
Upload: dinhnhan

Post on 06-Mar-2018


1 Copyright 2012 William A. Million All rights reserved

Why Bother With A Business Impact Analysis?

Before jumping on the bandwagon because someone just heard about business impact analysis, you need to understand what it means, how to develop the analysis process, how to gather the data and confirm the responses, what it can do for the business, and its relationship to business continuity. If anyone believes BIA is fast and furious, it is “time to wake up.” Having been in the “disaster recovery”, now business continuity, business for 30 plus years, I have learned that oversimplification of business continuity is common and rushing into things ends up costing more than the value possibly gained. The business impact analysis (BIA) is one of the best investments a business can make if it is developing or has a business or disaster recovery plan. After all, how can you protect and recover something if you don’t know what you have, where it is in the business process and how much it is worth?

There are a number of ways that businesses approach business impact analysis (BIA). One of the most common methods is to ignore it and build contingency and recovery plans without the advantage of accurate information; others choose to spend considerable effort but achieve only marginal results. The intent here is to give guidance and insight into the focus areas of BIA to reach a comprehensive understanding of the business function(s) in the scope of the business continuity management program. As with other component analyses conducted within a business continuity project, having a professional and skilled business continuity analyst or consultant managing the project is critical to the final results. Business impact analysis, as with all stages and steps in business continuity management, must be a repeatable process, conducted as the business changes or as technology may impact the ability to survive a serious interruption or disaster.

What is Business Impact Analysis?

Definition:

Business impact analysis is the process of examining the components of the business to learn the value and relationships necessary to keep the business operating and productive.

Business impact analysis results in the differentiation between critical (urgent) and non-critical (non-urgent) organization functions/activities. A function may be considered critical if the implications of damage to the organization are regarded as unacceptable. This damage may be financial or reputational. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if it is dictated by law or is a vital link in the operational flow of the business. For each critical (in scope) function, two values are then assigned:

• Recovery Point Objective (RPO) – the acceptable latency of data that will be recovered
• Recovery Time Objective (RTO) – the acceptable amount of time to restore the function

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPD) or Maximum Acceptable Down-Time (MADT) for each activity is not exceeded.

Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

• The business requirements for recovery of the critical function
• The technical requirements for recovery of the critical function
• The ability of the business function(s) to operate for a period without information systems availability or supply chain availability

Understanding Business Impact Analysis

Business impact analysis plays a fundamental part in developing an organization’s business and disaster recovery plans, and is essential to the establishment of the Business Continuity Management program. Executive management who understand the requirements of their business are able to balance risk with the cost of prevention, mitigation, and contingency solutions. Through the exploration of the components and relationships within the business it becomes possible to identify the potential financial risk specific to those areas of the business and the business in general. Those impeding the conduct and completion of a corporate business impact analysis tend to be top executives who oppose the research as being unnecessary or too costly for the organization’s makeup. Corporate spending in this area is often held back, or too much is spent in the wrong places, because of the perceived uncertainty about the severity of the impact posed by security threats and budget factors. Skepticism about potential consequences usually fades once the green light is on to complete a BIA and the preliminary results are shown. When coupled with the business continuity management program, an effective BIA should be able to identify costs linked to failures, including loss of cash flow, replacement of equipment, salaries paid during an interruption and those paid to catch up with backlogged work, loss of profits, impact to business image, and other qualitative and quantitative concerns.

A BIA should identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, and more. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence.

BIA Objectives

The first need before starting this process is to ensure that senior management is fully committed to the project. If they understand that there is a return on investment, they should have no trouble announcing their support for the business continuity management program through the creation and implementation of corporate-level policy and letters to managers and employees.

An assumption backing BIA is that all parts of a business are dependent on some other part of the business or an entity outside the business. Those dependencies may have such strong ties that a small break in the chain will cause a cascade effect, stopping a critical process or closing the business for some period of time. Being aware of interdependencies and of potential regulatory, marketing, safety, product or service quality, and specific financial implications helps to make the disaster recovery plan and program stronger. Interruption or loss to the business may be expressed monetarily for purposes of comparison and action focus.

BIA should accomplish at least four points:

1. Determine the financial value of each organization as it relates to the total business.
2. Determine the relationship of each organization to the total business.
3. Provide a basis for identifying the critical resources required by the business.
4. Establish the recovery order of the critical business functions as related to the total business.

Each of the noted points is found in each step when building the BIA project. Therefore, measuring the business must include vulnerabilities, financial impact, operational impact, and technology requirements in order to map the business properly. This final mapping will set the Recovery Time Objectives (RTO), Recovery Point Objective (RPO), Minimal Acceptable Configurations (MARC) and Maximum Acceptable Down-Time (MADT).

The BIA may run concurrently with the hazard and threat analysis, although the most important concept will be the integration of findings when setting strategy. The amount of time and resources necessary to complete the BIA will depend on the size and complexity of the institution. All business functions and departments should be included in this process, not just information technology.

The BIA phase in business continuity planning is conducted to identify the potential impact of uncontrolled, non-specific events on the business process. It should also determine what and how much is at risk by identifying critical business functions and placing them in the dependent working order of the business process. The responses should estimate the maximum allowable downtime for critical business processes, recovery point objectives, backlogged transactions, and all costs associated with downtime. Management must also establish recovery priorities for business processes that identify essential personnel, technologies, facilities, communication systems, vital records, and data. The BIA considers the impact of legal and regulatory requirements such as privacy and availability of customer data and required notifications to the regulators and customers when the process is interrupted or relocated.

Staff assigned to develop, conduct, analyze and report findings should apply uniform interview questions that can be used on an enterprise-wide basis. Uniformity will improve the consistency of responses and help the project compare and evaluate business process requirements. The BIA project may initially prioritize business processes based on their reported place in the business flow to the business’s strategic goals and support of safe and sound practices. Prioritization should be revisited as the processes are compared to various interruption and disaster scenarios so that a workable business continuity plan (or plans) can be developed.

During the interview and questionnaire process, the use of prioritization or critical/non-critical terminology should be avoided. There are few business units or staff that would consider themselves last in priority or non-critical. Use “where are you in the business flow, who do you support and who supports you” as the means to identify in which order recovery will take place.

Is there a BIA Methodology?

There are many options available to executives when setting the strategy and process for a BIA, since each organization must make a number of decisions and choices that depend on its particular situation. A large to very large business usually finds it difficult and costly to perform a full depth and breadth detailed BIA. In lieu of the detailed process they may elect to examine larger components of the business and consider broader controls and solutions. A smaller business may have the option to conduct a full-scale evaluation and be able to implement more specific controls and solutions. Due to the variations of need, one is likely to use questionnaire and remote survey techniques, while for the other more personal interviews and surveys will apply. Both questions and responses may be quantitative and qualitative. There will be circumstances where a no-dollar gain or loss may be seen as an intangible amount. These qualitative situations should have a clear description of the actual or potential impact to assist the analyst in setting strategies and to permit inclusion in the summary results.

When starting the BIA process, as noted earlier, there are considerations and commitments that must be in place. For example:

| Action | Description |
|---|---|
| Ensure executive management commitment | A corporate policy has been enacted. Sponsorship notice has been sent out. The project will be funded. |
| Work through an enterprise BC-DR steering committee | Used to support the BCM Program and the BIA study. |
| Identify what the deliverables and contents should look like. | Format should be based on company expectations and standards. |
| Develop the initial scope. | The scope should define type of BIA to be performed, the depth of research to gain the maximum amount of detail |
| Identify the subject matter experts. | These staff may be internal or external and will review the first summaries, and help guide the development of the survey questions. You cannot survey everyone. |
| Develop the data collection plan | The company will select tools, devise procedures and inclusions for the data gathering. |
| Conduct the interviews, surveys, workshops. | Holding education sessions, workshops, interviews, and distributing and collecting data. |
| Conduct analysis and develop conclusions | Consolidating findings and key results. Prepare initial conclusions. |
| Validate findings with subject matter experts. | This confirms the initial conclusions and that all key areas have been included. Vulnerabilities, financial, operations and technical impacts have been assessed. |
| Present validated findings to executive management and approval to continue | This presentation is to gain executive backing to continue and that the program budget will be fully approved. |
| Transition to strategy development | A course of action for responding to a disaster and the starting point for a recovery plan. |

When the BIA project component is forced to stay at a minimal level, the project coordinator may choose to focus questions on the senior executive level and the finance organizations to determine the key impact areas of the business. These groups are usually adept at knowing where an impact is likely to cause the most financial or image harm to the company. The BIA effort may then be re-presented with a narrower scope yet still have some value in providing guidelines for mitigation and recovery strategies.

A business that fails to consider the true value of business impact analysis exposes itself to continued lost dollars without knowing where controls will be most effective.

What Are BIA Questions?

When making the decision regarding a process to use, the following questions, in some form, should be considered (listed in no particular order):

• Provide a description of the department or function.
• Describe the customers served. The customer may be another department or internal business function of the same company, or external to the company.
• What are the key skills required to perform the identified critical functions?
• What is the estimated or actual revenue of the function?
• Are there penalties for interruption or loss of data?
• Is the process subject to compliance with laws or regulations?
• Is the process subject to specific service level agreements or contracts?
• What are the critical business cycles?
• What are the external dependencies of the business process?
• Have operational procedures been documented and are they used daily?
• What are the key software applications?
• What specialized equipment is required and how is it used?

The questions and data being sought are endless, and for best results they need to be focused on your business. There are as many questions to be considered as there are different businesses. An examination of the business in question will be the deciding factor when developing the business impact analysis.

Always consider at least these categories of concern: Visibility, Liability, Revenue, Image, Process and Production.

• Visibility – How soon will the public and stakeholders notice that there is a problem?
• Liability – Are there laws or regulations that must be met?
• Revenue – What is the revenue loss from immediate to some time period?
• Image – Will the company’s long-term image be tarnished?
• Process – What effect will an interruption have on the total product or service the company offers?
• Production – How will production be maintained during an interruption?

Tools

Software is readily available for business impact analysis, but remember, you must be able to easily customize it for your business, and it must be simple enough to use without having to train every survey taker. The potential complexity is a reason to understand the need to use skilled people in this total endeavor. There is no monetary saving in a poorly designed and executed business impact analysis project. The results are equal to the effort expended.

How-To Approach BIA

To this point the general concepts and the high-level value of business impact analysis have been pointed out. Getting started does require commitment, management backing, and the cooperation of all who will be participants. There is little room for false starts, and poor returned information may lead to a catastrophic end in the midst of a possible future bad situation. In this discussion area, management and the planning professional should be working closely together and be mutually supportive. The stakes are high and the results worth the effort. It is best during the investigative period to avoid use of the term PRIORITY, as all will want to be seen in the realm of business as important, and priority implies importance. A safer way to approach the need for either additional protections or speedier recovery is to ask where a department or process fits in the WORK OR BUSINESS FLOW. As noted, the effect of a disaster on the business can easily result in more than the short-term loss of business and damage to property.

There are a number of areas which may be impacted by an adverse event:

• Financial results
• Good-will and reputation (via customer service, image, legal status, etc.)
• Compliance
• Health, Life & Safety
• Social impact at large (relations with the community, environment impacts, national security, etc.)

Examination of the company soul should point out strengths, unique components, core business, revenue cycles, as well as offering a resource for strategies of prevention, mitigation, recovery, and restoration.

Multiple BIA Support and Process Mechanisms

Tool sets are readily available for business impact analysis: software, Word files, Excel files, databases, books, online resources, contractors, group sessions, interview guides, or you can create your own. Pick up any copy of a business continuity or disaster recovery trade magazine; they are filled with promises and advertisements. Remember, you must be able to easily customize the tool for your business, and it must be simple enough to use without having to train every survey taker. The potential complexity is a reason to understand the need to use skilled people in this total endeavor. There is no monetary saving in a poorly designed and executed business impact analysis project. The results are equal to the effort expended.

Since there is no one form or methodology to fit every company, the following diagrams are solely representative of the variety of approaches and BIA layouts.

Home Grown

The Porter – Value Chain

To perform a BIA, one may want to look at Michael Porter’s entire Value Chain. Building a picture of the business using the Value Chain is worth the effort.

[Figure: Porter’s Value Chain. Support activities: Firm Infrastructure, Human Resource Management, Technology Development, Procurement. Primary activities: Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service. Margin. Each cell lists example functions and systems, such as Finance, Accounting, Legal, Payroll & Personnel, Engineering, E-Procurement, Supplier Relationship Management (SRM), ERP/MRP, E-Commerce, Sales Force Automation, Help Desk and Call Center.]

Every company’s business process (or processes) can be viewed using the Value Chain. We simply need to look at what applies to the particular business process, specific to the industry and function of the business. The best way to do so is to start with the analysis of the product. The nature of the product will determine which of the Value Chain’s cells (containers) are included in its production. Once diagrammed, the production path can be imagined being stopped at any point and the effect on the following groups can be shown. There are processes within those critical cells which can be easily drawn out as the result of a few interviews of the business’s personnel. Once the high-level processes are identified, the sub-processes can be drawn as well, and so on to a certain level of detail where it may become obvious which components of business infrastructure support these processes. There are a number of component areas that enable business processes:

• Technology
• Facilities
• People
• Knowledge (know-how)
• Data
• Money
• Client
• Stakeholder

The Porter model may help in developing the questions to be asked and the areas of the business to be included. A BIA provides the best results when it is executed as a structured interview using a common set of questions tailored to the part of the business in focus. The goal is quantitative results indicating the financial and supply chain impacts and qualitative results indicating the physical requirements and potential image impacts.

The Value Chain presents the business picture as primary and support activities. The process to define the questions may be best looked at as a reverse-engineering method. Since the diagram indicates the key activities of every business function, and those functions can be cross-related to any other function, the result of the BIA needs to indicate the critical ties. After a description of the process or function, the questions change to critical paths and dependencies on other functions.

Critical indications may be cyclic, financial, regulatory, supplier and image driven. As seen in the diagram, all are included. Following this road, the questions begin to define themselves. For example, asking who your customers are and where they are located provides the geographic market, even if the customer is within the same company, which may be related to areas under threat of natural disaster. This seasonal threat may have a long-lasting effect on company revenue. Knowing this, the final report may include the recommendation to expand the marketing area or to accumulate a hedge against the downturn in business.

A requirement to be served may be based on a regulatory reporting requirement, such as taxes; this would necessitate questions relative to cycles of business. These cycles may overlap or remain segregated, but when the pattern is examined the protection and recovery strategy may evolve to be a flat solution which is less expensive to initiate and can incorporate a greater portion of the business.

Recovery Time Objective, Recovery Point Objective and Maximum Acceptable Down Time, all identified in the investigative process, must be considered as qualitative and valuable data. Mitigation schemes, backup processes, recovery methodology and technology implementation, and the point of declaration of action will be derived from the reports. The referenced processes are likely to drive some lesser reported needs into a higher demand category. When a critical process relies on a declared lesser process, the second process must be upgraded to match or move ahead of the process reporting the dependence. Following the concept, the series of needed responses drives the formation of the inquiry. The responses, when diagrammed, facilitate the identification of departments, processes, or even vendors that are especially key to the continuation of the business.
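The upgrade rule above, where a lesser process inherits the tighter requirement of any critical process that relies on it, worked through as an added example that is not part of the original paper. The function names, hours and vendor entry are constructed sample data, and using the recovery time in hours as the single measure of criticality is an assumption of this sketch.

```python
import heapq
import math

# Constructed sample BIA responses: reported RTO in hours per function.
REPORTED_RTO_HOURS = {
    "order_entry": 4,
    "customer_db": 24,
    "network_core": 48,
    "payroll": 72,
    "badge_printing": 168,
}
# Constructed dependency answers: function -> what it says it relies on.
# "card_processor_vendor" was named by a respondent but never surveyed.
DEPENDS_ON = {
    "order_entry": ["customer_db", "card_processor_vendor"],
    "customer_db": ["network_core"],
    "payroll": ["network_core"],
}


def effective_rto(reported, depends_on):
    """Return (effective, driver): each item's RTO tightened to the smallest
    RTO of anything relying on it, directly or through a chain, plus the
    direct dependent that forced the change."""
    effective = dict(reported)
    for name, deps in depends_on.items():
        effective.setdefault(name, math.inf)
        for dep in deps:
            effective.setdefault(dep, math.inf)  # named but never surveyed
    driver = {}
    heap = [(rto, name) for name, rto in effective.items()]
    heapq.heapify(heap)
    while heap:  # tightest requirement first, so each item settles once
        rto, name = heapq.heappop(heap)
        if rto > effective[name]:
            continue  # stale entry, a tighter value was already applied
        for dep in depends_on.get(name, []):
            if rto < effective[dep]:
                effective[dep] = rto
                driver[dep] = name
                heapq.heappush(heap, (rto, dep))
    return effective, driver


def upgrades(reported, effective, driver):
    """List (name, reported, effective, forced_by) for every item whose
    requirement changed or that was never surveyed."""
    rows = []
    for name, rto in sorted(effective.items(), key=lambda kv: (kv[1], kv[0])):
        was = reported.get(name)
        if was is None or rto < was:
            rows.append((name, was, rto, driver.get(name)))
    return rows


def recovery_order(effective, depends_on):
    """Order items so that everything a function relies on is recovered
    before it, tightest RTO first. Items on a circular dependence cannot be
    ordered and are returned separately for analyst review."""
    waiting_on = {n: set(depends_on.get(n, [])) for n in effective}
    relied_on_by = {n: [] for n in effective}
    for name, deps in waiting_on.items():
        for dep in deps:
            relied_on_by[dep].append(name)
    ready = [(effective[n], n) for n, deps in waiting_on.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in relied_on_by[name]:
            waiting_on[dependent].discard(name)
            if not waiting_on[dependent]:
                heapq.heappush(ready, (effective[dependent], dependent))
    cyclic = sorted(n for n in effective if n not in order)
    return order, cyclic


if __name__ == "__main__":
    eff, drv = effective_rto(REPORTED_RTO_HOURS, DEPENDS_ON)
    for name, was, now, because in upgrades(REPORTED_RTO_HOURS, eff, drv):
        print(f"{name}: reported {was} h -> {now} h (relied on by {because})")
    order, cyclic = recovery_order(eff, DEPENDS_ON)
    print("recovery order:", order)
    print("circular dependence, needs review:", cyclic)
```

In the sample data the network core was reported at 48 hours but ends up at 4 hours because order entry reaches it through the customer database, and the unsurveyed vendor surfaces as an item that needs its own interview.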

With the questions identified and the response needs to be filled in, the next step in the project is to get the actual interviews and reporting sessions underway. The kickoff meeting and the rallying of management support may appear to be unnecessary, yet it is the open demonstration of management commitment that will assure participation. The quality of the reported detail will likely be more accurate.

Comprehending the results

Once the surveys and interviews have been completed and collected, the BIA is yet to be considered complete. Unless a final evaluation is conducted, the ties and relationships within the business are still to be confirmed. The quantitative values are still to be set and qualitative impacts need to be documented in the reports.

The to-do list starts with:

• Review manager feedback and, where appropriate, revisit reported findings accordingly or add to outstanding issues
• Prepare draft BIA report listing initial impact findings and issues
• Issue draft report to participating managers and request feedback
• Update the report.
• Create the business process and dependency map. described in the next few sub-chapters.
• Schedule a workshop or meeting with participating manager(s) to discuss initial findings, when necessary
• Again update the BIA report to reflect changes arising from these meetings
• Prepare final Business Impact Analysis report according to organization or house standards
• Formal presentation of Business Impact Analysis findings to peers and executive bodies

These few steps are representative of the iterations before presentation to senior management. However, since the BIA results are critical to the continued success of the business and relative to the next major project step, Risk Analysis, confirmation and support of the findings is crucial to the success of the Business Continuity Management Program.

Here are some survey findings from a moderate-size business:

[Figure: Application Use. The business unit list cross-referenced to the application each uses.]

[Figure: Business-defined application criticality, where 5 is very critical.]

[Figure: Business function recovery time requirements, indicating that a majority of the departments have a 12 hour or less recovery need.]

[Figure: Business function recovery point objective requirements, indicating that a majority of the departments have a 12 hour or less data loss tolerance.]

Charted responses are easily created using Excel or PowerPoint and are very effective when presenting summary results. Summaries need to be created with descriptive text and the proofs. When a process is initially claimed to be critical to the business, verification is needed, along with further investigation to determine the mitigations and funding needed for protection.

Define Criticality of Business Functions and Records, and Prioritize

The BIA responses now contain the needs of the business and the process flow. During the startup of the BIA, levels of criticality and recovery time objective levels or tiers should have been agreed to, and now processes and things will drop into those fields. Since business and the public have become dependent and expectant, it is very likely some processes will be reported with multiple levels of criticality. The appropriate response is first to verify, then to negotiate single or multiple levels of criticality with management. When reaching the strategy phase of BCM, available solutions or what the business is willing to sponsor may set the final criticality level or tier. “Tier” is a common term used simply to describe where in the recovery order something falls.

Diagram Representations of BIA Results

Examine the next diagram, which maps an imaginary group of related BIA surveys. Widget production and the process flow with the dependencies are shown in the diagram. Creating a diagram of work flow and dependencies tied to declared critical times gives a visual of the interdependencies and of what is likely to happen if any given process is taken out of the flow.

These components or things are drawn on the same diagram with the processes, and then the preliminary analysis of potential business impact and criticalities may commence. The diagram depicted provides insight into how this works, using widget production as an example.

This approach is very effective at identifying which processes depend on which “things”, and therefore makes it possible to identify which processes will be most affected when certain “things” fail. Based on business considerations, this allows the strategy for ensuring business continuity of those processes to be designed by enhancing the survivability of the things that are critical to their activities. This process is best performed in a bottom-up fashion, by tracing which things support which processes.

On the other hand, this approach offers an opportunity for a top-down analysis. In this analysis, critical processes are identified, marked, and then the sub-processes and things that support them are identified in turn and earmarked for enhancements.

Other departments may have the same or be one of the cells in the chart. Depending on how complex you care to make the diagram, all interrelations can be displayed. Eliminating any given cell in the diagram makes the implied interruption visible by observation. Although the diagram is shown with business implications, the same type of diagramming is appropriate for computer application and database relationship mapping. Since Business Continuity Management is about disaster avoidance, mitigation and prevention, followed by recovery, focus areas become evident when charted.

Impact Over Time:

It is important to understand not only the instantaneous loss impact but also how the impact of the incident changes with time. If a product is unavailable for one day it is an inconvenience to the consumer; when it is unavailable for a week they will switch to another product and are likely not to switch back. Knowing what the time-related impacts can do to the business may be more important than the momentary financial loss. A well-designed BIA will ask the time questions. The time gap analyzed is up to the business to choose and may extend to 30 or more days. Time impact is usually not linear in effect but will have periods where the impact flattens, then rises sharply.

Time and Impact may be displayed graphically or numerically. Here again the image, when used in a presentation, is more effective than a list of numbers.

[Figure: Start to end impact]

[Figure: Time Weighted Impact]

Priority Impact

Examination of priority impact against the same 6 items as the previous images shows that product visibility to the customer and the ability to manufacture the product are the top concerns. Priority is often confused with importance, when in effect it should relate to order of recovery and where mitigation controls are focused.

When priorities overlap, or where there are indications of a dependency on a process rated at a lower priority, the lesser-rated process will be upgraded to an equal or possibly earlier point in the recovery.
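
The dependency mapping and the priority upgrade rule described above can be checked mechanically once the BIA responses are recorded as data. The following Python example is added here and is not part of the original paper; the process names, "things" and tiers are constructed sample data, tier 1 is assumed to be recovered first, and a dependency is raised only to the same tier as the process that relies on it (an earlier placement remains a business decision).

```python
from collections import defaultdict

# Constructed sample BIA data: item -> (declared tier, items it depends on).
# Tier 1 is recovered first. All names and tiers are hypothetical.
BIA = {
    "order_entry":     (1, ["erp_app", "network"]),
    "widget_assembly": (1, ["parts_inventory", "plant_power"]),
    "shipping":        (2, ["widget_assembly", "erp_app"]),
    "parts_inventory": (3, ["erp_app"]),
    "erp_app":         (2, ["database", "network"]),
    "database":        (3, ["plant_power"]),
    "network":         (2, []),
    "plant_power":     (1, []),
}

def affected_by(failed, bia=BIA):
    """Bottom-up: every item that directly or transitively depends on `failed`."""
    dependents = defaultdict(set)
    for item, (_, deps) in bia.items():
        for dep in deps:
            dependents[dep].add(item)
    seen, stack = set(), [failed]
    while stack:
        for parent in dependents[stack.pop()]:
            if parent not in seen:      # also guards against circular dependencies
                seen.add(parent)
                stack.append(parent)
    return seen

def effective_tiers(bia=BIA):
    """Top-down: raise each dependency to at least the tier of what relies on it."""
    tiers = {item: tier for item, (tier, _) in bia.items()}
    changed = True
    while changed:                      # fixed point; tier numbers only ever decrease
        changed = False
        for item, (_, deps) in bia.items():
            for dep in deps:
                if tiers[dep] > tiers[item]:
                    tiers[dep] = tiers[item]
                    changed = True
    return tiers

def upgrades(bia=BIA):
    """Items whose declared tier was raised, as {item: (declared, effective)}."""
    eff = effective_tiers(bia)
    return {i: (t, eff[i]) for i, (t, _) in bia.items() if eff[i] != t}

if __name__ == "__main__":
    print("database failure affects:", sorted(affected_by("database")))
    print("tier upgrades to negotiate:", upgrades())
```

Each entry returned by `upgrades()` is a finding to verify and negotiate with the owning manager, not an automatic change to the declared tier.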

Summary

Well, now that the pot has been stirred and the ingredients have mixed, there is a lot in the stew. Business impact analysis is a necessary and valuable work item but requires education, commitment, funding and time. The involvement of the entire business, top to bottom and side to side, is what makes the difference and becomes one of the main cornerstones of the Business Continuity Program. How to accomplish the BIA is up to the business: use surveys and interviews, flyers and on-line, software or do-it-yourself, you or a consultant or you with a consultant. Whatever is selected, complete the process.