Goals of the Business Impact Analysis

  • Gain senior management support
  • Establish a project team
  • Develop a policy & strategy
  • Determine the critical processes and assets
  • Determine the maximum time that the business can operate without critical resources

Great business continuity management goes beyond writing a business continuity plan or disaster recovery plan. It is a proactive approach whereby an organization provides the critical resources needed to ensure that its critical business objectives continue to be met, irrespective of the type or severity of a disruption to normal operations.

The key benefits of strong business continuity management and a disaster recovery program include:

  • Detailed understanding of what your business absolutely must achieve (the critical objectives).
  • An understanding of what interruptions may be faced in trying to achieve these critical objectives.
  • The ability to predict the probable outcome of controls and other mitigation strategies.
  • Procedures the business can follow to achieve the critical objectives should interruptions take place.
  • Understanding the criteria or triggers for implementing crisis and disaster recovery procedures.
  • All staff are aware of their roles and responsibilities when a major disruption occurs.
  • A clear understanding throughout the organisation of what accountabilities and responsibilities are in place when business continuity and disaster recovery response are in effect.
  • Consensus and commitment to the requirements, implementation and deployment of disaster recovery measures.

Commencement

When you first get started with your business continuity project, the key questions that you need to ask yourself are:

  • What is important to the business of my organization?
  • What does my organization depend on to operate?

Determine the need:

To be successful you must start well! You’ll need to clearly state your scope, objectives and desired outcomes of your project.

Suggested activities:

  • Utilize the critical business objectives identified in business strategies, business plans, and performance management tools
  • Consider geographical locations, functional units, client groups, essential plant/assets that may require continuity coverage.
  • Agree on a budget! Also consider any time constraints and deadlines.
  • Consider whether you’ll develop your continuity plan in-house, use an expensive expert consultant, or use a cost-effective template (see Disaster Recovery and Business Continuity Plan Template).

Business Impact Analysis

A good business impact analysis will allow you to determine the maximum amount of time that can elapse without critical resources.

The questions that you’ll be asking yourself and the key stakeholders will include:

  • What are our critical business resources?
  • What continuity procedures are in place at the moment?
  • What are the ‘likely’ scenarios that would affect our business's ability to operate?

Above you’ll notice that likely is listed in quotes. This is to highlight the importance of keeping it real. Risk level is subjective by nature; however, keeping your continuity planning efforts focused on scenarios that are feasible will strengthen your project.

Impacts from a disruption can be categorised as either quantitative or qualitative.

Quantitative impacts are losses that are identified in quantities, percentages, or factors of standard that can be described in monetary terms. Qualitative impacts are intangible losses that can affect operations but cannot easily be quantified in monetary terms.

Some examples of potential impacts in the event of a disaster are as follows:

QUANTITATIVE IMPACTS

  • Opportunity cost
  • Loss of clients
  • Penalties & fines
  • Increased operating costs
  • Reduced capital value
  • Loss due to physical damage
  • Loss due to injuries
  • Revenue and income
  • Increase in expenses during recovery efforts
  • Market Share

QUALITATIVE IMPACTS

  • Reduced operational efficiency
  • Reputation
  • Staff morale and well being
  • Loss of management control
  • Inter-departmental relationships
  • Legal, contractual or regulatory liabilities
  • Intellectual property, knowledge and data
  • Comment and regulatory attention
  • External relationships
  • Client satisfaction

The table below is an example of the impact to a business's operations over varying outage durations. The table allows for normal times, when operations are at stable levels, and also critical times, when business activities may be increased. This may be due to a number of factors; a good generic example is end of financial month/year processing.

The legend is located below the table. Illustrating the impact in this manner helps stakeholders agree on an appropriate recovery time objective.

Outage Time      Normal Times    Critical Times
1 Hour           0               0
1/2 Day          1               2
1 Day            2               3
2 Days           3               4
3 – 4 days       4               5
5 – 8 days       5               5
9 – 14 days      5               5
15 – 30 days     5               5
0 – 60 days      5               5
Over 60 days     5               5

0 = No Interruption
1 = Minor Interruption – problem easily handled
2 = Moderate Interruption – business activity continues
3 = Major Interruption – business activity continues but with some difficulty
4 = Severe Interruption – continuation of business activity extremely difficult
5 = Complete Interruption – business activity ceases.

In the example above, it is safe to assume that a 2 to 3 day recovery time objective would be appropriate.
