A BUSINESS IMPACT ANALYSIS (BIA) can help identify an organization's critical processes, their recovery time objectives (RTOs) and recovery point objectives (RPOs). Information gathered is used to prioritize recovery of processes or functions, develop recovery strategies, and develop recovery plans. BIAs can help identify process interdependencies, map process flows, and also determine critical IT dependencies helpful in developing disaster recovery strategies and recovery plans. The process of developing and distributing a BIA includes question design, working with survey recipients to complete the surveys, and analyzing and presenting the results. Once is not enough. Companies merge, split apart, or enter new markets and subsequent BIAs confirm prioritization or aid in re-prioritization of process recovery and IT recovery.
Subsequent BIAs, conducted at least annually, capture the changes with technology, business processes, lines of business, locations, resources, and more. Maintaining current BIAs can be a tedious, but not impossible, process. In fact, the BIA can be used to gather information on a number of activities associated with business continuity planning.
Peeling Back the Layers
With apologies to Shrek, BIAs are like onions. No, they shouldn't stink or make you cry; they should be layered. The initial BIA will be more in-depth than subsequent annual surveys. To start, interview department heads to get a general idea of which functions are critical to the survival of the organization. Develop a BIA survey to identify the criticality of these processes in each department-be sure to include their interdependencies, operational, financial, and regulatory impacts. Once all BIA information has been gathered and analyzed, identify a cut-off to include Tier 1 RTOs (the shortest RTOs with the greatest vulnerabilities). A second survey should be developed to expand on the original. Include critical application dependencies and any existing workarounds for the critical processes identified. Also use the second survey to identify unique resource requirements, monthly or weekly impacts, and existing or potential recovery strategies. Distribute the expanded survey, with responses from the original survey, to the owners of processes with Tier 1-level RTOs. Upon completion of the expanded BIA, develop and implement recovery strategies and recovery plans for these most critical processes and their interdependencies. Next, look at the results from the first BIA and identify Tier 2 RTOs and repeat the process. Continue the layer-by-layer approach to cover the rest of the organization as needed. Once the initial BIA process has been conducted in an organization, other forms of BIAs can be used to grow, develop, and maintain an organization's business continuity program. The organization can use information it gained from its first BIA to learn a lot more on how to better prepare for disasters.
A Survey to Update Plans and Recovery Strategies
When performing plan maintenance, especially scheduled maintenance, take the time to review the processes for which plans have been developed. Do, or should they, still exist? Have they changed, and how? Have new processes been added or moved to another department or location? Have their interdependencies changed? How? RTOs and RPOs also need to be reviewed. If they have changed, their recovery strategies may need to be changed also. A BIA survey can be developed that includes a list of processes by department. It should include currently documented interdependencies, RTOs, process owners, and plans to which they belong. Distribute the survey to department heads for review and update with the plan owners. This will get department heads involved and updated, and will provide plan owners with support from their department heads and enable closer communication and greater team decision- making. Conducting the survey also allows department heads to communicate with each other about interdepartmental dependencies.
Once updated information has been gathered from the survey, the information can be used to manage updating recovery processes based on priorities determined in the survey. This is a simpler, yet effective, method of conducting an annual BIA and can take significantly less time to conduct, manage, and process. Certain planning software enables export of plan information, such as process names and RTOs, as well as import of identified changes directly back into their respective plans, thereby streamlining plan maintenance activities.
A Survey to Assess the Program
Conducting a survey to find out how things are going with the business continuity program is not a BIA per se, but it can be very worthwhile. Understanding how to be more helpful, how to make things less painful-and more meaningful-can make a big difference in how well a business continuity program is put and kept together. Are business continuity activities conducted at a good time during the year? Avoid a period where a major project is going on that is consuming most of people's schedules, or when several major deadlines are on the horizon that are preventing staff from devoting the appropriate time and energy for business continuity activities. In assessing the business continuity program, find out how well everyone knows the plans. This sort of survey offers business continuity team members an opportunity to let planners know how they can better work with them, and hopefully, make improvements to the program. It enables everyone to provide input and make a difference and it shows that their opinions, ideas, and contributions are appreciated and respected.
A Survey to Analyze Critical Records
Understanding the importance and amount of records required for recovery of processes or functions is vital. A good overall understanding of what these records are, where they come from or go to, and where and how they are stored can help an organization manage and protect critical information. Simply making an assessment of all critical records in an organization can be as big as a BIA survey. If lost critical records can be reconstructed, the process to do so needs to be documented along with the people responsible, time frames, and resources needed to restore the records. Depending on the organization, contracts, litigation papers, client records, e-mail and even voice-mail can be considered vital records. Inability to reproduce such records when needed could result in legal liabilities. The BIA survey format can be used to query personnel about vital records.
A Survey to Assess IT Backup and Retention
One of the assumptions every recovery plan should have is to expect to recover only resources stored or located offsite. Not only does data need to be stored offsite, but also it is as important for data to be appropriately backed up for the identified RPOs. Using the BIA survey format to ask about IT backup and retention issues makes the task of compiling this information much easier. Data that remains onsite or just onsite over a weekend, especially if Friday is a heavy production day, could mean a significant amount of lost data if a disaster occurs over the weekend-or possibly worse-over a holiday weekend. A BIA survey should be developed to determine what data are kept offsite, where they are located, how often backups are made, how long tape restores take, and any other storage questions important to the recovery of the organization. Understanding this information about your organization can be very helpful in taking mitigative actions for preserving the integrity of critical data. Clarifying site details on accessibility, authorized request/release of stored items, environmental and security controls, and location should also be included in the survey. Performing an IT assessment will help an organization implement appropriate measures to protect its electronic data and ensure availability at time of need. It will ensure data are moved offsite to an area that will less likely be impacted by a same disaster such as an earthquake, hurricane, or ice storm. Information from the assessment can also help in identifying practical locations for storage and recovery. For example, it could identify a location between two major company locations en route to or near the recovery facility. The BIA survey format affords a myriad of uses. It allows for identification of current status, provides direction for efforts going forward in developing or maintaining an effective business continuity program, produces a baseline from which to build recovery strategies, and more. Expanding beyond the use of a typical BIA provides an efficient method to collect numerous types of information from a large number of respondents that can enhance or build out an existing business continuity program multi- directionally. Linda Pahkim, CBCP, is a consultant with Strohl Systems Group, Inc. and works nationally and internationally on all aspects of business continuity. She is the Speakers Bureau Coordinator for the Business Recovery Managers Association in Northern California providing educational presentations on BCP. Also trained in California's Standard Emergency Management System, Pahkim participates in disaster preparedness activities with local counties and cities.Pakhim can be reached at (800) 634-2016.