Business Impact Analysis
Business Impact Analysis is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. The primary objective of a Business Impact Analysis (BIA) is to identify the assets that are required for continued business operations in the event of an incident or disaster.
Business processes define the full range of activities that any organization or business firm engages in. Consequently, these business processes have business functions within them. The business functions describe, in detail, each specific activity that an organization performs in its daily operations in order to produce its product, provide its service or otherwise achieve its goal.
Business processes are grouped into two main categories: core business processes and support business processes. The core business processes relate directly to the basic business of the organization, with the operations identifying the main industry activity of the company. Support business processes facilitate the core business processes. The following are the core business processes that are characteristic of any firm:
These are the activities that are used in obtaining and storing inputs and also in the storage and transportation of finished products to the customers.
These are the activities that are responsible for the transformation of inputs into finished final outputs. These outputs could be either goods or services.
This business process entails the activities that are associated with introducing a new, better or redesigned product or service into the market. Examples of these activities include research, market analysis, design and engineering.
These are the activities whose objective is to inform existing or potential buyers. Examples of these activities are advertising, promotion, telemarketing, selling and management of retail.
These are the support services that are provided to customers after they have purchased a particular good or service. Such activities include training, help-desk services, customer support for guarantees and warranties, and call center services.
The support business processes that characterize any organization or firm include:
This support business process involves corporate governance, which translates to legal, finance planning and public government relations. It also involves accounting, building services, management and administrative support.
These are the activities that are associated with recruiting, hiring, compensating, training and dismissing of personnel to different areas.
This business process entails the activities related to maintenance, automation, design or redesign of equipment, hardware, software, procedures and technical knowledge (Brown, 2008).
The process of a Business Impact Analysis allows for targeted recovery strategies to be developed in the event of an emergency. Some BIA components should be critically evaluated for each critical business process in order to identify the minimum service level requirements for specific key processes for each potential emergency (Snedaker, 2007).
In the case where electronic data must be available to recover a specific process to a minimum service level, identify the necessary data source or sources.
If a data source is identified, it is necessary to indicate how old the data can be to satisfy recovery, that is, last weekly backup, last monthly backup and also last quarterly backup.
This involves identifying needs and reviewing options for off-site backup processes.
Identify needs throughout recovery time objectives in order to optimize recovery.
In this component, indicate how severely the process would be impacted considering current or existing mitigation measures. For example, you can give attributes such as minimal, somewhat severe and severe.
Here, indicate how likely each specific threat is to take place, taking into consideration current or existing capabilities, mitigation measures and history.
The financial impact addresses the monetary impact and the manner in which lack of components will impact the company revenues, costs and potential legal constraints with financial penalties. The service impact addresses the non-monetary impact including how people, processes and technology are impacted by components not being available. The financial and service impacts include:
Inadequacy or lack of components for BIA will lead to loss of customers and suppliers due to the company’s problems or customers and suppliers experiencing disaster or disruption.
The company may lose staff due to death, injury, depression or a decision to leave the firm especially in the case of a significant business disruption or natural disaster.
Business disruption due to lack of components may result in a company having serious problems with its public relations. A well-thought-out PR plan and ensuring availability of all components are essential in these kinds of failures, where IT systems fail such that there is loss or theft of data, modification of data and inability to operate due to missing or corrupt data.
An organization or firm may fail to meet minimum regulatory requirements in the event of a certain business disruption.
It is clear that operations are impacted by any business disruption. It is important to have the business components in order to prevent this. The operational impacts must be identified and ranked in terms of criticality.
This impact addresses how banks and other financial institutions, investors and creditors respond to either a minor or major business disruption. They will react differently depending on whether the cause is natural or man-made.
The MTD is the maximum time a business can tolerate the absence or unavailability of a particular business function. Different business functions have different MTDs.
The RTO is the time that is available to recover systems and resources that are disrupted. Typically, it is one segment of the MTD.
The WRT is the second segment of the MTD. Normally, it takes time to get critical business functions back up and running once the systems are restored, and therefore a WRT takes 2-3 days, as compared to an RTO, which takes up, for instance, only the first day of the MTD.
The RPO is the amount or extent of data loss that can be tolerated by the critical business systems of the organization. A good example is that different companies have different RPOs: some perform real-time data backup, some perform hourly or daily backups, while others perform weekly backups.
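The relationships among MTD, RTO, WRT and RPO described above can be checked mechanically across a BIA register. The following is an added example, not part of the original essay; the function names, the sample register and its values are constructed for illustration, and it assumes RPO is expressed as a time span so it can be compared with the backup interval.

```python
from dataclasses import dataclass
from datetime import timedelta as td

@dataclass
class Function:
    name: str
    mtd: td              # maximum tolerable absence of the function
    rto: td              # first MTD segment: restore systems and resources
    wrt: td              # second MTD segment: get the function running again
    rpo: td              # tolerable data loss, expressed as time
    backup_interval: td  # how often the data source is actually backed up

def findings(f):
    """Return the list of inconsistencies in one BIA entry."""
    out = []
    # RTO and WRT are the two segments of the MTD, so together they must fit in it.
    if f.rto + f.wrt > f.mtd:
        out.append(f"RTO+WRT exceeds MTD by {f.rto + f.wrt - f.mtd}")
    # Worst case, a failure just before the next backup loses one full interval.
    if f.backup_interval > f.rpo:
        out.append(f"backup interval {f.backup_interval} exceeds RPO {f.rpo}")
    return out

def review(register):
    """Rank functions by criticality (shortest MTD first) and attach findings."""
    ranked = sorted(register, key=lambda f: f.mtd)
    return [(f.name, findings(f)) for f in ranked]

# Constructed sample register; names and values are illustrative only.
REGISTER = [
    Function("payroll", td(days=7), td(days=2), td(days=3), td(days=7), td(days=7)),
    Function("order intake", td(days=1), td(hours=12), td(hours=18), td(hours=1), td(hours=1)),
    Function("customer support", td(days=3), td(days=1), td(days=2), td(days=1), td(days=7)),
]

if __name__ == "__main__":
    for name, issues in review(REGISTER):
        print(f"{name}: {'; '.join(issues) or 'consistent'}")
```

A weekly backup satisfies a weekly RPO but not a daily one, which is why the customer support entry is flagged even though its recovery times fit inside its MTD.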
Components are regularly composed for the purpose of offering more abstract services in a system that is being used for BIA. Each component has services, and the services of each component create interactions that promote dependencies. The functionalities of the system are not solely dependent on one component. Putting this into consideration, changing a component can affect that composite functionality, which is reflected in different components. Furthermore, replacing a specific component with a new version might involve replacing the components on which it depends, in order to preserve a specific system’s functionality. The most important thing to note when analyzing those aspects is the knowledge about possible component
These include an inventory of documents, databases and systems that are used on a day-to-day basis to generate revenue, and then quantifying and matching the income with those processes as part of the BIA. A recovery strategy also involves personnel, equipment, facilities, a communications strategy and more in order to effectively recover and restore a component in the event of failure.
In component recovery, there are also human assets that are needed. Disaster recovery operations and procedures should be governed or addressed by a specific central committee. This committee must have representation from all the different company departments with a role in the disaster recovery process. Typically, the departments that are directly involved include management, finance, IT (several technology needs), the electrical department, the security department, the human resource department and vendor management.
Just like other types of risk management policy, the Business Impact Analysis should develop and co-exist alongside the risk management continuous improvement model in order to properly determine relevant risks to the business and formulate test objectives to analyze. Among the risks that exist, the high-level risks should be separated from the lesser-level ones. This is achieved by aligning the risk to strategic objectives. A BIA should reflect the way an organization actually makes money or achieves its mission. In developing a BIA, the management should understand how money flows through their organization. Managers and other personnel should understand that a business contains many interactive pieces, all of which must work together in normal times (Blokdyk, 2017). The broad outline of a strategy should be apparent in BIA results. This is because a BIA presents requirements for disaster recovery plans. Consider others’ disruptions. The company personnel and the management alike should understand that businesses today are interconnected, and this therefore necessitates concern for third parties who may also encounter disruptions. A business impact analysis is a means to an end, that end being recoverability, if not resilience. The quality of a BIA should therefore be judged not on what it says but on what it accomplishes.
Blokdyk, G. (2017). Business Impact Analysis Bia: A Concise and Practical Guide. New York: CreateSpace Independent Publishing Platform.
Brown, S. P. (2008). Business Processes and Business Functions. Washington: Monthly Labor Review.
Snedaker, S. (2007). Business Continuity and Disaster Recovery Planning for IT Professionals. Tucson: Syngress.