The Business Impact Analysis (BIA): Building the Business Case for BC/DR

I admit it, I’m a BIA bigot. I’ve been doing them since 1980 and I’ve never found a more effective tool in building the business case that convinces senior management that BC/DR is important, worth the investment, and essential to corporate survival. A properly conducted BIA will provide the following business case data:

  • A more thorough understanding of the business and all of its components. Think of it as stepladder in the cubicle farm. Most organizations are fairly complex and consist of silos of business and technical activity. The BIA should include interviews with each component and will provide an overview of essential activities that will need to continue in the face of an unexpected outage. It will also gather in one place, sometimes for the first time ever, the identification of the complete technical resources required to support ongoing business processes, the interrelationships between business functions, and an understanding of the progressive degradation of critical functionality over time.

 

  • The impacts of outages on critical business functions. The BIA should be used to measure how well a business area can continue operating with the loss of some or all of its critical resources. The impacts should be estimated using parameters on operations, revenue, costs, obligations, customer impact, and corporate reputation. The effects should be measured over time so the impacts can be graphed and presented to management.

 

  • The identification of critical business processes. Every department has a mix of critical and non-essential or deferrable functions. The BIA interviews should be used to separate out those activities which support the most critical activities from those that a delay would have little or no impact. Once the most critical activities have bubbled to the surface, a recovery strategy to address those in a timely fashion can be developed. These critical activities are usually the ones which have the highest level of impact, whether it be financial, operations, or negative customer effects.

 

  • Recovery time objectives (RTO). A general rule of thumb is the more immediate the recovery, the more it costs and the more complicated recovery becomes. The BIA should identify the timeframes in which the outage increases the impact on critical functions to an unacceptable level. In the BIA methodology I have developed over the years I use an impact scale that rises from a score of zero (no impact at all) to a five (OMG, hair on fire, this is really, really bad). A good interviewer tries to talk the business representative off the ledge (Is it really a 5 at a half day of outage, or maybe only a 3?), but there will be activities that rise to the highest level of impact in a very short time. This information allows me to draw a pie chart that shows which functions require, in effect, immediate failover recovery and those that need to be recovered in the 24, 48, 72, and 96 plus hours timeframe. The chart becomes a great tool to use in the development of recovery strategies to meet the timeframe requirements, perhaps using different options for each slice.

 

  • Identification of gaps in the current state recovery capabilities. By now we know how fast the various critical functions need to recovered to reduce the effect of an outage. It’s time now to examine the infrastructure’s ability to meet those demands. For example, let’s say you discover a critical function must be recovered at an offsite location in 4 hours or less, but there is no server available there to support such a quick recovery. Or you uncover the fact that the database needed to support the application will take 96 hours to recover from tape, blowing your RTO out of the water if the most current data is not already there. Or you discover that failing over critical calls to another call center would extend wait times to an unacceptable level, thereby violating contract agreements. The good news is the BIA has identified gaps in the recovery capability that can be addressed. The Gap Analysis section of the BIA should include the costs and implementation efforts for the remedy and will provide the business case for doing so in a timely fashion.

 

  • Input for the development of future state recovery. This is the part where a good BIA marries the critical business activities and outage information, the RTO’s, and the Gap Analysis to create a high level roadmap of where the organization should be heading if they want to increase their recovery capabilities to an acceptable level. The data from the BIA can be used to influence both infrastructure and business planning. For example, the shortfalls in the Gap Analysis might be addressed by an upgrade in the offsite capabilities, a change in the timing and content of backups of critical data, or a move to virtual servers. It’s possible an organization could now justify splitting the data center between two locations with the capability of mutual recovery for critical resources. Or they could decide to use the pie chart to plan to provide for immediate failover needs in a co-location space while using a cloud arrangement for the more deferrable recovery requirements, thereby saving cost without increasing risks. Likewise, the BIA data can influence business planning to support decisions to outsource certain functions, split physical locations to reduce risk, or to simplify certain business processes.

With all the data collected, analyzed, and digested, a business case can be developed that outlines the threat, presents the business impacts over time, details the timeframes for recovery of critical functionality, identifies the gaps in recovery capabilities, and provides the makings of a high level roadmap that includes the effort and expense of increasing recovery capabilities to an acceptable risk posture. If you’ve done an effective BIA, the way forward should be much clearer and you’ve been able to build a persuasive business case that gives senior management the data it needs to make a good technical, business, and financial decisions.

Please feel free to leave comments on this blog or contact me at the number and email address above. Enjoy doing a BIA!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>