Business Impact Analysis
Business Impact Analysis
Introduction
A business impact analysis is a critical process that entails prediction of various consequences during or after a disruption of the business operations. It aims at gathering information that the management needs to develop effective recovery strategies (Hiles, 2002). As the economic conditions change across the globe, there have been various changes in the markets and the environment of all businesses that are characterized by factors such as; social, political, technology and the physical environment. The interaction and variance of all these factors may subject the business to high chances of different risks. These risks tend to affect the firms operations adversely.
The common effects that have been reported in previous studies include; loss of incomes, imposed regulatory fines, delayed sales, delay of new business plans, contractual penalties, increased expenses and other shocks from the market. These issues come; as a result, of various risks in the environment that the firm is operating from. The best method to solve all these problems is through the use of the business impact analysis (Hiles, 2002). Therefore, the paper digs to unearth the different techniques that are used for establishing component priorities, component reliance and dependencies as well as making recommendations for the development of the BIA.
Techniques for Establishing Component Priorities
The establishment of the priorities in various components of the analysis of the business impact is the most critical step. A commonly used technique is the foresight BIA tool that is based on Microsoft Excel. It provides the planners with means on how to analyze the importance of any process, recovery priority, recovery time frame objectives, resilience and all other resources that are required in the BIA process (Goh and Cheok, 2002). This tool identifies the component priorities that assist the planners to confirm if their loss prevention programmes are adequate. Risk assessment method is highly depended in giving priorities to various business processes and functions. In this process the planners make use of bottom- up method conducted from various departments of the business firm. This technique is designed to collect and draw relevant information from the different process owners and aims at relating their view of the risk exposure and the impact of the interruption to their process. These two techniques must go together in order to ensure that there is ease of validation and consistency of response.
Methods for Establishing Scenarios and Components
Attack success scenario development (ASSP) is a method that is relied on during establishment of scenarios and components during the BIA. The BIA teams through this technique have to create a series of scenarios that depict the effect of the event of the different risks or threat on each anticipated area. The profiles of these attacks should the typical attack, indicators of the attack, the methodology used and the consequences attached to the threat. To add on this, the method ensures that these scenarios are categorized with their alternate outcomes ranging from the best to the worst. Potential damage assessment proceeds to estimate the cost of the worst and the best outcomes, and enable the BIA team to determine the possible strategies that must be adopted to recover from the two extreme cases. Related Plan Classification method allows the team to establish a related plan from the ones identified from RPC. Financial impact assessment (FIA) method is used to establish if the adequacy for the financial and service resources available for the intervention plan to be adopted (ASC and Kim, 2012).
Time Recovery Frameworks
Recovery time frameworks are crucial in BIA since they determine the success and achievement of the BIA intervention plans within the stipulated time. Maximum tolerable downtime (MTD) is a common technique used in identifying the time frame recovery. Other techniques include work recovery time (WRT) and recovery time objective (RTO) that fall under the MTD technique. MTD gives that maximum time that the entity can tolerate the unavailability of a particular process or function within its operation. On the other hand, the RTO gives the available time that the firm has to recover the disrupted resources and systems. It branches from MTD and it allows the management to get the systems back to their normal functioning. The remaining time is considered to be the work recovery time when the systems are normal. For instance, if the MTD is given as three days, and the BIA team takes a day to get the systems in order, then the WRT is the remaining two days. RTO is critical and determines whether the systems will function or not (Kim, DRBC and GST, 2012).
Component Reliance
Component reliance is a critical process that identifies the dependencies that must be relied on to implementing the intervention plan. The dependencies include specific resources such as skills and expertise, technology among other facilities. These dependencies are either internal or external ranging from IT support to legal services. Most businesses have used the traditional questionnaire technique to business impact to analyze the various dependencies that the firm management needs to formulate an intervention plan to the threats identified. Incidence response (IR) method is the key method that is used to identify the quantity of resources that are required in the BIA plan. The human asset is part of the internal dependencies that the team relies on to implement a successful intervention plan (Goh and Cheok, 2002).
Recommendations
For a successful disaster recovery, every business must be able to conduct an effective business impact analysis. The BIA provides managers with reliable data that guides through potential costs of disasters. In addition, it guides in the selection of the best strategy to adopt such that the firm may recover its operations the soonest possible. A good and effective BIA defines well its scope, the main objectives, and it’s time frame for implementation. The BIA team should be able to assess the various risks that are more prone to their business. There should be reliable techniques that enable the team to prioritize the various risks and components. Both foresight BIA Excel tool and the bottom – up techniques should be incorporated to collect relevant information from all the levels of management on how they weigh these risks. The management should view this exercise as a mini project; therefore, they may make use of well-structured questionnaires. Identification of the impacts that results from different disruptions may be evaluated well from questionnaire point of view. Both quantitative and qualitative aspects of data collection foresee the success of assessing the impacts (Snedaker, 2007).
Definition of clear criteria of scenario development is necessary to the BIA team and the management of the firm. The team that is conducting the disaster recovery has the responsibility to administer ASSP technique to establish how different units of the business depict the impact of the underlying event. Open-ended questionnaires are highly recommended to assess the consequence of various scenarios that come along with a typical disaster. Therefore, data collected through human interaction is known to give the best insights rather than relying on observation-based technique. These aspects will help the management team to plan the time frames and the anticipated resources to use in order to make business operations resume (Snedaker, 2007).
It is highly recommended to the BIA team that, it is essential to formulate the time frame of the plan through making use of the RTO, WRT and the MTD methods discussed in the paper. The recovery time objectives are formulated after identifying the expected interdependencies. The maximum tolerable period is necessary to be communicated to the various stakeholders to avoid internal conflicts in the organization such as strikes. With a clear time fixtures, the BIA team effectively analyze the component reliance to establish the dependencies necessary for the recovery plan. Resources should be availed sufficiently to avoid any inconveniences; as a result, of delays. Incidence response technique should be used in this process to foresee the success of the plan. All these aspects guarantee the BIA team an effective recovery plan.
References
Asia Simulation Conference, & Kim, J. H. (2012). Advanced methods, techniques, and
applications in modeling and simulation: Asia Simulation Conference 2011, Seoul, Korea, November 2011, Proceedings. Tokyo: Springer.
Kim, T., DRBC (Conference), & GST (Conference). (2012). Computer applications for software
engineering, disaster recovery, and business continuity: International Conferences, ASEA and DRBC 2012, held in conjunction with GST 2012, Jeju Island, Korea, November 28-
December 2, 2012. Proceedings. Berlin: Springer.
Goh, M. H., & Cheok, R. (2002). Conducting your business impact analysis. Singapore: Hibis
Consulting Singapre.
Hiles, A. (2002). Enterprise risk assessment and business impact analysis: Best practices.
Brookfield, Conn: Rothstein Associates.
Kim, M. K., Sherrena, B., & Helen, I. (January 01, 2013). Business research in virtual worlds:
possibilities and practicalities. Accounting, Auditing & Accountability Journal, 26, 3, 352-373.
Snedaker, S. (2007). Business continuity & disaster recovery for IT professionals. Burlington,
MA: Syngress.