Putting Together A Business Impact Analysis


Business Impact Analysis

[Image Credit]

In December of 1995, Malden Mills – makers of Polartec – suffered a fire at their Lawrence Massachusetts plant which destroyed the factory. The company had decided that employee retention was so critical to their operations that they kept paying the salaries of 3000 employees for 3 months while the plant was being rebuilt.

When a business interruption happens, companies must balance out the cost of the disaster, the cost of recovery, and the cost of damage control. And sometimes this may require that the company take some extreme measures in order to protect their operations.

If they haven’t taken the time to analyze the risks and plan for these incidents in advance, the company might not be prepared to take the necessary actions to recover from such an emergency.

That’s why – before putting together a disaster recovery and business continuity plan – it’s important that organizations take the time and evaluate every possible disaster scenario, and examine their potential impacts on various critical business processes throughout the organization.

Hello, I’m Roseanne with Storagepipe Solutions.

In this video, we’ll take a quick look at what makes up a Business Impact Analysis. Then, we’ll walk you through a very basic example to give you an idea of how this would apply in the real world.
Business Impact Analysis (BIA)

The primary aim of a Business Impact Analysis is to discover what business processes are vital to your organization, and to gain an understanding of how an interruption within any of these processes will impact the organization.

For IT departments, a Business Impact Analysis will help them think of their systems in terms of the business processes they support. Too often, IT managers will make incorrect assumptions about IT systems and their importance within the organization.

  • • Building security and video surveillance might be considered a critical. But these systems are of very little use after a natural disaster destroys the building. Bringing these systems back online can wait.
    And even if you make a correct assumption about a system being critical, you still need to know why.
  • If email servers go down, will all employees need the capability to send/receive emails, or will this functionality be restricted to certain departments or key people?

There are other systems that might be used very frequently, but that would not severely affect the company if they were to go offline.

In order to truly understand what the impact of a business interruption would be on the company, you need to get insight and cooperation from every functional department.

A simple framework that’s you can use in performing your own Business Impact Analysis includes the following steps:

1. Identify key business processes
2. Determine recovery requirements and resource interdependencies
3. Identify impact on operations
4. Prioritize business processes , and establish recovery requirements

A formal business continuity and disaster recovery plan should not be created until your Business Impact Assessment plan has been completed. Otherwise, you could end up creating a plan which is counter-productive or ineffective.

In order to identify key processes, you need to get all of the departmental decision makers to participate in this discussion. Your goal will be to identify the key activities of each department, and to get an understanding of which most processes are important and where interdependencies might exist.

  • The customer support department might believe that their CRM systems are business critical, but the key business functions of their department consist mainly of helping clients resolve technical issues. If the CRM systems go down, technical issues could still be resolved while notes are taken down on paper. And the call details could then be typed in when the CRM comes back online.

It’s also important to keep track of interdependencies between departments.

  • Although time tracking systems might be considered a function of the HR department, HR might not consider them to be business-critical in an emergency. However, these systems could be very important to operations at LEAN or Six Sigma companies.
  • Although certain areas of Marketing – such as lead generation and advertising – may not be business-critical during a natural disaster, it may be important to have an emergency PR plan in place to protect the company’s reputation during this event.

Your Business Impact Analysis should take every possible business interruption into account, and examine how it affects business processes across all functional departments.

Let’s take a look at a typical Business Impact Analysis for a company.

Company A is a large mail-order clothing retailer.

Online sales represent 90% of their revenues, and the rest are called in by phone. Although they offer an online catalogue of over 20,000 off-the-shelf items, about 5% of sales come from an online tool that lets customers design their own custom-printed shirts.

They also manage an online message board which doesn’t generate revenue, but helps in maintaining customer relationships.

They are based out of a single location, which features:

• an office
• a call center
• a large warehouse

Some of the potential risks that this company might face include:

  • Theft
  • Fire, flood, or earthquakes
  • Power outages
  • Server crashes or datacenter malfunctions
  • Loss of a key employees
  • Web site hacks or DDoS attacks

For this example, we’ll assume that a water pipe had burst in the floor above, completely soaking and destroying their server room and taking their entire web presence offline. What key business functions would be affected by this event?

  • Pending order lists and order tracking
  • Tracking in-stock items
  • Online customer assistance
  • Credit card processing
  • Online message board
  • Web site product search database
  • Static online catalogue
  • Online t-shirt design tool
  • Stock replenishing and ordering
  • IT hardware maintenance

So far, we’ve focused mostly on IT and shipping. But other areas of the business will also be affected.

