Disaster recovery risk assessment and business impact analysis (BIA) are crucial steps in the development of a disaster recovery plan. Working with IT managers and members of your building facilities staff as well as risk management staff if you have them, you can identify the events that could potentially impact data centre operations. BIA outputs should present a clear picture of the actual impacts on the business, both in terms of potential problems and probable costs. The new global business impact analysis standard (currently going through the approval process) is ISO 22317, Societal Security -- Business Continuity Management Systems -- Business Impact Analysis. BIAs identify the impact of disruptive events on key issues like business operations, financial performance, reputation, employees and supply chains, and the systems and networks that support them. Once you've identified the most critical business processes from the BIA, identify threats from various sources, such as company records of disruptive events, National Weather Service historical data, U.S. Identify the business functions that may be at risk to further pinpoint the technological and infrastructure reasons for conducting an RA. But, before we look at them in detail, we need to locate disaster recovery risk assessment and business impact assessment in the overall planning process. The speed at which IT assets can be returned to normal or near-normal performance will impact how quickly the organisation can return to business as usual or an acceptable interim state of operations. The results of the BIA should help determine which areas require which levels of protection, the amount to which the business can tolerate disruptions and the minimum IT service levels needed by the business.
The risk analysis helps you identify threats and vulnerabilities that could potentially disrupt the continued operation of the BIA-identified processes and systems. The final column lists the product of likelihood x impact, and this becomes your risk factor. Both a risk analysis (RA) and business impact analysis (BIA) should be performed to determine where to focus resources in the disaster recovery (DR) planning process and how much to invest in building and maintaining those resources.
Next, the risk assessment examines the internal and external threats and vulnerabilities that could negatively impact IT assets.
If business impact analysis is to be taken seriously by an organization, it needs adequate sponsorship and support from senior management. Examples of top-down business impact analysis include allocating points to grade the impact of an activity on business operations, categorizing IT systems and processes as RGS (revenue generating systems) or non-RGS, or ranking them as critical (immediate recovery), vital (next day recovery), important (within three days), and non-essential (can be out for a week or more).
If you’d like to know how Analytica, the modeling software from Lumina, can help you with business impact analysis for IT systems or for business activities in general, then try a thirty day free evaluation of Analytica to see what it can do for you. Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. Business impact analysis and risk assessment are two important steps in a business continuity plan.
A risk assessment identifies potential hazards such as a hurricane, earthquake, fire, supplier failure, utility outage or cyber attack and evaluates areas of vulnerability should the hazard occur. During the risk assessment phase, the BIA findings may be examined against various hazard scenarios, and potential disruptions may be prioritized based on the hazard’s probability and the likelihood of adverse impact to business operations.
A detailed questionnaire or survey is commonly developed to identify critical business processes, resources, relationships and other information that will be essential in assessing the potential impact of a disruptive event. The information gathered may include a description of the principal activities that the business units perform, subjective rankings of the importance of specific processes, names of organizations that depend on the processes for normal operations, estimates of the quantitative impact associated with a specific business function and the non-financial impact of the loss of the function, critical information systems and their users, the staff members needed to recover important systems, and the time and steps required for a business unit to recover to a normal working state. Questions to explore during the discovery phase include interdependencies between systems, business processes and departments, the significance of the risk of points of failure, responsibilities associated with service-level agreements, staff and space that may be required at a recovery site, special supplies or communication equipment needed, and cash management and liquidity necessary for recovery. Human and technology resources needed to support the process including computers, networks, offices, people, etc.
A description of the customer impact of external facing or inward facing processes, and a list of departments that depend on the process outputs. Description of workaround procedures or work shifting options to other departments or remote workers as applicable.
A BIA for information technology might start with the identification of applications supporting essential business functions, interdependencies between existing systems, possible failure points, and costs associated with the system failure.
When information gathering is complete, the review phase begins in consultation with business leaders who can validate the findings.

The goals of the BIA analysis phase are to determine the most crucial business functions and systems, the staff and technology resources needed for operations to run optimally, and the time frame within which the functions need to be recovered for the organization to restore operations as close as possible to a normal working state. Challenges include determining the revenue impact of a business function and quantifying the long-term impact of losses in market share, business image or customers. The business impact analysis report typically includes an executive summary, information on the methodology for data gathering and analysis, detailed findings on the various business units and functional areas, charts and diagrams to illustrate potential losses, and recommendations for recovery.
Senior management reviews the report to devise a business continuity plan and disaster recovery strategy that takes into account maximum permissible downtime for important business functions and acceptable losses in areas such as data, finances and reputation.
