This article describes methodology and techniques for performing a comprehensive business impact analysis (BIA). This version of a BIA provides the foundation for the entire business continuity planning effort. Based on the various considerations addressed during the BIA, the process itself and related methodology can be equally as beneficial as the final written business continuity plan. The benefits derived from performing a comprehensive business impact analysis include:
- Reducing legal liability
- Minimizing potential economic loss
- Decreasing potential exposure
- Reducing the probability of a disaster ocurrence
- Reducing disruption to normal operations
- Ensuring organizational stability
- Ensuring orderly recovery
- Minimizing insurance premiums
- Reducing reliance on key personnel
- Increasing asset protection
- Ensuring safety of personnel and customers
- Complying with legal, statutory, and regulatory requirements
Business impact analysis is a concern of the entire organization, not just the computer systems. To develop a comprehensive business impact analysis, all business units and departments should be involved.
Top management must support and be involved in the BIA process. Management should be responsible for coordinating the process and ensuring its effectiveness within the organization. Adequate time and resources must be committed to the development of the BIA. Resources could include both financial considerations and the effort of all personnel involved.
Because top management has several high priorities related to the needs of the organization, it may be difficult to obtain the level of commitment necessary for a successful project. Recent disaster statistics may be useful in convincing top management that business continuity planning is an importation consideration.
A planning team should be appointed to participate in the BIA process. The planning team should include representatives from all functional areas of the organization. Key team members should include the Chief Financial Officer, Chief Information Officer, Vice President of Operations, Risk Management Officer, Security Officer, Facilities Manager, and key department managers. The team should define the scope of the analysis and be involved in setting priorities and reviewing the BIA findings and recommendations.
Although the exact nature of potential disasters or their resulting consequences are difficult to determine, it is beneficial to perform a comprehensive risk assessment of all threats that can realistically occur in the organization. Regardless of the type of threat, the goals of business continuity planning are to ensure the safety of customers and employees during and following a disaster.
The planning team should prepare a risk analysis that includes a broad range of possible disasters, including natural, technical, social and human threats. Each functional area of the organization should be analyzed to determine the potential consequence and impact associated with several disaster scenarios. The risk assessment process should also evaluate the safety of critical documents and vital records.
Items to consider in determining the probability of a specific disaster should include, but not be limited to:
- Geographic location
- Topography of the area
- Proximity to power sources, water bodies, and airports
- Degree of accessibility to the organization
- History of local utility companies in providing uninterrupted services
- History of the area's susceptibility to natural threats
- Proximity to major highways which transport hazardous waste and combustible products
- Proximity to nuclear power plants
- Other factors
All locations and facilities should be included in the risk assessment. The analysis should provide for the 'worst case' situation: destruction of the main facility. Rather than attempting to determine exact probabilities of each disaster, a general relational rating system of high, medium and low can be used initially to identify the threats with the highest probability.
The risk analysis also should determine the rate of occurrence and the impact of each type of potential threat on various business units and functions within the organization. It is important to assess the impacts and consequences resulting from loss of:
- Key external service providers
The planning team should also analyze the costs related to reducing potential exposures.
Because a goal of business continuity planning is to ensure the safety of personnel, customers, and assets during and after a disaster, a critical part of the planning process is to identify the preparedness and preventative measures in place at any point in time. Once the potential areas of high exposure to the organization are identified, additional mitigation measures can be considered for implementation.
Disaster prevention and preparedness begin at the top of an organization. The attitude of senior management toward security and prevention should permeate the entire organization. Therefore, management's support of business continuity planning can focus attention on good security and prevention techniques and better prepare the organization for the unwelcome and unwanted.
Disaster mitigation techniques include both procedural prevention and physical prevention. Procedural prevention relates to the security and recovery activities performed on a daily basis. Physical prevention and preparedness for disaster include special requirements for building construction, as well as the safety and protection of assets, records and personnel.
Adequate insurance coverage is a key consideration during the BIA. Having a business continuity plan and testing it may not, in itself, lower insurance rates in all circumstances. However, a good plan can reduce risks and address many concerns of the underwriter, in addition to affecting the cost or availability of the insurance.
Most insurance agencies specializing in business interruption coverage can provide the organization with an estimate of anticipated business interruption costs. Organizations may be obligated to customers to provide continuing services with minimum disruption. Most organizations that have experienced a disaster indicate that their costs were significantly higher than expected in sustaining temporary operations during recovery. Business interruption coverages may include extra expenses until normal operations can be resumed. However, coverages differ in the definition of resumption of services. As a part of the BIA process, these coverages should be discussed in detail with the insurer to determine adequate levels of insurance. Recent statistics indicate that 50% of businesses are underinsured for a major disaster occurrence.
