Business Impact Analysis

Several times I have mentioned about Business Impact Analysis (BIA) but I have never written a whole post about that. We are going to see a closer look about some of the elements of BIA and how it is related to the overall process of Incident Management and Incident Response.

The overall purpose of BIA is to generate documents that help executive management has a good idea of what impact a particular incident that we can have on the business of our organization.

We have three main goals. The first goal is to prioritize how critical certain process and systems in an area of our business are. Therefore, each business unit process must be identified and prioritized as far as mission criticality. It's also need to be valued as far as what type of incident can occur and the impact in our organization. As a result, the higher the impact the higher the priority of that particular system. The second goal is to estimate the downtime. Therefore, we have to estimate the Maximum Tolerable Downtime (MTD) for each system. How much downtime can the system tolerate to still be viable? This can be the longer period of unavailability of critical processes, services and information assets before our company can no longer operate. And finally, the third goal is what are our resource needs. What are the requirements for these critical processes? We also have to identify those during the Business Impact Analysis. Obviously, the most time sensitive and higher impact to our processes and systems, they are going to need the most resource allocation.

Our Business Impact Assessment can involve four key steps: First of all, gathering information for identifying which business unit is the most critical to our organization and it can drill down the tasks for those critical business that we need to do to ensure business survival. Second, performing a vulnerability assessment. Third, analysing the data we have compiled from our information gathering and vulnerability assessment process. During this third step we can identify inter-dependence between different departments, we can also identify potential documentation threats and about these threats we can provide alternatives methods to respond. And finally, documenting.

The four steps commented before are going to lead to the overall BIA report which give us three things. First, it should establish the escalation of loss over time. In other words, the more hours our critical systems are down, how is that going to impact to our organization as far as time, money and the overall impact in the industry? Second, it should identify the minimum resources that we need to recover. Thirdly, it helps us to prioritize the recovery of processes and supporting systems.

The way the BIA is going to be implemented in the organization really depends because each organization is different but there are some things and elements that they are common in all organizations in the way the implementer can duck a BIA. There are five common elements that we can see next:
  • Describe the mission of business unit.
  • Identify critical functions.
  • Identify time cycles to deliver functions.
  • Estimate impact on business operations.
  • Estimate recovery time.
Best regards my friend and remember, if you have any question, go ahead!!