Business Impact Assessment
A Business Impact Assessment helps businesses clearly identify where their systems, processes and people are vulnerable during a system outage or disaster.
Many firms start planning for Disaster Recovery and Business Continuity without clearly understanding the impact to the business when the systems become unavailable. The business impact assessment is the first step towards developing and implementing an enterprise-wide Disaster Recovery Plan. It is a crucial step for several areas of Information Technology (IT) strategy and design. The assessment is also used for the design of future Information Technology systems to assure that systems meet the performance and availability needs of the business.
The benefits of a Business Impact Assessment include:
- Identify critical systems as first step towards an appropriate DR plan
- Help IT fully understand business processes and system priorities
- Help the business understand its vulnerabilities and help staff and management understand risks they may not be aware of (wake-up call or reality check)
- Help IT design future solutions that better meet the performance and availability needs of the business
A Business Impact Assessment (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. Disaster recovery planning is a multi-stage process, and one of the most vital of those stages is the Business Impact Assessment. A business impact assessment is where you determine the likely impact of a disruption to your organization in terms of loss of business, effects on your reputation, loss of staff and loss of data. In some ways it is the heart of the Disaster Recovery Planning process because it is during the business impact analysis you will determine the precise effects of disaster on your organization.
If a BIA is not performed, many firms over or under design their disaster recovery strategy and solution, thus resulting in massive ongoing costs. Too often the disaster recovery plan remains a nebulous hole of sunk money with no clear processes for handling an actual disaster. Without the BIA, the business and IT will not be in alignment in terms of priorities, recovery goals and continuity needs. The Information Technology team must first understand what the business needs are.
Businesses are relying more and more on IT. Furthermore, businesses need more from IT systems as an increasing number of its business processes rely on these systems. Specifically, its systems need to be adaptable, flexible, agile, manageable, and efficient to meet business needs.
Because Information Technology is integral to managing and running the business, business impact analysis to understand how system downtime affects the business is vital. The goal of business impact analysis is to understand which systems are critical to different business and functional units as well as the tangible and intangible (i.e. opportunity cost and goodwill) associated with system downtime. This in turn allows senior business leaders to make informed investment decisions when developing the necessary disaster recovery plans.
Output of the project
The Business Impact Assessment document details the critical systems used by each of the business units and functional groups within the firm. Qualitative and quantitative evidence is consolidated to estimate the maximum allowable downtime for each system and the corresponding costs associated with system downtime. Specifically, the document provides:
- Prioritized list of critical systems and applications for entire company
- List of critical applications specific to each business unit and function
- Costs per day of each critical system being down
- Maximum allowable downtime for each system
- Costs associated with systems being down for maximum downtime
- Identification of impact on customer service, community and customer good will, regulatory impact (e.g. fines), and legal impact (e.g. force majeure contract terms for not meeting contractual obligations)
As described above, this information is important to the Information Technology strategy of the business as it forms the basis of an overall disaster recovery plan.