What is a business impact analysis (BIA)?
It is designed to ensure that the right business continuity solution is put in place. It identifies the mission-critical business functions and ensures that no business functions get overlooked. It may be clear, for example, that a company needs to protect the main server, but applications such as replicated databases on other machines where discrete information is captured, or individual users saving data locally, may be overlooked but could still be of vital importance to the business.
Remote working is also beginning to present an increased business continuity challenge as this way of working becomes more widely adopted. Remote users need to be able to back up data, and must also be able to restore information should there be a problem with their piece of equipment. Remote connections to the office must be reliable, which may involve the setting up of a secondary service in case of failure.
The main function of the BIA is to identify the organization's minimum business and IT requirements in order to remain in business. The BIA will also specify the required timeframe - recovery time objective (RTO) - by which these functions must be restored following any periods of unacceptable interruption, caused, for example, by systems failures, power outages, flood, fire, terrorist attack, or denial of access to office premises. And from this information, the foundation of your business continuity plan (BCP) is laid.
In addition to providing a basis for the BCP, the BIA challenges companies to begin to develop a business continuity culture by asking what the impact on the business would be if these functions were not recovered within the designated timeframe. This can often serve as justification in terms of ROI for the implementation of a business continuity plan in the first place.
Apart from identifying the critical processes and applications, the BIA also considers the most important thing without which a business could not continue - the people. Who is fundamental to the continuance of the business? How soon do they need to be in possession of information or systems?
If, for example, your call center operation has been identified as a mission-critical function, then enabling its ongoing presence in time of disaster is important. Suppliers, customers and shareholders will all want to be reassured that the business is functional - therefore ensuring the immediate availability of call center personnel, telephony, PC functionality and alternative office space will be a vital part of your BCP. However, other departments may be 'less' critical, so their restoration can be planned to occur at a later time period according to the recommendations of the BIA.
More about the recovery time objective
Understanding the RTO for various functions is an important element of BCP. As indicated above, a full understanding of the RTO for your organization's business units provides the foundation for the entire planning process. Unless you have ascertained how quickly you require a particular application or department to be available again, you cannot build a BCP that respects these critical recovery milestones, nor determine how to achieve them. For instance, a financial institution may find that its most critical function is its dealing room. Without it, the organization could lose millions in just a few minutes. Therefore, the recovery time for the trading function needs to be as short as possible.
Alternatively, other functions (marketing perhaps), while important to the company's overall strategy, may not need to be recovered in a matter of minutes. In fact, it may be possible to function adequately without your marketing department for hours or even days. Correct understanding of your business operations' RTOs enables you to devise a plan for timely and effective business restoration.
Just as your BIA will advise you on the order of priority for the restoration of business and IT functions, it will also reveal the extent to which each function needs to be restored. This recovery point objective (RPO) is the reality check of business continuity, for it reminds you to focus on the essentials of recovery. For example, you may be able to successfully recover with only 30 percent of staff rather than your entire workforce; or cope with data that is 24 hours, rather than 24 seconds, old; or operate from a shared rather than dedicated recovery facility. Or perhaps you will need the instantaneous fail-over synonymous with high availability.
Whatever your requirement, the BIA will determine the relevant RPO for each application or function and from this you can ascertain how each part of the business would be recovered in the case of an interruption, thereby developing a BCP tailored to the myriad recovery needs of your business.
Why use a third party?
A BIA can be done in-house, but is often influenced by internal politics, which serve to hamper the progress of the individual or team assigned to conduct the BIA. In addition, in-house business managers are more likely to ask for unnecessary applications to be recovered alongside the mission-critical ones. This generally results in unrealistic demands and a more expensive solution.
Independent consultants can take a more objective approach, will challenge the assumptions of the in-house team and provide the benefit of broad experience. Independent consultants are also often regarded as having more credibility than in-house counterparts, which can accelerate decision-making at the board level to the benefit of the planning process.
How to build BIA into policy
The BIA will lead to the development of a business continuity plan, with each application and system allocated an RTO and RPO. Business continuity management policy follows on from this in turn, as the BCP, once developed, cannot remain a static item. Rather, the BCP must become a part of corporate culture, subject to ongoing testing, auditing and maintenance to ensure it develops as the business changes.
Without a BIA, companies run the risk of over- or under-engineering their business continuity solution. Either way, large amounts of money can be spent on a solution that isn't fit for purpose and fails to meet the business needs of the organization. Should such a plan need to be implemented, there is every possibility that recovery will be compromised by a solution that is not formed upon the correct basis.
A builder would never conceive of erecting the walls of a house before its foundations were laid; just like the proverbial house built upon the sand, it could not hope to last. Trying to build a BCP without the BIA will have a similar effect - it truly is the foundation for any business continuity strategy.
Phil Carter is director of planning solutions at SunGard Availability Services (www.sungard.com).