Information Security Magazine

Business Survival 101: How to Perform a Business Impact Analysis
by Ed Moyle
Issue: Nov 2006

Risky Business
By PAUL ROHMEYER

A business impact analysis must be performed in a risk context.

An early step in conducting a BIA is to define what is meant by the phrase "business impact" within the context of an organization's risk environment. Assessing the impact of a system outage or other technical event requires an understanding of the risks associated with underlying business processes and supporting information systems.

Organizations face many different types of risk, including health and safety, customer satisfaction, reputation and financial.

Health and safety risk applies to the physical well-being of customers, company employees and the public. Customer satisfaction risk is typically focused on the organization's ability to continue delivering high quality products and services to customers. Reputation risk is often the most serious to businesses, as events can quickly destroy a good name that had been fostered over many years and at a great expense. Financial risk relates to the impact a disruption may have on a company's ability to generate revenue; another financial consideration is the cost associated with responding to and recovering from an outage or disruption.

The degree or value of impact can be estimated by considering the factors associated with each risk type. For example, customer satisfaction risk can be estimated by considering the effect of potential system unavailability for any period of time. Several factors can decrease or increase the actual impact, such as the day or time of the risk event; your BIA should summarize the individual risk factors and present an aggregate rating for each function or process.

Ultimately, your BIA should include a recovery time objective (RTO) for each business function that identifies the longest tolerable disruptions. Cyclical industries should adjust their RTOs to recover faster during traditionally busy times.

Once the relevant risks are understood, your organization can use its BIA to estimate the impact of events on critical business processes and functions, the supporting information systems and their interdependencies.

Paul Rohmeyer, Ph.D., is an assistant professor at Stevens Institute of Technology and an IT risk management consultant.

Content Collection
While there are many methodologies available for performing an impact analysis and numerous conventions for structuring the final document, effective BIAs have more to do with content than format.

At a minimum, the BIA should contain a comprehensive catalog of business and support functions within the organization; some description of those functions, lists of critical systems and other resources involved in maintaining them; and a spider web of dependency/support relationships between the surveyed business functions.

Getting this minimal data can be a serious chore. Typically, most BIA endeavors begin by asking managers directly for specific details about the areas of the business for which they are responsible. Many BIA initiatives will start by sending questionnaires to sales managers, marketing executives and business unit directors that ask for information related to the function, operation and dependencies of the processes they oversee. These questionnaires are less intrusive to the business than gathering the information via an interview, so they're used more often.

Responses from the key managers can be used to map out dependency relationships and locate "hidden" processes, such as low-visibility functions or those performed outside the firm by a vendor or trusted partner. Examples are outsourced support-desk help or vendor-provided maintenance. These functions might be critical to business operation, but given their vendor-supplied nature, they may not be apparent in budgets or have dedicated personnel. These previously untracked activities can be added to a master inventory and their managers invited to participate in the BIA process; their input may yield even more areas to examine.

At the end of the exercise, the business is left with a comprehensive catalog of all functions and a precise road map of how they interact. The remaining task is to document those relationships and ensure updates are made as processes change.

In addition to documenting how business processes interact, it's important to collect financial information about them. Access to finances allows you to predict potential lost revenue, productivity costs and opportunity costs related to downtime in individual business units. Business managers will likely have basic profit and loss information for systems, but since you ultimately want to shed light on total downtime costs, you'll need to gather additional data.

To create this more detailed financial profile, enlist other areas of the firm to help. For example, the compliance department can provide insight into the fines or penalties that may be incurred if a particular process suffers downtime, while the legal department can help you understand what potential contractually defined fees you might owe if you are unable to provide service to clients for an extended period of time.

This financial picture can then be tied to the dependency information collected so that you can see, in dollars, the impact of one or more processes being unavailable.
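One way to tie the financial figures to the dependency map, as an added example that is not part of the original article: the function names, hourly dollar figures and dependency edges below are constructed, and the sketch assumes a function is fully unavailable whenever anything it depends on is down.

```python
from collections import defaultdict

# Constructed sample catalog: function -> hourly downtime cost in dollars
# (lost revenue plus penalties). Names and figures are illustrative only.
HOURLY_COST = {
    "order_entry": 12000,
    "billing": 4000,
    "support_desk": 1500,   # outsourced, a "hidden" process
    "customer_db": 0,       # no direct revenue, but others rely on it
    "payment_gateway": 0,
}

# Constructed dependency map: function -> functions it depends on.
DEPENDS_ON = {
    "order_entry": ["customer_db", "payment_gateway"],
    "billing": ["customer_db", "order_entry"],
    "support_desk": ["customer_db"],
    "customer_db": [],
    "payment_gateway": [],
}

def impacted_by(failed, depends_on=DEPENDS_ON):
    """Return every function that is unavailable when `failed` are down."""
    # Invert the map so we can walk from a failed function to its dependents.
    dependents = defaultdict(set)
    for func, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(func)
    seen, stack = set(), list(failed)
    while stack:
        func = stack.pop()
        if func in seen:      # already counted; also guards against cycles
            continue
        seen.add(func)
        stack.extend(dependents[func])
    return seen

def outage_cost(failed, hours, costs=HOURLY_COST, depends_on=DEPENDS_ON):
    """Dollar impact of the `failed` functions being down for `hours`."""
    down = impacted_by(failed, depends_on)
    return sum(costs[f] for f in down) * hours

if __name__ == "__main__":
    for name in DEPENDS_ON:
        print(f"{name:16} 4h outage: ${outage_cost([name], 4):,}")
```

Running it shows that `customer_db`, which has no direct revenue of its own, carries the largest outage cost because every revenue-bearing function depends on it.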
