Conduct a Hard Hitting BIA: Proven Tips for Success


by Leo Wrobel

So, you have been tasked with developing a business impact analysis as a prelude to your corporate business resumption plan. Congratulations, I am both happy and sad for you! Seriously speaking, this will be a most visible project with ample opportunity to shine in the eyes of executive management. On the other hand, it could backfire miserably on you if you proceed carelessly.
It’s impossible to list every way people go wrong in this endeavor in a single article. Even so, we can hit some of the more common secrets of success to assure your business impact analysis (BIA) is accepted by management and is understandable enough to guarantee future support and funding for the project. Be forewarned! The BIA is often short-sold in the interest of getting the plan done cheaper or faster, only to cause undesirable consequences later. Don’t let this happen to you. In this article we will discuss some common mistakes made in conducting a BIA, centering principally around who does it, how, with what tools, and most importantly, how it is presented to decision-making executives.
If you have been given the responsibility for conducting a BIA, chances are your boss raised your budget, lightened your work load, and perhaps even let you go out and hire one or two bodies to assist you in the project, correct? Yeah, right! In actuality, the worst case is probably true. You will be expected to add contingency planning to your “to do” list and knock out a plan in your copious spare time.
This leads us to the first major mistake most corporations make in putting together their BIA, as well as business resumption plans in general. More often than not, responsibility for developing a long-term recovery plan is placed squarely where it does not belong: in operations departments. This is not to say that operations managers are not qualified to pursue this goal. But think about it: when was the last time you found an operations person in your organization with extra time on his hands? That means business resumption planning becomes “kitchen table” work which gets taken home at night, as it certainly does not fit inside the workday of today’s overwhelmed operations personnel.
Some of the most often made errors in contingency planning happen on the first day of the project. This is the time when for whatever reason (time, money, knowledge, etc.), the responsible technologist skips or shortcuts the most important part of the project: The business impact analysis.
The Business Impact Analysis, or BIA, is probably the most important component of your recovery project. This is the part that defines and quantifies all the reasons you are going through all the trouble of producing a Business Resumption Plan. More importantly, the more factual, understandable and informative your BIA is, the better your chances are for success. If your BIA clearly communicates the inherent vulnerabilities of the systems you are trying to protect to executive management, you will win the endorsement, support and funding of your higher-ups. We will discuss the specifics of conducting a hard-hitting BIA which will meet this objective, and allow for a fast track approach to a successful project completion. Let’s start with laying out the strategy.
The diagram “DYNAMICS of ABC Polymers, Inc.” shown later in this article graphically illustrates your company’s resistance to disruptions in comparison to two other types of businesses, a heavy manufacturing company and a retailer. Since as an author, I have no idea what kind of company you work for, I’ll make a few assumptions:
• You work for the parent company of ABC Polymers, a specialty films company which makes bags for potato chips and snack foods as its primary business.
• Your company also has two other kinds of businesses. One is a snack food company (a natural outgrowth of the core business), and the second is a more speculative venture, ABC Real Estate Investments, Inc.
• ABC Real Estate Investments, Inc. basically invests money and collects rents for the parent.
The diagram depicts how quickly the daily revenues of each of your company’s business lines decline in the event of a major disruption, in comparison to the other two.
Note that the snack food retailer loses almost all revenue after the first day. This is because in a “commodity” market a caller will order from a competitor almost immediately. It is also more difficult for this company to get customers back after it loses them, since there is little room to discount the product or make other concessions. The margin on sales is next to nothing. This company would be in the most serious trouble after a disaster.
The second company as we said is involved in real estate ventures. Most people pay their rent monthly. Therefore, except in the event where a disaster occurred on the 31st of the month (thus preventing cash posting) the effect would be nominal. This is not to say these folks would not scream if their system was down, but they would in fact survive. 
The third core manufacturing company on the other hand is more complicated. It has several distinct classes of customer. About one third of these customers buy plastic meat wrap from your company. This is an easily attainable product from other suppliers. These “commodity product” customers could order elsewhere on day one. 
Another one third of the customer base is termed “aligned distributors” who could order elsewhere, but would probably wait a few days because of an existing business relationship or commission structure. In other words, they might wait longer since your company holds them with a lucrative commission or bonus structure. This particular customer mix produced the center line showing a significant, but less immediate revenue loss.
Lastly, a third of your customer base orders specialized or customized products and has nowhere else to go for them. Maybe they buy a custom bag which is the only kind in the industry to package a specialty product. Perhaps it would take too long for them to transfer complex graphics used for the bag labels to a competitor. Either way, they are stuck with you, and their ultimate success depends on how quickly you get back in business. So essentially the scenario of a major disaster at ABC Polymers Inc.’s core manufacturing business would transpire like this:
• Nonexclusive customers bail out day one. (1/3 of your business)
