Having worked for numerous companies in a consulting or full-time employee capacity, I have led and seen numerous business continuity and disaster recovery planning efforts in various stages of maturity. However, one key element stands out, and I have stepped in to rescue failed Disaster Recovery Plan (DRP) consulting initiatives due to one key missing element.
This missing element is the lack of a Business Impact Analysis (BIA). What is a BIA and why is this so important?
A BIA aims to identify critical business functions and the impact of a disruption to them. It provides an important starting point for defining the disaster recovery strategies used to respond to disruptive events. It must be the first place you start when developing and updating your DRP. Your DRP cannot effectively stand alone without a BIA.
The BIA determines what needs to be recovered and how quickly. It is one of the most difficult tasks to perform and one of the most critical to get right. The more time you have to bring a business function back in service following a disaster, the more your recovery options increase. The BIA is invaluable for identifying what is at stake following a disaster and for justifying spending on protection and recovery capability.
All business functions and the technology that supports them need to be classified based on their recovery priority.
Two components of a BIA are:
- Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable
- Recovery Point Objective (RPO) is the maximum targeted period in which data might be lost from an IT service due to a major incident.
Performing a BIA can be a time-consuming challenge, and I strongly suggest that you seek expert help in this area. The process can be complex, and connections between people, products, process and partners can easily be missed. Even in the very smallest of companies it's taken me a minimum of three to four weeks to collect data, perform the analysis, document and get approval. In larger companies this can take months, and up to a year for large global operations.
The format of a BIA can range from fairly simple to very complex. The focus should be to have just the right amount of information. Never too much or too little.
At a minimum you want to document:
- What your critical business functions are
- What the potential impact of an incident may be on these processes
- What the dollar impact of the loss may be
- Likelihood of an impact occurring
Without a BIA you could potentially:
- See extended periods of outages due to incorrect recovery times and recovery points
- Lose data
- Lose staff
- Cause deep negative financial impact for a company
- Open a company to potential lawsuits
- Waste lots of money on developing, testing and implementing a DRP
A CIO who begins disaster recovery planning without a BIA could be setting the company up for disaster.
CIOs – Make sure that you or your infrastructure and operations leaders include this critical step in your DRP journey.
Directors/Managers of IT Operations and Infrastructure – Perform this step if you haven’t already and make adjustments to your DRP.
CEOs and CFOs – Make sure you ask your IT leadership if this critical step is included in your DR implementations and re-evaluated on an annual basis.
Corporate Directors – Ask your CEO if your IT team has a DRP as part of the overall Business Continuity Plan (BCP). If not, then they must have one, and you should ensure there’s a BIA.
Even a cursory BIA is better than none. Don’t put your company or career at risk for missing this critical step in your overall BCP initiatives.