Why Bother With A Business Impact Analysis?

Before jumping on the bandwagon because someone just heard about business impact analysis, you need to understand what it means, how to develop the analysis process, how to gather the data and confirm the responses, what it can do for the business, and how it relates to business continuity. If anyone believes a BIA is "fast and furious," it is time to wake up. Having been in the "disaster recovery," now business continuity, business for 30 plus years, I have learned that oversimplification of business continuity is common and that rushing into things ends up costing more than the value possibly gained.

The business impact analysis (BIA) is one of the best investments a business can make if it is developing, or already has, a business continuity or disaster recovery plan. After all, how can you protect and recover something if you don't know what you have, where it sits in the business process, and how much it is worth?

There are a number of ways that businesses approach business impact analysis. One of the most common is to ignore it and build contingency and recovery plans without the advantage of accurate information; others spend considerable effort but achieve only marginal results. The intent here is to give guidance and insight into the focus areas of a BIA so as to reach a comprehensive understanding of the business function(s) within the scope of the business continuity management program. As with the other analyses conducted in a business continuity project, having a professional and skilled business continuity analyst or consultant managing the project is critical to the final results. Business impact analysis, like all stages and steps in business continuity management, must be a repeatable process, conducted again as the business changes or as technology changes the ability to survive a serious interruption or disaster.

What is Business Impact Analysis?
Definition: Business impact analysis is the process of examining the components of the business to learn the value of each and the relationships necessary to keep the business operating and productive.

Business impact analysis results in the differentiation between critical (urgent) and non-critical (non-urgent) organizational functions and activities. A function may be considered critical if the implications of damage to the organization are regarded as unacceptable. This damage may be financial or reputational. Perceptions of the acceptability of a disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if it is dictated by law or is a vital link in the operational flow of the business.

For each critical (in scope) function, two values are then assigned:

- Recovery Point Objective (RPO): the acceptable latency of the data that will be recovered, that is, how old the restored data may be.
- Recovery Time Objective (RTO): the acceptable amount of time to restore the function.

Copyright 2012 William A. Million All rights reserved

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPD), also called the Maximum Acceptable Down-Time (MADT), for each activity is not exceeded; in other words, the RTO for an activity must be no longer than its MTPD. Next, the impact analysis results in the recovery requirements for each critical function.
Recovery requirements consist of the following information:

- The business requirements for recovery of the critical function
- The technical requirements for recovery of the critical function
- The ability of the business function(s) to operate for a period without information systems availability or supply chain availability

Understanding Business Impact Analysis

Business impact analysis plays a fundamental part in developing an organization's business continuity and disaster recovery plans, and is essential to the establishment of the Business Continuity Management program. Executive management who understand the requirements of their business are able to balance risk against the cost of prevention, mitigation, and contingency solutions. Through the exploration of the components and relationships within the business it becomes possible to identify the potential financial risk specific to those areas of the business and to the business in general.

The usual impediment to conducting and completing a corporate business impact analysis is top executives who oppose the research as unnecessary or too costly for the organization's makeup. Corporate spending in this area is often held back, or too much is spent in the wrong places, because of perceived uncertainty about the severity of the impact posed by security threats and because of budget factors. Skepticism about potential consequences usually fades once the green light is given to complete a BIA and the preliminary results are shown.
When coupled with the business continuity management program, an effective BIA should be able to identify the costs linked to failures, including loss of cash flow, replacement of equipment, salaries paid during an interruption and those paid to catch up with backlogged work, loss of profits, damage to business image, and other qualitative and quantitative concerns. A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failure are assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence.

BIA Objectives

The first need before starting this process is to assure that senior management is fully committed to the project. If they understand that there is a return on investment, they should have no trouble announcing their support for the business continuity management program through the creation and implementation of corporate-level policy and letters to managers and employees.

An assumption backing the BIA is that every part of a business depends on some other part of the business or on an entity outside the business. Those dependencies may have such strong ties that a small break in the chain will cause a cascade effect, stopping a critical process or closing the business for some period of time.
Being aware of interdependencies and of the potential regulatory, marketing, safety, product or service quality, and specific financial implications helps to make the disaster recovery plan and program stronger. Interruption or loss to the business may be expressed monetarily for purposes of comparison and to focus action.

A BIA should accomplish at least four points:

1. Determine the financial value of each organization (business unit) as it relates to the total business.
2. Determine the relationship of each organization to the total business.
3. Provide a basis for identifying the critical resources required by the business.
4. Establish the recovery order of the critical business functions as related to the total business.

Each of these points is addressed at each step when building the BIA project. Therefore, measuring the business must include vulnerabilities, financial impact, operational impact, and technology requirements in order to map the business properly. This final mapping will set the Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), Minimum Acceptable Recovery Configurations (MARC), and Maximum Acceptable Down-Time (MADT). The BIA may run concurrently with the hazard and threat analysis, although the most important concept will be the integration of the findings when setting strategy.

The amount of time and resources necessary to complete the BIA will depend on the size and complexity of the institution. All business functions and departments should be included in this process, not just information technology.

The BIA phase in business continuity planning is conducted to identify the potential impact of uncontrolled, non-specific events on the business process. It should also determine what and how much is at risk by identifying critical business functions and placing them in the dependent working order of the business process.
The responses should estimate the maximum allowable downtime for critical business processes, recovery point objectives, backlogged transactions, and all costs associated with downtime. Management must also establish recovery priorities for business processes that identify essential personnel, technologies, facilities, communication systems, vital records, and data. The BIA considers the impact of legal and regulatory requirements such as the privacy and availability of customer data and the required notifications to regulators and customers when a process is interrupted or relocated.

Staff assigned to develop, conduct, analyze, and report the findings should apply uniform interview questions that can be used on an enterprise-wide basis. Uniformity will improve the consistency of responses and help the project compare and evaluate business process requirements. The BIA project may initially prioritize business processes based on their reported place in the business flow relative to the business's strategic goals and its support of safe and sound practices. Prioritization should be revisited as the processes are compared against various interruption and disaster scenarios, so that a workable business continuity plan (or plans) can be developed.

During the interview and questionnaire process, avoid the terms "priority," "critical," and "non-critical." Few business units or staff would consider themselves last in priority or non-critical. Instead ask where they are in the business flow, whom they support, and who supports them, and use those answers to identify the order in which recovery will take place.

Is there a BIA Methodology?

There are many options available to executives when setting the strategy and process for a BIA, since each organization must make a number of decisions and choices that depend on its particular situation. A large to very large business usually finds it difficult and costly to perform a full depth and breadth detailed BIA.
In lieu of the detailed process, they may elect to examine larger components of the business and consider broader controls and solutions. A smaller business may have the option to conduct a full-scale evaluation and be able to implement more specific controls and solutions. Because of this variation in need, one is likely to use questionnaire and remote survey techniques, while for the other, more personal interviews and surveys will apply. Both questions and responses may be quantitative or qualitative. There will be circumstances where no dollar gain or loss can be stated and the impact is intangible. These qualitative situations should carry a clear description of the actual or potential impact, to assist the analyst in setting strategies and to permit inclusion in the summary results.

When starting the BIA process, as noted earlier, there are considerations and commitments that must be in place. For example:

Action: Ensure executive management commitment.
Description: A corporate policy has been enacted. A sponsorship notice has been sent out. The project will be funded.

Action: Work through an enterprise BCDR steering committee.
Description: Used to support the BCM program and the BIA study.

Action: Identify what the deliverables and their contents should look like.
Description: The format should be based on company expectations and standards.

Action: Develop the initial scope.
Description: The scope should define the type of BIA to be performed and the depth of research needed to gain the maximum amount of detail.

Action: Identify the subject matter experts.
Description: These staff may be internal or external; they will review the first summaries and help guide the development of the survey questions. You cannot survey everyone.

Action: Develop the data collection plan.
Description: The company selects tools and devises procedures and inclusions for the data gathering.

Action: Conduct the interviews, surveys, and workshops.
Description: Holding education sessions, workshops, and interviews, and distributing and collecting the data.

Action: Conduct analysis and develop conclusions.
Description: Consolidating findings and key results; preparing initial conclusions.

Action: Validate findings with subject matter experts.
Description: This confirms the initial conclusions, that all key areas have been included, and that vulnerabilities and financial, operational, and technical impacts have been assessed.

Action: Present validated findings to executive management and obtain approval to continue.
Description: This presentation is to gain executive backing to continue and to have the program budget fully approved.

Action: Transition to strategy development.
Description: A course of action for responding to a disaster and the starting point for a recovery plan.

When the BIA project component is forced to stay at a minimal level, the project coordinator may choose to focus the questions on the senior executive level and the finance organization to determine the key impact areas of the business. These groups are usually adept at knowing where an impact is likely to cause the most financial or image harm to the company. The BIA effort may then be re-presented with a narrower scope yet still have some value in providing guidelines for mitigation and recovery strategies.

A business that fails to consider the true value of business impact analysis exposes itself to continued lost dollars without knowing where controls will be most effective.

What Are BIA Questions?

When deciding on a process to use, the following questions, in some form, should be considered (listed in no particular order):

- Provide a description of the department or function.
- Describe the customers served. The customer may be another department or internal business function of the same company, or external to the company.
- What are the key skills required to perform the identified critical functions?
- What is the estimated or actual revenue of the function?
- Are there penalties for interruption or loss of data?
- Is the process subject to compliance with laws or regulations?
- Is the process subject to specific service level agreements or contracts?
- What are the critical business cycles?
- What are the external dependencies of the business process?
- Have operational procedures been documented, and are they used daily?
- What are the key software applications?
- What specialized equipment is required, and how is it used?

The questions and data being sought are endless, and for best results they need to be focused on your business. There are as many questions to be considered as there are different businesses. An examination of the business under review will be the deciding factor when developing the business impact analysis. At least always consider these categories of concern: Visibility, Liability, Revenue, Image, Process, and Production.

- Visibility: How soon will the public and stakeholders notice that there is a problem?
- Liability: Are there laws or regulations that must be met?
- Revenue: What is the revenue loss, from the immediate term out to some later time period?
- Image: Will the company's long-term image be tarnished?
- Process: What effect will an interruption have on the total product or service the company offers?
- Production: How will production be maintained during an interruption?

Tools

Software is readily available for business impact analysis, but remember, you must be able to easily customize it for your business, and it must be simple enough to use without having to train every survey taker. The potential complexity is a reason to understand the need for skilled people in this total endeavor. There is no monetary saving in a poorly designed and executed business impact analysis project. The results are equal to the effort expended.

How-To Approach BIA

To this point the general concepts and the high-level value of business impact analysis have been pointed out.
Getting started does require commitment, management backing, and the cooperation of all who will be participants. There is little room for false starts, and poorly returned information may lead to a catastrophic end in the midst of a possible future bad situation. In this area management and the planning professional should be working closely together and be mutually supportive. The stakes are high and the results are worth the effort.

It is best during the investigative period to avoid use of the term PRIORITY, as all will want to be seen as important in the realm of the business, and priority implies importance. A safer way to approach the need for either additional protection or speedier recovery is to ask where a department or process fits in the WORK OR BUSINESS FLOW.

As noted, the effect of a disaster on the business can easily amount to more than the short-term loss of business and damage to property. There are a number of areas which may be impacted by an adverse event:

- Financial results
- Goodwill and reputation (via customer service, image, legal status, etc.)
- Compliance
- Health, life, and safety
- Social impact at large (relations with the community, environmental impacts, national security, etc.)

Examination of the company's soul should point out its strengths, unique components, core business, and revenue cycles, as well as offering a resource for strategies of prevention, mitigation, recovery, and restoration.

Multiple BIA Support and Process Mechanisms

Tool sets are readily available for business impact analysis: software, Word files, Excel files, databases, books, on-line services, contractors, group sessions, interview guides, or create your own. Pick up any copy of a business continuity or disaster recovery trade magazine and it will be filled with promises and advertisements. Remember, as noted under Tools above, whatever is chosen must be easy to customize for your business and simple enough that every survey taker can use it without training; skilled people, not the tool, determine the quality of the result.

Since there is no one form or methodology to fit every company, the following diagrams are solely representative of the variety of approaches and BIA layouts.

Home Grown

(Diagram of a home-grown BIA layout; not reproduced here.)

The Porter Value Chain

To perform a BIA, one may want to look at the entirety of Michael Porter's Value Chain. Building a picture of the business using the Value Chain is worth the effort. The diagram divides the business into support activities and primary activities, with margin as the outcome, and lists example functions in each cell:

Support activities
- Firm Infrastructure: corporate office management, finance, accounting, real estate services, legal, etc.
- Human Resource Management: insurance (medical, life, etc.), benefits administration, mobile workforce management, education and training, time and attendance, payroll and personnel, recruiting, hiring, retention, etc.
- Technology Development: project management, engineering, programming, etc.
- Procurement: e-procurement, warehousing, supplier relationship management (SRM), etc.

Primary activities
- Inbound Logistics: e-procurement, etc.
- Operations: ERP/MRP, accounting, operations management, time tracking, reporting, workflows, professional services, project management, messaging, productivity and collaborative tools, etc.
- Outbound Logistics: e-commerce fulfillment, distribution, warehousing, etc.
- Marketing & Sales: sales automation, sales force automation, advertising, business intelligence, retail services, etc.
- Service: service management, help desk, call center, customer requirements management (CRM), etc.

Every company's business process (or processes) can be viewed using the Value Chain.
We simply need to look at what applies to the particular business process, specific to the industry and function of the business. The best way to do so is to start with an analysis of the product. The nature of the product will determine which of the Value Chain's cells (containers) are included in its production. Once diagrammed, the production path can be imagined being stopped at any point and the effect on the downstream groups can be shown. There are processes within those critical cells which can be easily drawn out as the result of a few interviews with the business's personnel. Once the high-level processes are identified, the sub-processes can be drawn as well, and so on to a level of detail where it becomes obvious which components of the business infrastructure support these processes. There are a number of component areas enabling business processes:

- Technology
- Facilities
- People
- Knowledge (know-how)
- Data
- Money
- Clients
- Stakeholders

The Porter model may help in developing the questions to be asked and the areas of the business to be included. A BIA provides the best results when it is executed as a structured interview using a common set of questions tailored to the part of the business in focus. The goal is quantitative results indicating the financial and supply chain impacts and qualitative results indicating the physical requirements and potential image impacts.

The Value Chain presents the business picture as primary and support activities. The process to define the questions may best be viewed as a reverse engineering method. Since the diagram indicates the key activities of every business function, and those functions can be cross-related to any other function, the result of the BIA needs to indicate the critical ties. After a description of the process or function, the questions turn to critical paths and dependencies on other functions.
Critical indications may be cyclic, financial, regulatory, supplier, or image driven. As seen in the diagram, all are included. Following this road, the questions begin to define themselves. For example, asking who your customers are and where they are located provides the geographic market, even if the customer is within the same company, and that market may lie in areas under threat of natural disaster. Such a seasonal threat may have a long-lasting effect on company revenue. Knowing this, the final report may include a recommendation to expand the marketing area or to accumulate a hedge against the downturn in business. A requirement to be served may be based on a regulatory reporting requirement, such as taxes; this would necessitate questions about the cycles of the business. These cycles may overlap or remain segregated, but when the pattern is examined the protection and recovery strategy may evolve into a flat solution which is less expensive to initiate and can incorporate a greater portion of the business.

Recovery Time Objective, Recovery Point Objective, and Maximum Acceptable Down-Time, all identified in the investigative process, must be treated as quantitative and valuable data. Mitigation schemes, backup processes, recovery methodology and technology implementation, and the point at which action is declared will be derived from the reports. The referenced processes are likely to drive some lesser-reported needs into a higher demand category: when a critical process relies on a process declared less critical, the second process must be upgraded to match, or move ahead of, the process reporting the dependence. Following this concept, the series of needed responses drives the formation of the inquiry. The responses, when diagrammed, facilitate the identification of departments, processes, or even vendors that are especially key to the continuation of the business.
With the questions identified and the needed responses defined, the next step in the project is to get the actual interviews and reporting sessions underway. The kick-off meeting and the rally of management support may appear unnecessary, yet it is the open demonstration of management commitment that will assure participation, and the reported detail will likely be more accurate as a result.

Comprehending the Results

Once the surveys and interviews have been completed and collected, the BIA is not yet complete. Unless a final evaluation is conducted, the ties and relationships within the business remain unconfirmed. The quantitative values are still to be set and the qualitative impacts need to be documented in the reports. The to-do list starts with:

- Review manager feedback and, where appropriate, revise the reported findings accordingly or add to the outstanding issues.
- Prepare a draft BIA report listing the initial impact findings and issues.
- Issue the draft report to participating managers and request feedback.
- Update the report.
- Create the business process and dependency map described in the next few sub-chapters.
- Schedule a workshop or meeting with participating manager(s) to discuss initial findings, when necessary.
- Again update the BIA report to reflect changes arising from these meetings.
- Prepare the final Business Impact Analysis report according to organization or house standards.
- Formally present the Business Impact Analysis findings to peers and executive bodies.

These few steps are representative of the iterations before presentation to senior management. Since the BIA results are critical to the continued success of the business and feed the next major project step, Risk Analysis, confirmation and support of the findings are crucial to the success of the Business Continuity Management Program.

Here are some survey findings from a moderate-size business (charts not reproduced here):

- Application Use: the business unit list cross-referenced to the applications each uses.
- Business-defined application criticality, where 5 is very critical.
- Business function recovery time requirements, indicating that a majority of the departments have a recovery need of 12 hours or less.
- Business function recovery point objective requirements, indicating that a majority of the departments have a data loss tolerance of 12 hours or less.

Charted responses are easily created using Excel or PowerPoint and are very effective when presenting summary results. Summaries need to be created with descriptions and the supporting proofs. When a process is initially claimed to be critical to the business, verification is needed, along with further investigation to determine the mitigations and funding needed for protection.

Define Criticality of Business Functions and Records, and Prioritize

The BIA responses now contain the needs of the business and the process flow. During the start-up of the BIA, the levels of criticality and the recovery time objective levels or tiers should have been agreed to, and now processes and things will drop into those fields. Since business and the public have become dependent and expectant, it is very likely that some processes will be reported with multiple levels of criticality. The appropriate response is first to verify, then to negotiate with management a single level or multiple levels of criticality. When reaching the strategy phase of BCM, the available solutions, or what the business is willing to sponsor, may set the final criticality level or tier. "Tier" is a common term used simply to describe where in the recovery order something falls.

Diagram Representations of BIA Results

Examine the next diagram, displaying the mapping of an imaginary related group of BIA surveys.
Widget production and the process flow with its dependencies are shown in the diagram. Creating a diagram of work flow and dependencies tied to the declared critical times gives a visual of the interdependencies and of what is likely to happen if any given process is taken out of the flow.

These components or "things" are drawn on the same diagram as the processes, and then the preliminary analysis of potential business impact and criticalities may commence. The diagram provides insight into how this works using the example of widget production. This approach is very effective at identifying which processes depend on which things, and therefore it is possible to identify which processes will be most affected when certain things fail. This allows, based on business considerations, a strategy for ensuring the business continuity of those processes by enhancing the survivability of the things which are critical to their activities. This process is performed best in a bottom-up fashion, by tracing which things support which processes. The same diagram also offers an opportunity for top-down analysis: critical processes are identified and marked, and then the sub-processes and things that support them are identified in turn and earmarked for enhancement.

Other departments may share the same cells, or be one of the cells, in the chart. Depending on how complex you care to make the diagram, all interrelations can be displayed. Removing any given cell from the diagram lets one see the implied interruption. Although the diagram is shown with business implications, the same type of diagramming is appropriate for mapping computer application and database relationships. Since Business Continuity Management is about disaster avoidance, mitigation, and prevention, followed by recovery, the focus areas become evident when charted.
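The dependency map described above can be worked through mechanically once the survey results are in a machine-readable form. The following Python is an added example written for this edition of the text, not part of the original article or its survey data. It builds a small widget-maker map with constructed process names, RTOs, MTPDs and "things" (all values invented for illustration) and then does three things the text asks for: it applies the rule from the RTO/RPO definitions that an RTO must not exceed the MTPD; it applies the rule stated earlier that a process relied on by a more critical process inherits the tighter recovery requirement; and it answers the bottom-up question (which processes stop if a given thing fails) and the top-down question (which things a given process ultimately relies on).

```python
"""BIA dependency map: propagate recovery requirements along the
process -> "thing" graph and answer bottom-up / top-down questions.

Constructed example for an imaginary widget maker. Every name and
hour value below is invented for illustration; none of it is survey
data from the article.
"""
import math

# Process -> (declared RTO in hours, MTPD/MADT in hours) from the surveys.
PROCESSES = {
    "Order Entry": (4, 8),
    "Widget Assembly": (12, 24),
    "Shipping": (24, 48),
    "Invoicing": (48, 36),   # declared RTO deliberately longer than its MTPD
    "Payroll": (72, 120),
}
DECLARED_RTO = {p: rto for p, (rto, _) in PROCESSES.items()}

# Supporting "things" and the recovery time (hours) today's arrangements deliver.
THING_CAPABILITY = {"ERP": 24, "Warehouse": 48, "Data Center": 2, "Email": 72}

# node -> set of nodes it depends on; processes may depend on processes or things.
DEPENDS_ON = {
    "Order Entry": {"ERP", "Email"},
    "Widget Assembly": {"Order Entry", "Warehouse"},
    "Shipping": {"Widget Assembly", "Warehouse", "ERP"},
    "Invoicing": {"Shipping", "ERP"},
    "Payroll": {"ERP"},
    "ERP": {"Data Center"},
    "Email": {"Data Center"},
    "Warehouse": set(),
    "Data Center": set(),
}


def all_nodes(depends_on):
    nodes = set(depends_on)
    for supports in depends_on.values():
        nodes |= supports
    return nodes


def effective_rto(depends_on, declared):
    """Tighten RTOs along dependencies: anything a process relies on must be
    back no later than the process itself, so a supporting node takes the
    smallest RTO of everything that depends on it, directly or transitively.
    Things have no declared RTO and start at infinity."""
    eff = {n: declared.get(n, math.inf) for n in all_nodes(depends_on)}
    changed = True
    while changed:  # values only ever decrease, so the loop terminates
        changed = False
        for node, supports in depends_on.items():
            for s in supports:
                if eff[node] < eff[s]:
                    eff[s] = eff[node]
                    changed = True
    return eff


def reverse_graph(depends_on):
    """node -> set of nodes that depend on it (edges flipped)."""
    rev = {n: set() for n in all_nodes(depends_on)}
    for node, supports in depends_on.items():
        for s in supports:
            rev[s].add(node)
    return rev


def reachable(start, graph):
    seen, stack = set(), [start]
    while stack:
        for m in graph.get(stack.pop(), ()):
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen


def processes_affected_by(thing, depends_on, processes):
    """Bottom-up: which processes stop, directly or transitively, if `thing` fails."""
    return reachable(thing, reverse_graph(depends_on)) & set(processes)


def supporting_things(process, depends_on, things):
    """Top-down: every thing the process ultimately relies on."""
    return reachable(process, depends_on) & set(things)


def rto_exceeds_mtpd(processes):
    """Processes whose declared RTO is longer than the MTPD management set."""
    return sorted(p for p, (rto, mtpd) in processes.items() if rto > mtpd)


def capability_gaps(eff, capability):
    """Things whose current recovery capability is slower than the RTO they
    inherit from the processes depending on them: (have, need) in hours."""
    return {t: (capability[t], eff[t]) for t in capability if capability[t] > eff[t]}


if __name__ == "__main__":
    eff = effective_rto(DEPENDS_ON, DECLARED_RTO)
    for node in sorted(eff, key=eff.get):
        print(f"{node:16s} effective RTO {eff[node]:>5} h")
    print("RTO > MTPD:", rto_exceeds_mtpd(PROCESSES))
    print("capability gaps (have, need):", capability_gaps(eff, THING_CAPABILITY))
    print("Warehouse failure stops:", sorted(processes_affected_by("Warehouse", DEPENDS_ON, PROCESSES)))
    print("Shipping relies on:", sorted(supporting_things("Shipping", DEPENDS_ON, THING_CAPABILITY)))
```

In the constructed data, Payroll declares a 72-hour RTO but shares the ERP system with Order Entry, which declares 4 hours, so ERP (and the data center under it) must carry a 4-hour requirement regardless of what Payroll reported; the 24-hour ERP recovery arrangement is then flagged as a gap. Invoicing is flagged because its declared RTO is longer than its MTPD, the inconsistency the definitions section says must not occur. Iterating until nothing changes, rather than a single pass, is what makes the propagation correct for multi-level chains such as Invoicing to Shipping to Widget Assembly to Order Entry.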
Impact Over Time

It is important to understand not only the instantaneous loss impact but also how the impact of the incident changes with time. If a product is unavailable for one day it is an inconvenience to the consumer; when it is unavailable for a week they will switch to another product and likely not switch back. Knowing what the time-related impacts can do to the business may be more important than the momentary financial loss. A well-designed BIA will ask the time questions. The time span analyzed is up to the business to choose and may extend to 30 or more days. The time impact is usually not linear; it will have periods where the impact flattens, then rises sharply. Time and impact may be displayed graphically or numerically. Here again, an image used in a presentation is more effective than a list of numbers.

(Charts, not reproduced here: "Start to end impact" and "Time Weighted Impact".)

Priority Impact

Examination of priority impact against the same six items as in the previous images shows that product visibility to the customer and the ability to manufacture the product are the top concerns. Priority is often confused with importance, when in effect it should relate to the order of recovery and to where mitigation controls are focused. Where priorities overlap, or where there is a dependency on a process rated at a lower priority, the lesser-rated process will be upgraded to an equal or possibly earlier point in the recovery.

Summary

Well, now that the pot has been stirred and the ingredients have mixed, there is a lot in the stew. Business impact analysis is a necessary and valuable work item, but it requires education, commitment, funding, and time. The involvement of the entire business, top to bottom and side to side, is what makes the difference and becomes one of the main cornerstones of the Business Continuity Program.
How to accomplish the BIA is up to the business: use surveys and interviews, flyers and on-line tools, software or do-it-yourself, you alone, a consultant, or you with a consultant. Whatever is selected, complete the process.