Business Continuity and Disaster Recovery - Business Impact Analysis
Business impact analysis is a critical part of the business continuity planning process. This step quantifies data and gets into the real world issue of potential losses that can negatively impact your business. It is used to understand the most important impacts and how to best protect your people, processes, data, communications, assets and the organization's goodwill and reputation.
Organizations often think in terms of disaster recovery. Business continuity and the business impact analysis is more focused on keeping the business up and running and less focused on recovery after a disaster. The business impact analysis also is not focused only on the potential disasters, but on all potentially critical discontinuities. Key elements of the Business Impact Analysis are to identify critical business functions, establish the maximum acceptable outage time for each of these functions and then to determine the impact of not performing those functions. This can be measured against regulatory, legal, financial, operations or customer service requirements.
Once the adequacy of security and controls is evaluated and critical business functions and outage times are defined, the business continuity planner needs to develop an understanding of the probability of threats factored by the severity or impact and to start to develop a cost benefit analysis of the largest impact and highest probability threats.
It's virtually impossible to create an absolute value and prioritization of threats and impacts. Generally, a relational system is used to drive out the key priorities. Often, each threat is evaluated according to its probability and assigned a 1, 5 or 10 rating. Then, each threat is evaluated according to its impact on critical business functions and on the business overall. For example, a discontinuity in a critical business function of less than one hour might receive a value of 0. A discontinuity of one to eight hours might be ranked a 1, eight to twenty four hours might be ranked a 2 and over 24 hours might be ranked a 3. Obviously, these rankings need to be developed on a company specific basis. Probability factored by impact creates the relational prioritization list.
This approach to risk evaluation and control allows management to start to quantify the risks and potential impacts on the organization in a thoughtful and analytical way. This results not only in higher quality decisions, but also provides an audit trail that demonstrates that management is paying attention to its risk management responsibilities. These responsibilities might be established by regulatory or legal bodies, demanded as a contractual commitment by customers or simply expected by shareholders as sound and prudent management. The key corporate goals are to protect people, protect assets, protect data and to protect the brand and reputation of the organization.