Train By Tweet

Follow this course on Twitter

Contents 1 Business Impact Analysis 1.1 Objectives 1.2 Disaster Recovery Planning (DRP) 2 Purpose and Process 2.1 Purpose of Business Impact Analysis (BIA) 2.2 The BIA Process 3 Who is Involved? 3.1 Membership of BIA Team 3.2 Who Contributes to BIA 3.3 BIA Detailed and Local Knowledge 4 How to Gather Data 4.1 Gathering BIA Data 4.2 BIA Questionnaires 4.3 BIA Interviews 4.4 BIA Workshops 5 Business and IT Perspectives 5.1 Business Perspective of BIA 5.2 IT Perspective of BIA 5.3 Recovery Plan Document - By When? 6 Categorizing Applications 6.1 Application Categories 7 Summary

Business Impact Analysis

• Process Outline
• Instructions for Conducting a BIA

Objectives

In this outline:

• Learn the importance of targeting solutions at those areas with maximum impact on the business

By deciding:

• Who resources the business impact analysis team
• How to gather impact data
• What are the consequences for IT of identified business impacts

Disaster Recovery Planning (DRP)

The role of BIA in DRP

• Project goals
• Identify threats
• Business Impact Analysis
• Identify critical processes
• Identify IT resources
• Design contingencies
• Produce plan
• Test and Deploy
• Maintain the DR Plan

Purpose and Process

Purpose of Business Impact Analysis (BIA)

• To quantify effect of disruption on business operations
• Financial and functional impact
• Business-focused
• Enables or justifies decision on what to protect at what cost
• To identify and classify backup resources
• Divide the musts from the wants for assurance of business continuity

The BIA Process

• Identify main business functions
• For example, sales, marketing, finance, manufacturing, IT, et al.
• Identify major activities of each function
• Identify dependencies for all major activities
• Must include all prerequisites or facilitators
• For example, ICT infrastructure and applications
• Manufacturing facilities, raw materials, customer contact centers, etc.
• Accommodation and transportation
• Quantify consequence from the loss of prerequisites

Who is Involved?

Membership of BIA Team

• First decide who should be involved
• Senior management and board members
• Functional managers
• Divisional managers
• Site or geography managers
• Operational staff
• Board-level senior managers
• May be appropriate for small companies
• Too far from the action in large organizations
• But
• Can set corporate objectives and priorities
• Can add credibility and authority to project

Who Contributes to BIA

• Functional Managers
• Usually the most appropriate contributors
• Sales, marketing, manufacturing, finance
• Focused on a single business function
• Generally have a rational view on its place in the overall business
• May need to consult with their supervisory and operational staff to identify all touch-points on IT systems
• Divisional managers
• Divisions may often be treated individually as small companies
• Approach and format should be consistent
• Each division may wish to field its own management team
• Potential difficulty with representation of cross-divisional functions

BIA Detailed and Local Knowledge

• Site or geography managers
• Good overview of all functions
• May be appropriate to treat each site as individual company
• Approach and format should be consistent
• Operational staff
• Good knowledge of fine detail
• Need to keep in perspective
• Typically too many for workshop session
• Less cross-functional understanding
• Need to ensure level of contribution is consistent across different functional areas

How to Gather Data

Gathering BIA Data

• What data do we need to gather?
• Fundamental purpose of the function
• Activities performed to achieve the purpose
• Resources required to perform the activities
• Consequences of non-availability of those resources
• How to gather the data
• Questionnaires
• Structured interviews
• Focused workshops
• Organizing the data
• Categorize requirements
• Document the results
• Text, spreadsheets, or database
• Purpose-designed software

BIA Questionnaires

• Designing and using questionnaires
• Make it easy for targets to respond
• Convenient
• Don't have to get all players together at one time
• Results need sanity checking
• Time-consuming to achieve good results
• Can precede workshop (to set the agenda, for example)
• Need skill and care to prepare effective questionnaire and avoid pitfalls
• Leading the audience toward an answer
• Danger of poorly considered response - completed in a hurry
• Poor response rates - or not completed at all
• Frequently need to contact respondents to clarify answers
• Easy for recipients to avoid hard or unpleasant concerns
• Inability to elicit full, frank information
• "You didn't ask that!

BIA Interviews

• Structured interviews
• Time-consuming and costly
• Capable of good results
• Danger of narrow thinking
• Results need sanity Checking

BIA Workshops

• Focused workshop
• Recommended approach
• Quick
• Lower cost than alternatives
• Highly effective
• Synergy from group
• Moderation from peers in real time
• Common understanding and decision criteria
• Drawbacks
• Difficult to schedule
• Needs good facilitator
• May still need follow-up

Business and IT Perspectives

Business Perspective of BIA

• Creates a statement of
• The critical operational needs
• How quickly I need it back
• How do I meet catch-up implications after the information systems become available again?
• How much I can afford to have lost when the process is restored
• The (non-IT) resources that are essential for me to achieve my fundamental purpose
• What do I need to do to ensure their availability?
• Identifies critical business applications
• Time scales and impacts
• Document in the DR plan
• Drives the IT perspective of BIA

IT Perspective of BIA

• From an IT perspective
  • Driven by the business perspective of must-have applications
• Drivers
• What are the dependencies of the application?
• What other applications are required for it to function?
• What infrastructure (hardware, software, networking, etc.) does it require?
• How soon must it be available and what is the acceptable restart position?
• What volumes, timings, and user population are required in disaster mode?
• Is there a backup regime appropriate to these needs?
• Does the application support a staged/phased recover, or is it all or nothing?
• How will we protect it during DR mode operation?
• Identifies supporting infrastructure of the critical business applications
• Document in the DR plan

Recovery Plan Document - By When?

• Time vs. Impact
• Impact increases or levels off over time
• Impact never decreases over time

Categorizing Applications

Application Categories

• Keep it simple using three categories
• 1 = essential to organization's ability to operate
• 2 = significantly reduces the organization's capabilities or profitability
• 3 = useful, but not important in the short term
• Restoring applications
• Category 1, as soon as possible within limits specified by the BIA
• Category 3, put to one side for consideration later
• Category 2, do simple cost/benefit analysis to ensure response is appropriate to need

Summary

• In this outline, we have seen that BIA concerns
• Identifying the cost of disruption in functional and financial terms
• Setting priority for restoring applications according to business needs
• Meaningful BIA is dependent on
• Appropriate contributors
• Appropriate data gathering techniques
• BIA output is viewed from two perspectives
• Business Perspective
• People, processes, non-IT resources, recovery time, musts/wants
• IT Perspective
• Technology resources required to deliver business applications in time scale demanded