All too often, presentations on how to perform a 'business impact analysis' fall short on the 'analysis' component of the project. There have been scores of wonderful presentations on 'risk analysis' questionnaires, describing which areas should be surveyed, with in-depth discussions on what to look for, but all lacking substance on how to proceed once the data has been collected.
This lack of direction is primarily due to a failure to develop a scoring process for responses, along with guidelines which would help to standardize responses into a discrete range of possible answers. In addition, most surveys fail to compare the survey responses to distinct threat probabilities to determine the level of risk. And most importantly, they do not provide a means for measuring the effects of 'what-if?' scenarios to illustrate various strategies which would mitigate the effects of disasters.
Most people believe that the questions that need to be asked are subjective, and any attempt to score responses would result in arbitrary numbers without any true relationship to their importance. This belief would be true if there were no structure given to the range of responses and no intelligent thought given to the phrasing of the questions posed.
For example, some questionnaires ask if there is physical security protection in the building, and perhaps allow its reliability to be rated on a scale of 1 to 10. Of course, depending on how they are viewed by the respondent, answers could vary widely. Also, there is no indication, in the form of a guideline, as to what to evaluate, or how to rate each element of the category.
Since most surveys are performed on paper questionnaires, any attempt at providing embedded guidelines only lengthens and complicates the survey forms. This results in a reduction of responses or a lack of cooperation due to the limited amount of time the respondents have to dedicate to the task.
Through project planning, providing guidelines, scoring of responses and analyzing results, the survey team can develop a methodology that will result in documented evidence to support their conclusions and recommendations. The following are guidelines which will assist in developing a successful analysis.
PLANNING THE EVALUATION
The planning of a business impact analysis (BIA) begins with determining how responses are to be evaluated and how to measure these responses against threat probabilities and financial or operational impact. Basically, there are three elements in the risk equation: threats, assets and mitigating factors. Simplified, the relationship is:

            Threats * Assets
Risk = ----------------------
          Mitigating Factors
Threats (T) are events or situations which would cause financial or operational impact to the organization. These are measured in probabilities, such as 'may occur 1 time in 10 years' or 1:10. Each threat has a duration (d) of time in which the business or operation would not be able to function. For example, a power outage may have a duration of 4 to 8 hours depending on the type of outage (Regional grid, local transformer or building feed). This factor (d) will determine the financial impact. Each functional manager should know what the cost would be to the company if their operation would not be able to function for a duration of time.
Assets (A) are composed of many elements. They are not only the physical assets (equipment, material, supplies, furnishings, etc.) that are owned by the organization, but include financial assets as well. Revenues lost for the duration, additional costs to recover, fines and penalties incurred, lost goodwill and competitive advantages are all components of the asset figure. The figure that should be used in the formula is the total value of all assets reduced by their insurance coverage.
Mitigating factors (M) are the protection devices, safeguards and procedures which are in place that reduce the effects of threats. Notice that mitigating factors do not reduce threats; they only reduce the effect of threats once they have occurred. For example, the threat of an earthquake is not reduced by an improvement in the building structure. This is important, since threats remain fairly constant for each location and only change when the environment changes. That is why a BIA should be done annually, to discover how changes in the environment affect the functions of the organization and how mitigating factors (the surveys) have responded to the changes.
Using the above equation, a risk factor can be identified for each functional unit of the organization. If the questions are phrased properly, and answers are measurable, the equation will consistently provide a risk factor that will reflect the vulnerability of each function.
Now let's look at the survey questionnaire(s). First, we need to determine what surveys are needed, and how they are to be scored. Secondly, there needs to be a finite number of questions so that the equation will correctly compute relative risks. The questionnaire should be consistent across the entire organization, so that apples are not compared to oranges and the figures can 'roll up' through higher levels of the organization structure.
The best approach to the questionnaires is to ask a limited number of specific questions, and provide a choice of responses which may best describe the environment. There should be a maximum (ideal) score for each response and a limited number of choices, with the most probable response somewhere in the middle. This permits the project manager to analyze several alternatives and recommend the most effective solution.
There are three types of surveys that need to be conducted: the facility survey, the computer and communications survey and the business function survey. Asking the appropriate questions on each survey is the key to success. Following are some examples that should be used in any approach.
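The scoring approach just described, worked through in code as an added example (this is not the article's own material). Each question carries a fixed set of permitted descriptions, each with a point value; the highest value is the ideal response. Category scores and the survey total (which becomes F, C or B in the later equation) are sums, the distance from the ideal ranks the categories for a what-if scenario, and identical questionnaires roll up across locations. The two facility categories, their wording, the point values and the sample responses are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    """One survey question with a fixed set of permitted responses.

    Each choice carries its score; the highest score is the 'ideal' response,
    so respondents pick a description of their environment, not a 1-to-10 rating.
    """
    category: str
    text: str
    choices: tuple  # ((label, score), ...) ordered from weakest to ideal

    @property
    def ideal(self) -> int:
        return max(score for _, score in self.choices)

    def score(self, answer: str) -> int:
        for label, score in self.choices:
            if label == answer:
                return score
        # Anything outside the permitted choices is rejected rather than guessed at;
        # that is what keeps scores comparable across respondents and locations.
        raise ValueError(f"{answer!r} is not a permitted response to {self.text!r}")


# Constructed questions for two of the article's facility categories; the wording,
# choices and point values are hypothetical, not taken from the article.
FACILITY_QUESTIONS = (
    Question("Physical Security", "Building access control", (
        ("none", 0),
        ("receptionist during business hours", 1),
        ("badge readers on main entrances", 3),
        ("badge readers plus guards around the clock", 5),
    )),
    Question("Physical Security", "Visitor handling", (
        ("unescorted", 0),
        ("sign-in log", 2),
        ("sign-in, visitor badge and escort", 4),
    )),
    Question("Backup Power Supply", "Generator coverage", (
        ("none", 0),
        ("UPS only, minutes of runtime", 2),
        ("generator for the computer room", 4),
        ("generator for the whole building, tested monthly", 6),
    )),
)

# Constructed responses for one location.
SAMPLE_ANSWERS = {
    "Building access control": "badge readers on main entrances",
    "Visitor handling": "sign-in log",
    "Generator coverage": "none",
}


def score_survey(questions, answers):
    """Return (actual score per category, ideal score per category)."""
    actual, ideal = {}, {}
    for q in questions:
        actual[q.category] = actual.get(q.category, 0) + q.score(answers[q.text])
        ideal[q.category] = ideal.get(q.category, 0) + q.ideal
    return actual, ideal


def survey_total(per_category):
    """The survey score (F, C or B in the article's equation) is the sum of its categories."""
    return sum(per_category.values())


def gaps_to_ideal(actual, ideal):
    """Categories ranked by distance from the ideal score: the candidates for a what-if scenario."""
    gaps = [(cat, ideal[cat] - actual[cat]) for cat in actual]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def roll_up(location_totals):
    """Roll identical questionnaires up one organizational level.

    Because every location answers the same questions, totals can be summed and
    the weakest location identified without comparing apples to oranges.
    """
    weakest = min(location_totals, key=location_totals.get)
    return {"total": sum(location_totals.values()), "weakest": weakest}


if __name__ == "__main__":
    actual, ideal = score_survey(FACILITY_QUESTIONS, SAMPLE_ANSWERS)
    print("category scores:", actual, "ideal:", ideal)
    print("survey total:", survey_total(actual), "of", survey_total(ideal))
    print("largest gaps first:", gaps_to_ideal(actual, ideal))
    print("roll-up:", roll_up({"Head office": survey_total(actual), "Plant": 12}))
```

The point of rejecting a free-form answer in `Question.score` is the one the text makes: a respondent's "7 out of 10" cannot be compared with another site's "7 out of 10", whereas a chosen description can be scored the same way everywhere.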
THE FACILITY SURVEY
The facility survey should be performed once a year for each location. It should be completed by the facility manager with support from the building security and systems personnel. This questionnaire should divide the exposures of a facility into 20 categories:
2. External Exposure
3. Fire Fighting
4. Fire Detection and Alarms
5. Lightning Protection
6. Water and Flood Exposure
7. Regional Environmental Threats
8. Physical Security
9. Emergency/Disaster Program
11. Roof Condition/Maintenance
12. Building Electrical Service
13. Air Handling Equipment (HVAC)
14. Cooking equipment/Kitchens/Vending Areas
15. Computer Room Construction Maintenance
16. Backup Power Supply
17. Boilers/Heating Equipment
18. Smoking Controls
19. Telephone Service (Voice)
20. Emergency Services Response
THE COMPUTER AND COMMUNICATIONS SURVEY
The computer and communications survey, like the facility survey, should be performed once a year for each location. This questionnaire is directed toward the systems people, with support from the facility manager. Most likely the data will be collected from several sources. In this case, one person familiar with the issues should serve as the respondent and collect the appropriate answers from those most knowledgeable. The same formula holds true for this survey. Following are twenty suggested categories for this survey:
2. Network Access Controls
3. Physical Security
4. Archived Data
5. Vital Data
6. Backup Procedures
7. Recovery Procedures
8. Backup Equipment
9. Backup Facility
10. Test Plan
11. Network Diversity
12. PBX Backup
13. Network Documentation
14. Spare Parts Inventory
15. Backup Services
16. LAN Configuration
17. Personnel Availability
18. Off Site Storage
19. Operations Personnel
20. Technical Personnel
THE BUSINESS FUNCTION SURVEY
The third questionnaire is directed at the business functions themselves and should include input by the head of the function.
However, the lower in the organizational structure this survey is conducted, the more precise the measurements can become. Also, it should be noted that in addition to the survey of vulnerabilities, the Business Function will need to supply the 'cost of outage' data.
As with the other surveys, there should be a limited number of categories. Following are 20 suggested topical categories:
1. Critical Operations
2. Critical Records
3. Critical Equipment
4. Critical Supplies
5. Critical Vendors
6. Critical Personnel
7. Facility Backup
11. Computer Systems
12. Voice Communications
18. Product Timeliness
20. Recovery Procedures
It is important that the questions be generic enough to apply to any business function.
The second component of the Business Function Analysis is the Financial Assets including the 'Cost of Outage' data. This is the most critical element in the BIA, since it goes directly into the analysis equation.
Therefore, the head of the function should provide this information and important guidelines should accompany the request. The questionnaire should be devised to collect the estimated loss of revenues in the event of an outage for several time periods. It is important to request the outage costs to the function in specific time frames only.
As stated earlier, Assets (A) are composed of physical assets (equipment, material, supplies, furnishings, etc.) that are owned by the organization. Lost revenues, additional costs to recover, fines and penalties, lost goodwill (including competitor advantage) and delayed collection of funds (loss of float) are all financial assets that would be impacted by a disaster.
There are a multitude of threat scenarios to be considered in any BIA. A minimum of 35 threat scenarios have been identified which have a high enough probability to be considered as possible causes of business interruption. Each threat has a probability ratio.
For example, as a result of the recent event in Oklahoma City, terrorism has a probability of 1:2 in the United States at this time.
Each year these probabilities would have to be researched and revised to determine the current risk factor. A database containing threats by category and by region of the world's business communities, along with their probabilities and documented sources, would be a great asset for anyone doing a Business Impact Analysis.
Each threat presents a different estimated outage duration. That is to say, a major fire or explosion could cause an interruption of several days to many weeks, while a power outage would most likely be less than 8 hours.
It is important to note that the existence of a recovery plan does not alter this outage duration in the equation. This will be factored into the results based on the three questionnaires. Do not attempt to modify the outage durations because of other factors.
Unquestionably, the volume of data collected and the number of variables involved in the equation will demand a computer system to provide any meaningful comparative analysis.
One must remember that the total equation for the impact analysis is a sum of equations for each threat, by function. The resulting equation then has the form:
             ( Td * Rd ) + ( A - I )
Risk = X  ------------------------
             ( F ) + ( C ) + ( B )

Where: X = Sum for all Business Functions
       T = Threat for duration
       R = Revenues lost for duration
       A = Assets (includes physical/financial costs)
       I = Insurance coverage
       F = Facility survey score
       C = Computer/Communications survey score
       B = Business Function survey score
Substituting hypothetical figures into this equation would result in a number which could graphically represent the level of risk realized by a given business function for a specific threat.
This same process for all threats to a given business function would represent its overall risk factor.
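The summed equation carried through with constructed figures, as an added example that is not part of the article. It reads the formula literally as printed: for each threat the term is ((Td * Rd) + (A - I)) / (F + C + B), so (A - I) enters every threat term unweighted by probability; the function's risk factor is the sum over threats and X the sum over functions. Two assumptions are mine: Rd is looked up from the 'cost of outage' table collected for specific time frames (the smallest frame that covers the threat's duration), and a what-if scenario is modelled as re-running a function with an improved survey score. Threats, probabilities, durations, costs and scores are all illustrative.

```python
from dataclasses import dataclass, replace


def probability(ratio: str) -> float:
    """Convert the article's '1:10' style ratio into a probability (0.1)."""
    occurrences, years = ratio.split(":")
    return int(occurrences) / int(years)


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # T, from a ratio such as 1:10
    duration_hours: float      # d, the estimated outage; not adjusted for recovery plans


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    # 'Cost of outage' as collected from the function head: (outage hours, revenue lost),
    # in ascending order, for the specific time frames the questionnaire asked about.
    outage_costs: tuple
    assets: float            # A, physical plus financial assets exposed
    insurance: float         # I, insurance coverage of those assets
    facility_score: float    # F
    computer_score: float    # C
    business_score: float    # B

    def revenue_lost(self, duration_hours: float) -> float:
        """Rd: the collected figure for the smallest time frame that covers the duration (assumption)."""
        for hours, lost in self.outage_costs:
            if duration_hours <= hours:
                return lost
        return self.outage_costs[-1][1]  # beyond the longest frame asked about


def risk_for_threat(fn: BusinessFunction, threat: Threat) -> float:
    """The article's per-threat term, read literally: ((Td * Rd) + (A - I)) / (F + C + B)."""
    mitigation = fn.facility_score + fn.computer_score + fn.business_score
    if mitigation <= 0:
        # With no mitigating factors at all the equation has no finite value; the
        # questionnaire design should guarantee some positive score for every function.
        raise ValueError(f"{fn.name}: survey scores must sum to a positive number")
    exposure = threat.annual_probability * fn.revenue_lost(threat.duration_hours)
    return (exposure + (fn.assets - fn.insurance)) / mitigation


def function_risk(fn, threats):
    """Overall risk factor of one function: the sum over all threats."""
    return sum(risk_for_threat(fn, t) for t in threats)


def total_risk(functions, threats):
    """X in the article: the sum over all business functions."""
    return sum(function_risk(fn, threats) for fn in functions)


def what_if(fn, threats, **score_changes):
    """Re-run a function with changed survey scores (e.g. facility_score=80) to value a safeguard."""
    return function_risk(replace(fn, **score_changes), threats)


# Constructed figures; probabilities, durations, costs and scores are illustrative only.
THREATS = (
    Threat("power outage", probability("1:2"), duration_hours=8),
    Threat("major fire", probability("1:50"), duration_hours=14 * 24),
)
FUNCTIONS = (
    BusinessFunction("Order Processing", ((8, 20_000), (24, 50_000), (168, 300_000), (720, 900_000)),
                     assets=500_000, insurance=400_000,
                     facility_score=60, computer_score=45, business_score=55),
    BusinessFunction("Payroll", ((8, 0), (24, 5_000), (168, 40_000), (720, 200_000)),
                     assets=100_000, insurance=100_000,
                     facility_score=60, computer_score=45, business_score=30),
)

if __name__ == "__main__":
    for fn in FUNCTIONS:
        for t in THREATS:
            print(f"{fn.name:16} {t.name:13} {risk_for_threat(fn, t):10.1f}")
        print(f"{fn.name:16} {'all threats':13} {function_risk(fn, THREATS):10.1f}")
    print("organization total:", round(total_risk(FUNCTIONS, THREATS), 1))
    # What-if: the facility survey score rises from 60 to 80 after a safeguard is added.
    print("Order Processing with facility score 80:",
          round(what_if(FUNCTIONS[0], THREATS, facility_score=80), 1))
```

Because the threat list and outage durations are held fixed, the only levers a what-if scenario moves are the survey scores in the denominator (and insurance in the numerator), which is exactly how the text separates mitigating factors from threats.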
Good project management techniques and controls are the key to the success of any business impact analysis. Well planned questionnaires combined with standardized evaluation criteria will ensure that comparative results can be obtained, recommendations are meaningful and their justifications can be documented.
By structuring questionnaires to allow responses to be measurable, a quantitative analysis can be performed to determine the most effective protective devices and procedures.
By applying a mathematical formula to these responses and making comparisons to 'ideal' or 'optimal' situations, a set of alternative solutions can be identified which will provide a basis for your recommendations.
No one will envy the amount of work you need to do, but at least you will have documentation to recommend improvements and you will be able to graphically illustrate their benefits.
Using standardized scoring and analysis techniques, your recommendations and benefit analysis would have a much higher level of credibility.
Printed in Winter 1996
Robert Jackson is president of Decision Support Systems, Inc.