their IT department with business continuity planning responsibilities. This is often the case with small and midsized businesses.
The process
If IT plans to initiate the BIA process, it's best to take a "from the bottom up" approach:
Once you have a good picture of the IT environment, the components' interdependencies and respective recovery priority, it's time to take your quest for information to the business units to complete the picture. A combination of questionnaires and workshops or interviews usually yields the best results. The following information must be gathered from each business unit:
We can now associate the recovery time objective (RTO) for each business function with the applications and supporting infrastructure. While this method does not allow IT to quantify the impact of an outage from a financial perspective, it does provide the necessary information to develop recovery strategies.
IT is now in a position to provide cost information to the business for each recovery or resiliency option. It is then up to the business to estimate losses in the event of an interruption and compare them with the cost of each strategy to justify it.
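The RTO association described above, as an added example that is not part of the original article: each application and infrastructure component inherits the tightest RTO of any business function that depends on it, directly or through other components. The function names, component names, RTO values and dependency map are constructed sample data, and the helper names are hypothetical.

```python
from collections import deque

# Constructed sample data (not from the article): business functions with the
# RTO (hours) stated by the business unit and the applications they rely on.
FUNCTION_RTO = {"order entry": 4, "payroll": 72, "customer support": 8}
FUNCTION_APPS = {
    "order entry": ["erp"],
    "payroll": ["hr-app"],
    "customer support": ["crm", "email"],
}
# Constructed dependency map: component -> components it needs in order to run.
DEPENDS_ON = {
    "erp": ["db-cluster", "san"],
    "hr-app": ["db-cluster"],
    "crm": ["db-cluster", "email"],
    "email": ["directory"],
    "db-cluster": ["san"],
    "san": [],
    "directory": [],
}


def component_rtos(function_rto, function_apps, depends_on):
    """Return {component: (rto_hours, driving_function)}.

    A component inherits the tightest RTO of any business function that
    reaches it, directly or through other components.
    """
    result = {}
    for function, rto in function_rto.items():
        queue = deque(function_apps.get(function, []))
        seen = set()
        while queue:
            component = queue.popleft()
            if component in seen:      # also guards against dependency cycles
                continue
            seen.add(component)
            if component not in depends_on:
                raise KeyError(f"{component!r} missing from dependency map")
            if component not in result or rto < result[component][0]:
                result[component] = (rto, function)
            queue.extend(depends_on[component])
    return result


def priority_list(rtos):
    """Components sorted by tightest inherited RTO first, then by name."""
    return sorted(rtos, key=lambda c: (rtos[c][0], c))
```

Shared infrastructure such as the storage array ends up with the 4-hour RTO of order entry even though payroll, which also uses it, tolerates 72 hours; that is the figure IT would price recovery options against.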
Pierre Dorion is a business continuity consultant at Mainland Information Systems Ltd. in Calgary, Alberta, specializing in business continuity planning.