2.7 Business Impact Analysis (BIA) 69
Chapter 2
resources to reduce and correct potential losses. For this reason, some people prefer to address the threat/vulnerability pairs as observations instead of findings in the risk assessment report. A suggested report format is shown in Appendix A.
2.7 Business Impact Analysis (BIA)
A business impact analysis is a process of identifying the critical business functions and the losses and effects if these functions are not available. It involves talking to the key people operating the business functions in order to assess the impact an event would have on business operations. The purpose of the BIA is to correlate specific system components with the critical services that they provide and, based on that information, to characterize the consequences of a disruption to the system components. The BIA process must begin with executive sponsorship of the effort and the support and involvement of senior management, because a good BIA will involve an unprecedented study of the organization. The BIA is a collective undertaking with those whose continuity is sought and those who are major contributors to the various business processes and are intimately involved in the assessment of their value. The results of a BIA will rank, order, and position each business and support function in an order for recovery based on organizational knowledge. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's COOP, BCP, and BRP.
Effective analysis is essential in plan development, strategy selection, and reduction of recovery costs. Impact analysis involves the input of the owner, business function, and program managers to understand precisely what the agency risks losing, should there be a disruption or disaster. While overall responsibility lies with the business functional unit leader, information needed for recovery comes from all levels of management. The IS organization alone cannot provide that information. The effort needs to be a “meeting of the minds” that results in identifying, qualifying, and quantifying the terms “critical” and “intolerable impacts.” Only the owner can identify, quantify, and qualify these impacts. Impact analysis ensures the intolerable impacts are the main consideration in defining the direction, scope, and appropriate recovery strategies for plan development. Simply put, the shorter the time in which the impacts become intolerable, the hotter the strategy (most resources in place, ready to use). Conversely, if the impacts are tolerable for two weeks or more, then a colder strategy (resources identified, but not in place) is indicated.
One of the lesser-known advantages of performing a BIA is that the awareness level of many of the organization's employees rises significantly as BIA interview questions and “what if” scenarios are discussed. This can have the advantage of speeding the progress of the project and helps to gather consensus and support from areas of the organization which otherwise would not have understood the importance of enterprise-wide recovery plan development, testing, and maintenance.
Impact analysis is often confused with risk assessment. Risk assessment is associated with determining the potential losses from a threat versus the cost of the protective measure, weighed against the value of the asset. It is related to determining how much to spend on prevention and protection. Although risk assessments are a very important step in the analysis, not all of the information needed for recovery planning results from this one step.
Interview people from all the functional and support areas who know the business processes and can respond to a structured questionnaire quantitatively. Interviewees should range from those who feel the organization “cannot survive without me” to those who “hold the organization together with their bare hands.” The BIA conveys the needs of the organization and what the impacts would be if critical functions were not recovered in a timely fashion. BIA results are the foundation and cornerstone of the plan and of the strategies selected for use in the event of a disaster.
2.7.1 Identification of Key Business Processes
The BIA should include a list of the key business areas of the organization.
This list should be in order of importance to the business. Areas that should
be considered include:
Accounting and Reporting
Customer Service Handling
E-mail and Ecommerce Processes
Finance and Treasury
Human Resources
Information Technology
Maintenance and Support
Marketing and Public Relations
Production Processes