• Exclusive customers jump ship about day three. (Another 1/3)
• Monopoly customers take days to leave, but years to get back. (The last 1/3)
These “monopoly” customers are the ones who staked their business fortunes on your company and were let down most severely. In the words of one executive in a business not unlike this one, “They are the hardest to lose, but the hardest to get back if you ever do.”
In general, what kinds of companies have the shallowest graphs? These include companies with a high rate of “word-of-mouth” referrals, or in other words, companies perceived to be really good deals.
So who has the steepest graph? Typically, people are really gun shy when it comes to money. Banks are high on the list. Brokerages maybe even more so. If your broker is out of service, and you just have to make that trade today, you will call a competitor no matter how good the relationship with your present broker is. Other companies include operations like catalog sales organizations, “Home Shopping” networks and the like, particularly those geared toward impulse sales. Nobody calls back tomorrow to make an impulse purchase.
To summarize, a fatal mistake in the business impact analysis phase is to homogenize users together, and assume that their “pain threshold” and willingness to pay for protective systems is the same. It isn’t, as this section has clearly illustrated.
It will be necessary to make reliable estimates by knowing what a department does and whether its people can do anything else when an automated system fails. As a rule, “knowledge” workers (i.e., attorneys, engineers, managers, etc.) can usually find something else to do if a system is down. They may be on the phone or in meetings, for example. “Production” workers, however (customer service reps, telemarketers, inbound sales centers), are completely dependent on the system to do their job, thus the hit in productivity is more pronounced.
Using the more critical inbound sales agent (production worker) as a base, it is possible to peg your estimation of the costs of certain types of outages based on loaded personnel costs procured from the Human Resources organization. These are simply intended as a high level overview regarding the lost productivity measurement of network outages, based on selected components. They are very useful in making a preliminary estimate of the cost of an outage, especially when presented in a group setting.
How does someone present something as complex as a business vulnerability analysis, not only to peers, but to the broad cross-section of competing interests in the typical large corporation? There are ways. Let’s discuss a few, using the fictitious ABC Polymers Company once again as our guide. The following slides show a convenient method for contrasting three diverse business lines in an interdepartmental setting. Try this. Illustrate each of the 3 business divisions with at least three high level slides, in the following fashion:
A. A “Focus” slide showing high level issues and business overview.
B. A “Dynamics” slide, designed to show how long the business could operate in a major automated system failure.
C. A Cost / Benefit slide designed to represent the line of business need vs. perceived benefit. (i.e., some systems desired by the Food Company may be somewhat passé to the Real Estate & Investment Company) 
Then color-code the “solution” slide (the Cost / Benefit slide) to illustrate the relative cost/benefit by business unit. It’s an instant ice breaker since each business unit feels like you are sensitive to their unique needs, making them all the more eager to support you.
These multicolored tables at the end of each business impact slide section show the relative cost based on the associated risks to the components in the environment. Where the risk is high and the costs are very low, the decision is not a costly one and requires little thought. These are indicated in RED. However, where the risk is low and the costs are high to very high, it is unlikely that the business line would want to go through with the action. These areas are indicated in GREEN. The bulk of the costs in the moderate range and the moderate risk areas are the ones worthy of further discussion. These are indicated in YELLOW. The recommendations stay the same for each business unit - only the COLORS change to reflect the differing business dynamics, pain threshold and willingness to pay of each individual business unit.
It is possible to save some time on your analysis and not sacrifice quality. For example, most of the money figures could come directly from business line financial controllers, since they are in a position to know, and generally give a straightforward answer. Operational capabilities for the most part should come from the AVP or VP level, in order to provide both a core business and technical perspective. 
If produced properly, these slides will be the cornerstone of your executive presentation for support and funding as well as serving as a springboard to fruitful discussion and thoughtful technological planning.
The multicolored tables at the end of the business impact slide section show the relative cost based on the associated risks to the components in the environment.
• Where the risk is high and the costs are very low, the decision is not a costly one and requires little thought. These are indicated in RED. For example, “Keep Spare Parts on Site by all manufacturers for Router cards, switch cards and hub cards.” and “Change and monitor passwords on network routers and issue separate passwords to users. Keep a log of all major changes.”
• However, where the risk is low and the costs are high to very high, it is unlikely that the business line would want to go through with the action. These areas are indicated in GREEN. These are considerations which will probably never be acted upon unless in combination with another project in order to mitigate the cost. Things like: “Want to eliminate all possibility of cable failure? Rewire the whole building and run two cables to each workstation.”
• The bulk of the costs in the moderate range and the moderate risk areas are the ones worthy of further discussion. These are indicated in YELLOW. These are “let’s talk about it” alternatives, like: “Replace or duplicate all MAUs with managed MAUs to prevent beaconing from taking down entire rings.” and “Install water detectors in cable shafts near restrooms.”

