How to Conduct a Business Impact Analysis
- Published on October 30, 2007
The process begins with a memo from an executive naming a well-respected senior person as the team leader, along with the selected business and technical team members. The team leader is charged with obtaining results and is held accountable for the BIA project. Moreover, the BIA is not left to non-senior-level employees to try to enlist cooperation and support. The memo also makes clear that this is a full-time assignment until the BIA is completed.
At the initial team meeting it is best to calibrate each member's understanding of the BIA as the most important element of the entire disaster recovery planning process and to be sure everyone is on the 'same sheet of music'. Once this occurs the team has the ability to effectively communicate the seriousness of its mission to all affected groups. Team members' attitudes resulting from this preliminary process help create enthusiasm throughout the organization. As awareness increases, people will generate the necessary cooperation and camaraderie to set the pace to get their 'best effort' BIA completed. In turn, this BIA will be the foundation on which to build a viable contingency plan.
Requests to participate in a BIA project that are initiated from above have a much greater chance of succeeding once all levels of senior management understand that their participation is required. Then, the rest of the business units will join in actively and willingly. This approach avoids the difficulties of each team member getting staff to enlist in the BIA project.
Done properly, the BIA sets the stage for producing the enterprise-wide contingency plan. Because the BIA process is very analytical, it ensures that the BUSINESS - not you, not your manager, and certainly not the political infrastructure of the organization - is the focus, and that attention goes directly to what the business would need in order to survive if, and when, disaster strikes.
When the importance of a BIA is unequivocally established, it becomes the pivotal point in this analytical methodology. It is now time to start formulating tough questions, such as:
- What are the risks of your particular business?
- How can the risks be quantified?
- What unique needs must be considered to ensure that this business can endure a disaster?
Perhaps, now all can see that the BIA's purpose is to point out these risks and peculiarities. When discovered, they must be factored into the recovery process. Thus, the Business Impact Analysis becomes the cornerstone of the recovery plan.
Viewing the BIA process in terms of the needs of your business clarifies its importance to the enterprise-wide contingency plan. Well-established processes (albeit those often equated with legacy systems) typically have larger budgets to produce detailed recovery plans. Still, a major question highlights a data center's dilemma today. Are these legacy system processes declining, holding their own, or beginning to be reconsidered as 'less legacy' in the 'real world'? It is true that these systems contain information crucial to the well-being of the corporation. What is the priority associated with these processes in terms of importance to the future of the business? Be aware that these questions may not be easily answered, and may spark considerable discussion and controversy when broached. Until decisions are made regarding these legacy systems, or migration to other systems occurs, their corporate information must still be included in any BIA and Contingency Plan.
At the other end of the spectrum you will find smaller distributed operations that are sometimes relatively unknown: e.g., Local Area Network, EDI applications, Lotus Notes, etc. Do not be surprised to find these environments may be supporting significant portions of the business; yet, may have no recovery procedure, focus on recovery, or recognition of the fact that a Contingency Plan may be needed.
As a member of the BIA team, your responsibility is to properly position each component of the organization, thus ensuring correct recognition of its importance. Carrying out these responsibilities requires learning how risk-prone (or risk-averse) your management is and understanding their position. Based upon this information, you can plan accordingly for an adequate level of protection for your business's needs. Your first charge is to help management acknowledge that a Recovery Plan cannot be produced in a vacuum, but instead must be built on corporate knowledge.
Once everyone involved buys into a knowledge-based recovery plan, it is easy to understand that the BIA is the mechanism which produces this knowledge. Therefore, the BIA becomes a critical element in establishing a recovery process. This clearly demonstrates that executive-level commitment filters down to the various business units and departments, regardless of their location. It is especially difficult to attract the attention of far-flung departments and their management chain without upper-level commitment to the project. Thus, executive commitment is critical.
To ensure a successful project outcome, team members must set realistic timeframes. It will not be an extremely time-consuming procedure for the departmental or functional participants. The full-time commitment falls on the team member charged with the overall project responsibility. When support is obtained from all levels and the various departments, it is important not to relegate the BIA to the bottom of the priority list. If this happens, either it will lose senior management support or it will never get done.
Another important step to move this process along is to adequately budget time to conduct an interview that yields the information necessary to correctly assess each department's critical functions. Participants should understand it may take one hour to meet with the BIA team member.
This may be followed by another one to two hours of surveying departmental colleagues. Sometimes follow-on interviews are needed if the participant does not feel that he/she is well-versed in the department's total activities. A quick report is all that is required to provide the team member with adequate input. However, without assigning a high organizational priority level, the project will never be completed. Without this, it will become an anchor around the organization's neck, instead of a valuable function.
Examining the Processes
These preliminary steps must be in place before actually undertaking the analytical steps of the BIA. Your first step should be to find an updated copy of the business's organization chart (or that portion to be included in the BIA and the recovery plan). A quick review of the organization chart often yields very useful information about the inner structure and functions of the various business units. The size and scope of the BIA is really dependent upon the number and complexity of departments involved.
There are several ways in which to proceed. The most arduous way to accomplish this task is to conduct a survey of the entire organization. If the enterprise is large, with multiple locations domestically and internationally, this will certainly be a huge task. To solve this dilemma, you should sample various groups. Ask each executive you contact to point you to the most critical departments in his/her operation. This automatically narrows the process, requiring you to negotiate/navigate each senior manager's concerns and selection of who is included in the sample. Then, the selected personnel form the population nucleus for you to conduct the BIA.
On the other hand, you can select your participants by making a horizontal cut across the company. This method surveys a specific level of management that will produce a wide sample; yet, small enough so that it remains manageable.
This may seem to be the most practical; but, danger lurks here. By using this sample type you run the risk of interviewing people who might not know the critical requirements (particularly those in the future) of the business or, they may not be able to quantify them and analyze disaster potential.
Although there are a myriad of possibilities on how to select your project population, the real key is to review and analyze your business processes, not simply those which are automated. There is no perfect method of undertaking this portion of the project. All approaches have risks, scope problems, and time requirements. Your task is to minimize the risk while maximizing the results obtained from the enterprise and achieving a balance between the project and its cost.
Business Criticality Pattern
The BIA's baseline is formed when you delineate what you want to accomplish during the review process, as well as how you go about it. A list of questions should be developed that you will use to start each interview. You do not need a comprehensive set of questions to occupy the entire interview period. Instead, a basic set of open-ended questions will enable you to informally learn enough about the critical processes of each department for your needs. A common set of questions will provide the necessary consistency between interviews and ensure that you have a base level of information to later draw your conclusions. The most productive and efficient way is to hold interviews with individuals whose functions are being surveyed.
Sample Questions to Ask
- What does each interviewee department do?
- What 'tools' do you need to run your department? What would happen if these tools were not available to you? Do you have any alternatives?
- What constitutes a disaster in your departmental organization?
- What would you do if you had no computing (telephone, services, etc.) for x hours or days?
- What impact upon your operation would a disaster have?
- What are the revenue producing functions of your organization?
- Do you know if your data is backed up? If so, how often?
These are just a few of the common questions to ask to generate conversation and obtain specific insights in each department. During a directed discussion you can elicit the information you need to understand the criticality of this particular function to the overall business. Also, it is important to take extensive notes. It is far too difficult to remember who said what at some later date without thorough records. These notes will form the base on which to conduct your analysis and to follow up to confirm it.
'Quantify as much as possible' is the best byword. Encourage interviewees to respond in terms of lost revenue, periods of time, and amounts of services needed for a variety of disaster scenarios; i.e., total losses, partial losses. This may not always be easy. You may have to help some participants learn how to respond quantitatively.
For example, if you are conducting a BIA to determine what the organization should do in terms of meeting telephone service needs, you might try to get respondents to quantify how many lines would be needed for the first 48 hours; what would happen after that; how the business would be affected; how revenue might deteriorate; etc. Once you have these answers, ask the same questions for a different period of time; e.g., up to one week, and make notes of the answers. Do the same thing for an even longer time period. After you complete several of these interviews you will begin to see a picture emerging - the business criticality pattern, that will become the foundation of the written results of your work.
Once all the interviews are completed, you can begin to analyze the entire series of interviews to determine how much service is critical to a particular unit, and for what time period. Be careful. Heed the following warning.
Very often interviewees feel that they are extremely critical (not just critical) to the ongoing operations and success of the business. Remember, it is human nature to want to be needed. Call this group of people: 'how can the business get along without me'.
You will need to probe deeply to understand how critical their process is to the overall functioning of the total business. On the other hand, in business impact surveys, there is usually another group who feel that they can operate with no services.
Call them 'the heroes'. These folks need nothing and will hold their function together with their bare hands, if necessary. Neither group's response is more truthful or practical than the other. Be prepared, you will find both kinds. When you encounter these types, delve more deeply to determine the real needs of the business.
Once the interviews are completed, or close to completed, a pattern begins to emerge. This pattern defines the problems you have discovered during this process. What obstacles to recovery existing in the current environment were uncovered in the course of your survey and analysis?
This is an ideal time to help management understand what vulnerabilities there are so that as the recovery plan is developed these will be taken into consideration.
Be very specific in your definition of a problem and in its solution. List each problem (risk, finding, etc.) found and provide a corresponding recommendation. Organize these by topic so that patterns can be discerned. It is always easier to hold management's attention by providing a recommendation(s) that offers a solution for each problem.
The next step is to draw up a loss matrix. You can do this by entering each interviewee on the matrix with their functional unit, critical timing elements, and responses relating to revenue and/or productivity losses. Be as exact as possible. Recontact interviewees for greater specificity, if you are lacking details. Once you have as much definition as possible in each of the loss categories, then, total these numbers.
After completion of the written findings (interview notes) and the loss matrix, analyze which elements in the loss matrix appear to have the most criticality to the enterprise. Pull these findings into a summary. This, in turn, forms the basis for justification of expenditures, resources, or actions recommended as a result of the BIA.
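The loss matrix described above can be kept as a small script. The following is an added example, not part of the original article: the interviewee names, functional units, dollar figures and the '1 month' period are all constructed for illustration. It totals losses per time period, ranks units by loss, and lists answers that were never quantified so those interviewees can be recontacted.

```python
# Added example; all names and dollar figures below are constructed.
HORIZONS = ["48h", "1 week", "1 month"]  # "1 month" is an assumed longer period

# One row per interviewee: (interviewee, functional unit, estimated loss per horizon).
# None marks an answer the interviewee could not quantify yet.
INTERVIEWS = [
    ("Interviewee A", "Order Entry", {"48h": 40_000, "1 week": 180_000, "1 month": 900_000}),
    ("Interviewee B", "Payroll", {"48h": 0, "1 week": 25_000, "1 month": 120_000}),
    ("Interviewee C", "LAN / EDI", {"48h": 60_000, "1 week": None, "1 month": None}),
]

def build_loss_matrix(interviews):
    """Return (totals per horizon, entries that need a recontact)."""
    totals = {h: 0 for h in HORIZONS}
    recontact = []
    for person, unit, losses in interviews:
        for h in HORIZONS:
            value = losses.get(h)
            if value is None:
                # An unquantified answer is a gap, not a zero loss.
                recontact.append((person, unit, h))
            else:
                totals[h] += value
    return totals, recontact

def rank_units(interviews, horizon):
    """Units with a quantified loss at `horizon`, largest loss first."""
    known = [(losses[horizon], unit) for _, unit, losses in interviews
             if losses.get(horizon) is not None]
    return [unit for _, unit in sorted(known, reverse=True)]

if __name__ == "__main__":
    totals, recontact = build_loss_matrix(INTERVIEWS)
    incomplete = {h for _, _, h in recontact}
    for h in HORIZONS:
        note = " (lower bound, answers missing)" if h in incomplete else ""
        top = rank_units(INTERVIEWS, h)[0]
        print(f"{h:>8}: ${totals[h]:>9,}{note}  most critical: {top}")
    for person, unit, h in recontact:
        print(f"recontact {person} ({unit}) for the {h} estimate")
```

A total for a period with missing answers understates the loss, which is why the script flags it rather than treating the gap as zero.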
Think about the variety of disasters that may occur. These unforeseen events can cause total or partial disasters affecting a number of people, facilities, functions, etc. Also, keep in mind that you will never be able to prepare for every kind of disaster that may happen.
Therefore, do not focus on providing for every 'potential' possibility. Concentrate on any obvious and 'expected' potential disasters. Most importantly, consider what needs to be done on a priority basis (regardless of the disaster) and what must be put in place for a smooth recovery to occur.
Pay particular attention to your organization's responses; especially, those exposing any weaknesses existing in your services environment. Many of these vulnerabilities will have been uncovered during the BIA.
Then, you can build a set of BIA recommendations that will take these freshly exposed pressure points into consideration. Pull all these results into a well-structured written analysis along with your expert opinion.
This analysis is based upon what you have learned about the needs of the business and details what the business costs would be, if critical functions were not recovered in a timely fashion.
In turn, these recommendations become the foundation and cornerstone of the disaster recovery plan - the logical follow-on to the BIA.
Printed In Summer 1996
Patricia A. P. Fisher is CEO and president of Janus Associates, Inc., an information security, contingency planning service and software firm in Stamford, CT. Email - Janusnet@aol.com