IDENTIFYING MISSION CRITICAL FUNCTIONS
The mission critical functions should be identified within all business units and departments. Critical functions include all information, processes, activities, equipment, and personnel needed to continue operations should a business unit or department be destroyed or become inaccessible.
To determine the mission critical functions of the organization, each department should document all important functions performed within that department. This information can be gathered by documenting daily activities within each department. An analysis over a period of two weeks to one month can indicate the principle functions performed inside and outside the department, and assist in identifying the necessary data requirements for the department to conduct its daily operations satisfactorily. Some of the diagnostic questions that can be asked include:
- What specialized equipment is used in the department and how is it used?
- What are lead times for replacing critical equipment?
- If the on-line systems were not available, how could the department continue to function?
- What parameters, guidelines, or procedures would be necessary to limit exposure during on-line systems downtime (i.e., management approval may be required of checks or disbursements above specified dollar amounts)?
- What is the minimum staff and floor space needed to continue operations at another facility?
- What special forms and supplies are needed for each departmental area?
- What communication devices (i.e., telephones, facsimile equipment, data transmission equipment) would be necessary to continue operations?
- Which employees have been trained to carry out several departmental jobs or responsibilities and could fill positions of key employees if they were unavailable?
OUTAGE IMPACT ANALYSIS
Once the mission critical functions have been documented, it is important to determine the impact of an outage to the critical systems and business functions. The impact depends on the type of outage that occurs, and the time that lapses before normal operations can be resumed. Other considerations may include the timing of the disaster and the potential impact on the organization (e.g., end-of-month). The following information should be carefully analyzed:
1.Business Function Description
- Size of the business function (e.g., total revenue, number of employees, number of customers, etc.)
- Main purpose of the business function (e.g., revenue generation, administrative, customer service, support function, ancillary function, etc.)
- Critical operations performed
2. Critical Systems
- Systems relied on to perform critical business functions
- System or application interfaces
- Maximum acceptable outage for the system considering both the user perspective and technical perspective
- Dependencies between business functions
- Dependencies between departments
- Dependencies between systems
- Dependencies between applications
- Loss of controls
- Major bottlenecks
- Potential stop in the workflow
- Complete interruption of the workflow
5.Future Business Function Changes
- Other changes
6.Impact of Not Processing
- Impact on customer service
- Noncompliance with government regulations
- Noncompliance with existing contracts
- Increase in personnel requirements
- Loss of revenue
- Loss of business
- Increased operating costs
- Loss of financial management capability
- Loss of competitive edge
- Loss of goodwill
- Negative media coverage
- Loss of stockholder confidence
- Legal actions
- Other impacts
Existing and required redundancy levels throughout the organization to accommodate critical systems and functions:
8.Alternate Processing Methods
Alternate processing methods for the critical functions in the event of a systems outage:
- Impact of using the alternative processing method
- Alternate processing costs
Based on the outage impact analysis, management can establish priorities within business units and departments for the overall recovery of the organization. The business functions can be assigned priorities in the following manner:
- Essential business functions - A disruption in service exceeding one day would seriously jeopardize the operation of the organization.
- Important business functions - A disruption of service exceeding one week would seriously jeopardize the operation of the organization.
- Nonessential business functions - This information would be convenient to have, but would not detract seriously from the operating capabilities if it were missing.
CONTINGENCY PLANNING COSTS
The results of the business impact analysis, and especially the costs associated with not processing, should be compared to the costs related to the contingency planning effort, including:
- Plan development costs
- PC business recovery software costs
- Subscription costs for recovery processing
- Declaration fees
- Usage fees
- Temporary location costs
- Administrative time
- Management time
- Redundancy costs
- Prevention/Preparation costs
- Insurance costs
- Consulting costs
- Relocation costs
- Travel expenses
- Unplanned expenses
- Other contingency planning costs
BUSINESS IMPACT ANALYSIS REPORT
It is important to prepare a report that describes the results of the business impact analysis process. The information in the report should be developed and documented during the process of performing the BIA.
Organizations should develop comprehensive business continuity plans that address all the critical operations and functions of the business.
The business impact analysis provides the foundation for the entire planning effort. Based on the various considerations that should be addressed during a business impact analysis, the process itself can be equally as beneficial as preparing the written business continuity plan.
Geoffrey H. Wold, CPA, CMA, CSP, CISA, CCP, CMC, is the National Director of Information Technology Consulting at McGladrey & Pullen. Mr. Wold is also a member of the DRJ's Editorial Advisory Board.Printed In Fall 1996