  • Pay-Per-Click advertising
  • Public Relations and Social Media
  • Compliance with consumer protection laws, vendor agreements and tax laws
  • Server room clean-ups and renovation
  • Allocation of funds for purchasing of new servers
  • Reporting of sales data to financial systems
  • Obtaining an emergency loan for unexpected expenses

Now that we have a basic idea of what processes would be affected by this incident, we need to think about what the business impact would be of such an incident.

  • Online retail customers have a high cost of acquisition. If the average lifetime value of a client is appraised at $20,000, then losing just a few customers due to poor service or inaccurate shipping might be a major problem. Therefore, shipping and order tracking could be considered critical to the operation of the company.
  • Although rebuilding the server room might seem critical to the operation of the business, that might not be the case since the IT systems can be temporarily hosted at another datacenter during the re-build process. In this case, bringing systems back online would take priority over fixing the server room.

Restoring the web site might seem like a business-critical function, but it’s important to think about this system in terms of its associated business processes. The online catalogues and credit card processing are responsible for the majority of revenues, so these systems could be considered business-critical.

Other areas of the web site require a lot of resources and maintenance, but might deliver little value to the organization. These would include the t-shirt design tool, the online message board, and the database-intensive product search system.

You also have to keep cross-functional considerations into account.

  • Selling or promoting out-of-stock items might be against the law. The company could be accused of bait-and-switch or some other consumer protection violation. This is why it’s important to get input from the Legal department.
  • The marketing department might need to take their PPC ads while the site is down for maintenance. They may also need to issue coupons to customers who received their orders late as a result of the interruption.

Now that we have a general idea of how this event would impact the business, we can more effectively prioritize the different business functions for recovery. The easiest way to do this would be with Low, Medium and High priority labels.

Taking the store online and enabling credit card processing capability would be considered as High-priority items. And re-building the physical servers would be considered a Medium priority in the event that the web site can be temporarily hosted from another rented datacenter.

Other areas of the web site such as search, message boards and the t-shirt design tool can be considered Medium or Low priority items since they require maintenance and resources, without contributing significantly to the company’s ability to generate revenues during the crisis.

The reporting of sales data to financial systems can be considered a low priority since there will likely not be a significant business impact if financial reports are delayed by a few weeks. Stakeholders will probably be a bit more patient in times of crisis such as this.

Now that you’ve prioritized the various business functions, you’ll also need to set recovery objectives for each. Two of the most important recovery objectives are Recovery Point Objectives and Recovery Time Objectives.

Recovery Point Objectives – often called RPO – establish how much data you can afford to lose in case of a disaster.
If you perform backups every Friday at 6pm, and you have a server crash on Friday at 4pm, then you’ll lose 7 days worth of data. This kind of backup policy maintains an RPO of 7 days. Recovery Point Objectives can vary based on the kind of data being preserved.

  • Losing a day’s worth of work files might inconvenience employees, but it won’t destroy the company.
  • Losing an hour worth of online transactions could cause serious problems for an online store.

Recovery Time Objectives – also called RTO – dictate how much downtime you can tolerate for a certain business process.

This is where a thorough Business Impact Analysis can really deliver value, since there is often a direct trade-off between cost and recovery time. The faster you want your systems back, the more you can expect to pay. By focusing strictly on the most critical processes, you can reduce the costs associated with business continuity.

In our example, the online store would ideally remain online perpetually. If the primary servers should ever go down, there should be a remotely hosted emergency failover facility on standby at all times. This is a Recovery Time Objective of a few minutes, or even seconds.

As you can see, we’ve only lightly touched on some of the issues that would be affected by this incident. A more thorough analysis would require more time than this presentation allows.

For example, we’ve only covered one business interruption scenario. If the server room flood had leaked down to the warehouse and destroyed merchandise, we would encounter a whole different set of business problems.

It’s important to note that the Business Impact Analysis only deals with how a disaster would affect the business. At this stage, you’re not proposing any potential solutions. The reason is that – after a thorough Business Impact Analysis – you may find that just a few plans of action can solve most of the business interruption scenarios.
Remember, you’re trying to find a balance between:

  • disaster costs
  • recovery costs
  • damage control costs

A Business Impact Analysis is especially useful since it helps you see at IT systems as a series of business processes, and forces you to think about how those processes affect the organization.

In another video, we’ll talk about how you can take the information obtained through the Business Impact Analysis, and use it to craft an effective disaster recovery and business continuity plan.

I hope this presentation has been helpful. If you have any further questions, please leave them in the comments below, and we’ll make sure to answer them for you. And if your company would like assistance in maintaining the availability of IT systems that support critical business processes, make sure to visit for more information.
Thank you for watching.

Leave a Reply