Overview of Exposure in Terms of Cost Benefits: Core Business Network Systems

Costs:
Very High: Want to eliminate all possibility of cable failure? Rewire the whole building and run two cables to each workstation. Move all servers to a computer room environment. Arrange for duplicate access facilities from the telephone company. Duplicate all power supplies and logic cards for all Routers to prevent single point of failure.
High: Keep the same wiring, but run a second wire to all users. Duplicate only main fiber and cable runs. Replace or duplicate all MAUs with managed MAUs to prevent beaconing from taking down entire rings. Install new, comprehensive network management system for a “Johnson Space Center” level of command and control.
Moderate: Duplicate wiring to the bay areas only, run single threaded out to workstations. Install water detectors in cable shafts near restrooms. Duplicate power cards, logic cards and software in company’s Internet firewall server. Duplicate 64Kb circuits to all outlying regional offices.
Low: Install more pay telephones on site in case of a major C.O. failure. Train users and develop standards. Change Routers to accommodate dual porting for mission critical applications.
Very Low / None: Keep spare parts on site by all manufacturers for Router cards, switch cards and hub cards. Change and monitor passwords on network routers and issue separate passwords to users. Keep a log of all major changes.

Exposure: Very Low / None | Low | Moderate | High

Overview of Exposure in Terms of Cost Benefit: Core Business Equipment Systems

Costs:
Very High: Install 22 gauge cable to overcome distance limitations and allow greater intermixing of service. Relocate furnace equipment which backs up to interface room. Rehome all station-side cable which presently is single-threaded through the PBX distribution frame.
High: Upgrade Cisco 4000’s to 5000/6000 “Ultra” series to provide redundant power, CPU and logic. Rehome 50% of incoming “800” service to a second “Class-1” CO outside Dallas. Install dry-pipe sprinkler system in transmission services room. Install a Network Management System for the WAN, including SNMP “hooks” to read network (SONET) data from circuit providers.
Moderate: Install a development / test firewall, duplicate firewall WAN connections, and increase manpower. Install power failure rollover phones for supervisors in all critical work areas. Eliminate or re-route water pipes in interface rooms. Install backup AC rectifier power AT&T G3 switches in switch room, etc.
Low: Firm up responsibilities for security between mid-range and firewall groups. Install a backup circuit to ADVANTIS. Install -48V battery backup power for DACS and SONET equipment in transmission services.
Very Low / None: Install additional pay telephones. Keep supply of quarters on hand. Keep extra cellular phone batteries on hand. Add procedures for utilizing two way radio in major system failures. Install emergency “1FB” lines on copper facilities in strategic equipment and command areas. Organize and document contingency procedures for dealing with major network and system failures, including rerouting, recordings, response teams, etc. Document and test.

Exposure: Very Low / None | Low | Moderate | High

Overview of Exposure in Terms of Cost Benefit: Core Business Documentation and Policy Considerations

Very High: Review and document all Help Desk support and escalation procedures. Move all servers to hardened site for security and control. Form high level LAN Standards Committee.
High: Strengthen procedures for physical inventory of equipment. Document a formal process for PC rollout which can be standardized and duplicated. Appoint and document an interdepartmental “Change Control Czar” or Configuration Board to approve all changes.
Moderate: Identify and document applications slated for operating system conversion. Strengthen performance/availability management systems. Refine Client/Server System certification and test process. Establish a separate Help Desk number for standardized production (revenue impacting) workers.
Low: Document and clarify high level responsibility for PC rollout. Revisit PC rollout schedule for 1997/98. Document a sustainable deployment rate.
Very Low / None: Establish vendor arrangement for on-site depot or storage of servers and parts. Verify problem tracking systems for informal floor support. Implement a procedure for disposal of transitioned PCs and equipment (proprietary data). Eliminate PC software acquisitions through informal channels.

Exposure: Very Low / None | Low | Moderate | High

Overview of Exposure in Terms of Cost Benefits: Core Business Workstation & PC Considerations

Complexity:
Very High: Review and document all Help Desk support and escalation procedures. Move all servers to hardened site for security and control. Form high level LAN Standards Committee.
High: Strengthen procedures for physical inventory of equipment. Document a formal process for PC rollout which can be standardized and duplicated. Appoint and document an interdepartmental “Change Control Czar” or Configuration Board to approve all changes.
Moderate: Identify and document applications slated for operating system conversion. Strengthen performance/availability management systems. Refine Client/Server System certification and test process. Establish a separate Help Desk number for standardized production (revenue impacting) workers.
Low: Document and clarify high level responsibility for PC rollout. Revisit PC rollout schedule for 1997/98. Document a sustainable deployment rate.
Very Low / None: Establish vendor arrangement for on-site depot or storage of servers and parts. Verify problem tracking systems for informal floor support. Implement a procedure for disposal of transitioned PCs and equipment (proprietary data). Eliminate PC software acquisitions through informal channels.

Exposure: Very Low / None | Low | Moderate | High

Summary

There are many other errors not mentioned here which are possible in the business impact analysis phase of a major business recovery planning effort. These represent just a few of the most common. Bear in mind however, many companies skip this step altogether - the most fatal and unforgivable error of all. 
That means the organization will never really know what the mission is, what they are protecting, what outage costs them, or how to garner the support to get the job done. It is therefore imperative to do a thorough job on this first phase, to avoid being doomed from the start.



Portions of this article were adapted from Leo Wrobel’s two new books, Business Resumption Planning (C) 1997, Auerbach Publishers and The Definitive Guide to Business Resumption Planning (C) 1997 Artech House Books. Reprinted with permission. You can contact his web site at www.dallas.net/~premiere or call (972) 228-8881.



Disaster Recovery World© 1999, and Disaster Recovery Journal© 1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or part is prohibited without the express written permission from Systems Support, Inc.