Business impact analysis is used to identify and mitigate the impact of potential risks. Some business processes are more critical than others -- for example, a crash in the central computer server could mean disaster, while an isolated roof leak might not be cause for serious concern. The purpose of business impact analysis is to collect data on the potential risks and vulnerabilities, analyze and prioritize the risks and plan recovery solutions.
Planning involves getting senior management support, followed by meetings with other managers to understand the various process vulnerabilities. A project team should be assembled, with representatives from all business units, including the information technology department. Some members will participate on a part-time basis because business units are usually not able to afford losing key personnel for extended periods of time.
Using observations and questionnaires, data is collected on process vulnerabilities, linkages with other processes and the process's relative importance to the organization. For each business process, the data collected includes a list of all inputs and outputs, maximum outage time before impact is felt, dollar value of the potential impact during outages, human and physical resources required for maintenance, history and frequency of past outages, potential legal implications and possible short-term workaround solutions.
Data analysis involves processing the collected data to evaluate the cost implications of process vulnerabilities, such as extended service outages or virus attacks on the company servers. The analysis should identify the criticality level, recovery time objective (RTO) and recovery method for each process within a business unit. Some processes are critical -- for example, the corporate intranet -- with RTOs of an hour or two, while a disruption in others might be tolerated for two days or longer. The recovery method for a high-criticality process might be data backup and replication; for low-criticality functions, longer lead-time solutions, such as relocating operations to a new facility, might be considered.
Prioritization flows from the criticality level and RTO assessments of the analysis phase. A formal meeting with business unit managers should be used to prioritize the processes because multiple units are often affected due to dependencies. The RTOs should be organized into bands or groups, starting with the highest criticality functions -- the ones with the shortest RTOs -- and building up to the longer RTO groups.
The final element is the preparation of a report for senior management approval. A cost-benefit analysis should be included showing the potential losses for each business unit if disaster recovery and other risk mitigation measures are not implemented, along with the costs for those measures. Senior management must sign off on the risk reduction and recovery solutions and approve related contingency budgets. Companies should review their risk management policies on a regular basis because business conditions, technologies and process vulnerabilities change constantly.
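The analysis, prioritization and cost-benefit steps above can be carried out over the collected process data. The following is an added example, not part of the original article, using constructed sample processes; the RTO band limits, the rule that an upstream process inherits the shortest RTO of anything depending on it, and the 24-hour outage scenario are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    unit: str
    rto_hours: float          # recovery time objective from the analysis phase
    loss_per_hour: float      # dollar impact while the process is down
    mitigation_cost: float    # one-off cost of the chosen recovery solution
    depends_on: list = field(default_factory=list)  # upstream processes this one needs

# Constructed sample data for illustration; not taken from the article.
PROCESSES = [
    Process("corporate intranet", "IT", 2, 5000, 20000, ["central server"]),
    Process("central server", "IT", 4, 8000, 60000),
    Process("order entry", "Sales", 8, 3000, 15000, ["corporate intranet"]),
    Process("payroll", "HR", 48, 500, 4000, ["central server"]),
    Process("facilities ticketing", "Ops", 72, 100, 1000),
]

# Assumed RTO bands (upper limit in hours, label), shortest RTO first.
RTO_BANDS = [(4, "critical"), (24, "high"), (72, "medium"), (float("inf"), "low")]

def effective_rto(procs):
    """Tighten each RTO so an upstream process is never allowed a longer RTO
    than a process that depends on it (assumption: dependencies must be
    recovered before their dependants can be)."""
    eff = {p.name: p.rto_hours for p in procs}
    changed = True
    while changed:                       # iterate to a fixed point over the dependency links
        changed = False
        for p in procs:
            for dep in p.depends_on:
                if eff[dep] > eff[p.name]:
                    eff[dep] = eff[p.name]
                    changed = True
    return eff

def band_for(rto):
    return next(label for limit, label in RTO_BANDS if rto <= limit)

def prioritize(procs):
    """Order processes by effective RTO (shortest first), breaking ties by
    hourly loss, and attach the criticality band for the management report."""
    eff = effective_rto(procs)
    rows = [{"process": p.name, "unit": p.unit, "rto": eff[p.name],
             "band": band_for(eff[p.name]), "loss_per_hour": p.loss_per_hour} for p in procs]
    return sorted(rows, key=lambda r: (r["rto"], -r["loss_per_hour"]))

def unit_cost_benefit(procs, outage_hours):
    """Per business unit: potential loss over an outage of the given length if
    nothing is mitigated, beside the cost of the proposed recovery measures."""
    totals = {}
    for p in procs:
        t = totals.setdefault(p.unit, {"loss": 0, "cost": 0})
        t["loss"] += p.loss_per_hour * outage_hours
        t["cost"] += p.mitigation_cost
    return totals
```

Note that the central server starts with a 4-hour RTO but is pulled into the 2-hour critical band because the intranet depends on it, which is the kind of cross-unit dependency the prioritization meeting is meant to surface.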