Skip to content

Identifying Priorities in Business Continuity Planning (BCP) using Business Impact Analysis (BIA)

October 1, 2008
tags: ,

There are four main questions to ask during the BIA:
• What business processes are mission-critical?
• What are the RTOs?
• What are the RPOs?
• What is the cost of interruption and the resulting downtime for different business and IT processes?

RTO and RPO involve cost and benefit analysis. For RTO, the faster you need to be back in
operation, the more expensive the recovery options. For RPO, the more-critical the need for data
currency, the greater the cost of maintaining that currency

Check out to DRII’s — Business Impact Analysis — http://www.drii.org/ — for a review of additional topic information that BC professionals need to consider when conducting a BIA.

Service-Level Needed RPO and RTO Recovery Method
Tier 1 Business Service 15 Minutes to 1 hour Critical Architecture replicated at offsite DC
Tier 2 Business Services 4 hours, less than 24 hours Data stored at warm facility
Tier 3 Business Services 24 hours less than 36 hours Tape Recovery, sourced
Tier 4 Business Services 24 hour less than a week Equipment arrives by drop shipment

• What critical functions are carried out in the department? Classify the process as critical (that is, has a direct effect on revenue, expense control or regulatory requirements) or normal (that is, has no direct effect on revenue, expense control or regulatory requirements).
• If these critical functions were not performed, then what would be the effects of the outage per day (on your customer, legal, regulatory and financial reputations), and how would that change over time and at different times of the year? It can be difficult to get the CFO to disclose possible financial losses if certain functions were not performed. If you have complete executive buy-in, then specific numbers are not necessary, because these numbers are usually needed to sell the BCM concept or justify hiring a consultant. However, you can quantify the negative impact per time box using a range of dollars (for example, $1 million to 5 million), not exact figures. Work with the financial support
people for each department.
• How fast does this critical process need to be back in production operations? RTO helps establish the recovery priority order.
• How much data can you afford to lose between the time of the event and when you need to be back in operation? How much will the lost data and resulting lost business cost you to recreate or redo? RPO will determine your data replication choices.
• What are the personnel resources needed to perform business operations for the agreed-on time frame outlined in the scenario? You don’t need everyone during recovery; having them might mean that recovery is delayed, which impacts the ability to recover. There should be a staffing progression during the recovery of production: immediate, intermediate and optimum.
• What is the minimum number of people by role needed to support the immediate recovery (for example, anywhere from one day to one week, depending on the RTOs and RPOs) of critical processes?
• What is the number of people needed to run production in the intermediate time frame (for example, between one and four weeks)?
• What is the optimum number of people by role needed to support the critical processes fully and the staffing progression between the RTO and the time the business unit needs to get to the optimum staffing level?
• What work-arounds exist for processes during the recovery/resumption of processes?
• What applications and other software support the business process?
• What office equipment (such as faxes and copiers), stand-alone PCs, special
equipment, check printers, forms and documentation are required?
• Which vital records are used in the process?
• What dependencies on vendors and external service providers exist?
• What are the process interdependencies in and external to the business unit and
organization?
• What are the known alternatives for conducting business (you might already know some of these practices because of events that were single-focus business interruptions, from prior internal planning, or from work with customers and third-party service providers)?
• What is the impact of a loss of chain of command, including temporary and permanent
succession?

Use a matrix to manage this information for each interview. Using this format ensures that each
department is asked the same questions and that omissions are easily identified for follow-up
discussions and completion. It is important to rationalize metrics to ensure that different effects
can be compared and prioritized

In the BIA report, you will identity the following information:
• Critical business processes and their associated RTOs, RPOs, software, hardware, vital
records, critical resources/equipment and vendor dependencies.
• Interdependencies of internal and external business processes (this helps to identify incongruities in the RTOs/RPOs and establishes an overall recovery timeline for all business processes).
• Personnel requirements, which help you define recovery teams; space requirements at alternate locations, including virtual space (such as virtual conference rooms); and activities such as cross-training, which ensures that you have adequate personnel recovery coverage in the event of a regional disaster. The workforce can be personally affected, providing personal emergency preparedness training and establishing emergency notification call trees and procedures.
• Known work-arounds (for example, alternative business processes already in use because of localized or in-house business interruptions experienced in the past to help business continue during a disaster, and to soften and balance RTOs between two critical business processes).

BIA Software Tools
• CPACS, LLC — RiskPAC (http://www.cpacsweb.com/)
• eBRP Solutions — eBRP Toolkit (http://www.ebrp.net/)
• EverGreen — Mitigator (http://www.evergreen-data.com/)
• LBL Technology Partners — LBL Contingency Planner, ContingencyPro
(http://www.drplan.com/)
• Strohl Systems — BIA Professional (http://www.strohlsystems.com/)
• SunGard — PreCovery Impacts (http://www.availability.sungard.com/)

Advertisements
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: