To create an effective Disaster Recovery Plan (or Business Continuity Plan), you’ll need to be aware of and fully understand the dependencies of critical operations within your organization. As IT we usually have a fairly good understanding of what the critical systems are (we’re certainly first to blame when something breaks); however, there are often other critical functions, such as Payroll, that rely on IT but we don’t directly hear about.
Additionally, when a true disaster occurs we need to understand which systems are the most critical to continuing and restoring business operations. This is where performing a Business Impact Analysis (BIA) is essential.
What is a Business Impact Analysis (BIA)?
A business impact analysis is used to identify which departments and processes are essential to the survival of your organization. The BIA will identify how quickly critical departments or processes need to be restored after a disaster. Additionally, the BIA will help you to identify the resources required to resume these operations.
Business Impact Analysis (BIA) Objectives:
- Estimate the financial impacts for each business unit, assuming a worst-case scenario
- Estimate the intangible (operational) impacts for each business unit, assuming a worst-case scenario
- Identify the organization’s business unit processes and the estimated recovery time frame for each
A BIA should be completed for each department/business unit within your organization and should include each process managed within the department.
Running the BIA for your Organization
Running the BIA involves collecting information from each of your organization’s department managers. Smaller groups will be easier to get accurate information from, so I recommend that you send your questionnaires to the lowest leader possible; someone very knowledgeable of the tasks his/her business unit performs and the technology and services they rely on.
At FRSecure we’ve put together two forms for each department to complete:
- Business Impact Analysis Process Identification Form
- Business Impact Analysis Questionnaire
The Business Impact Analysis Process Identification Form is used to list all business processes performed by the department.
The Business Impact Analysis Questionnaire is completed for each of the processes identified. It is used to evaluate the impact of each process on the business and what the tolerance is for the downtime of each process. Questions the BIA Questionnaire should ask include:
- How frequently is the process performed?
- What type of loss would be incurred if this process cannot be completed? (Loss of revenue, regulatory and legal, customer service, goodwill, or additional expenses)
- Estimate the impact to the organization after a period of 1/3/5/10/20/30 days.
- What technology does this process depend on?
- What outside services does this process depend on?
- What is the maximum amount of time that this business process could be unavailable?
It can be helpful to develop predefined metrics for your questionnaire. For example, if you’d like participants to rate loss to the company on a scale of 0-10; assigning dollar values to each number on the scale can be useful. The same idea can be applied to an impact to customer service, rather than asking for a numerical value, ask whether the impact would be minimal, moderate, or severe.
Before sending out your questionnaire I would recommend discussing its distribution with organization leaders. They may be able to provide input as to best way to send it out to get a positive response. Additionally, ask whether they’d be willing to send out a notification ahead of time about the BIA’s importance to the organization, as this will help to ensure that the BIA questionnaires are given priority.
Putting it All Together
Once you’ve received the information back from every department, it is time to put it to work! You’ll want to compile all the data into a single list of processes, including their tolerable downtime and impact on the organization. Once this is completed it will be easy to identify which are your most critical processes, and thusly what systems are required to support them and need to be given top priority in the event of a disaster.
After your compilation and assessment are complete, present your findings to senior management. They may want to adjust your criteria based on their understanding of the entire organization; they’ll be able to add a perspective that may have been missed while the department experts focused strictly on their individual processes.
At this point, you’ll be ready to begin coordinating what you’ve found into your Disaster Recovery Plan (DRP) and examining the disaster recovery systems you already have in place. Do your current backup frequency and retention policies meet the needs of your most critical systems?
Will sensitive data remain adequately secured in the event of a disaster? You will need to work with senior management to determine whether it is feasible to attempt to perform all the necessary functions in a crisis environment, or whether some functions should be outsourced to a vendor.
Developing these plans is a lot of work, so if you are working on developing a BCP or DRP for your organization, reach out to our team at FRSecure for help! We can provide templates, policies, and guidance to you and your organization at any point of your BCP/DRP development project.