A business impact analysis determines and documents the impact of a business disruption event to each critical business process. The entity’s critical business processes and the requirements necessary to undertake each critical business process (as identified using a template such as the template on page 106 of this workbook) are required for the business impact analysis. For mature, large, complex or geographically dispersed entities the business impact analysis should be completed following consideration of the whole-of-entity view. An objective and consistent basis on which to assess the impact of a business disruption event needs to be established. The level of impact can be assessed using a scale, such as the one presented in the table below.
The maximum tolerable period of disruption is set at or above the point where there would be a significant impact on business drivers (Score 4). The maximum tolerable period of disruption may be expressed in terms of hours, days or weeks depending on the process being assessed. The maximum tolerable period of disruption is the maximum period of time that an entity can tolerate the disruption of a critical business process, before the achievement of objectives is adversely affected. The recovery time objective is the target time set for recovery of an activity, product, service, or critical business process after a business disruption event, or recovery of an IT system or application after a business disruption event.
The recovery point objective is the point in time (before the business disruption) to which electronic data must be recovered after a business disruption event. Adapted with permission from the BCM Lifecycle developed by the Business Continuity Institute. Detailed response planning and the other key parts of disaster recovery planning, such as plan maintenance, are, however, outside the scope of this article so let us get back to looking at disaster recovery risk assessment and business impact assessment in detail. A BIA attempts to relate specific risks to their potential impact on things such as business operations, financial performance, reputation, employees and supply chains. Finally, a handy professional practice guide for BIAs and RAs is the Business Continuity Institute's Good Practice Guidelines, 2013 Edition.
Use BIA results to define the maximum period of time for which the business can survive without its people, process, technology and physical locations. Such plans provide a step-by-step process for responding to a disruptive event with steps designed to provide an easy-to-use and repeatable process for recovering damaged IT assets to normal operation as quickly as possible. A company needs to have a detailed perspective of the types of risks it will need to be protected from and the impact that those risks represent to the organization. Analyze the likelihood of an event occurring, the potential severity of the event and the vulnerabilities impacting the situation. For example, in the Lloyd's insurance market in London, all businesses depend on a firm called Xchanging to provide premiums and claims processing.
First is the recovery time objective (RTO), which is the maximum amount of time a system can be down before the business suffers.
Understanding the business consequences of IT failure (or, let’s be positive, IT success) on business is essential in order to plan for uninterrupted business activity. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. Assets put at risk include people, property, supply chain, information technology, business reputation and contract obligations. A spreadsheet may be used to store and organize information such as interview details, business process descriptions, estimated costs, and expected recovery timeframes and equipment inventories. Impacts to consider include delayed sales or income, increased labor expenses, regulatory fines, contractual penalties and customer dissatisfaction.

The report prioritizes the most important business functions, examines the impact of business interruptions, specifies legal and regulatory requirements, details acceptable levels of downtime and losses, and lists the RTOs and RPOs. Senior managers need to review and update the BIA periodically as business operations change. It considers disruptions to the activities and resources that support critical business processes. This moderating process will prioritise the critical business processes at the entity level, and identify commonalities and interdependencies across business units and service areas. In effect, the entity can do without the business process for any time under that point, as it will not prevent the entity from achieving its objectives. Traditional IT employees need to understand the big business picture and what the cloud offers to remain relevant. Results from the BIA will identify, prioritize and document the critical business processes conducted by various business units and the IT resources needed to keep them operational.
The business impact analysis is the starting point for risk identification in a disaster recovery context.
He contributes regularly to SearchDisasterRecovery, and is a member of the Board of the Business Continuity Institute's USA Chapter.
Table 1 depicts the relationship among disruptive events and business factors for a BIA -- actual losses and recovery times will, of course, vary from organization to organization. A business impact analysis is a first step to achieving business operations that can “take a lickin’ and keep on tickin’”. A stochastic model (a software simulation for example) is better suited to model the interactions between systems, probabilities of failure and the consequences on organizational viability or business profitability. The result is a business impact analysis report, which describes the potential risks specific to the organization studied. The possibilities of failures are likely to be assessed in terms of their impacts in areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. Specialized BIA software tools may be part of business continuity software (eBRP Suite and Resilience ONE from Strategic BCP) or separate tools (BIA Professional from SunGard).
The BIA identifies the most important business functions and the IT systems and assets that support them. The business continuity manager or team has a choice of different tools and techniques for modeling business processes and the IT structures that support them. The business impact assessment looks at the parts of the organization that are most crucial. A mitigation strategy may be developed to reduce the probability that a hazard will have a significant impact. Once the BIA has been completed, identify the most critical business processes and the supporting IT assets needed by each. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance. The BIA should assess a disaster’s impact over time and help to establish recovery strategies, priorities, and requirements for resources and time.
