Any IT service provider working with your business must understand the importance of a Business Impact Analysis. Your organisation should consider processes and functions as critical if the failure to execute them is likely to result in an unacceptable negative impact on your business. Typically, the kind of negative impact would relate to one of four key categories of business:
1. Legal – including regulatory compliance
2. Financial
3. Reputational
4. Environmental
Risk assessment is a process that takes place regularly within any IT deployment, especially when creating or implementing a GRC (Governance, Risk and Compliance) framework. A Business Impact Analysis (BIA) often precedes a risk assessment and is essential for your organisation to understand how a disaster will affect your business and what the resulting consequences would be.
Business Impact Analysis and Disaster Recovery
A BIA is core to any disaster recovery plan because it helps your organisation prioritise the functions that you should bring back online. BIA and efficient business continuity depend on the accurate assessment of recovery time objectives.
You should understand which of your IT systems can be offline and how long an acceptable recovery time is for those systems. Additionally, you must know what the impact would be of those systems being unusable for a range of periods (see the Cost of IT downtime). For mission-critical systems, your IT service provider should employ an instant failover with auto-detection disaster recovery.
For less demanding business processes, it may be more cost-effective to have a manual system of recovery. A BIA justifies your organisation’s spend on recovery measures and often saves money because you can safely say which systems need less expensive options. Low-cost recovery for non-critical systems could be anything from an occasional server reboot to a backup restore, rather than the multiple server systems used for instant failover setups.
What Should a BIA Include?
As with any disaster recovery and risk assessment, there are the usual business losses that stem from inhibited cash flow while systems are down, but there are many more considerations including:
1. Staff wages during unproductive times and increases in wages when clearing any resulting backlogs
2. The cost of replacing or repairing IT equipment and any charges that are additional because of uncosted support. Ideally, you should have an agreement that is inclusive of support with any IT service provider
3. Profit losses that are not recoupable when systems return online. This could be from a loss of transactional capability, order processing or any other kind of lost trade
4. Losses of data that result from a poorly planned backup system – your live systems with critical data should have an instant backup available at all times.
What the Analysis Results Should Tell You
Understanding recovery timeframes and costs is obviously a key reason for conducting a BIA, but the analysis should also include details about how the analyst gathered the information. This can sometimes be an automated process, a manual action or a mixture of both. An executive summary allows you to draw accurate conclusions about where to focus resources and how to plan against losses.
Speak with your IT service provider to understand what your BIA should include and how often you should conduct a fresh analysis. Businesses and IT systems change, so the precautions you put in place are not a ‘set and forget’ exercise.