Crisis Management and Business Impact Analysis Techniques


A business impact analysis (BIA) is used to identify threats that can impact continuity of operations. These threats might be natural or man-made and should encompass everything from a telecommunications outage to a fire or hurricane. The results of the BIA should provide a clear picture of the continuity impact in terms of the impact on human and financial resources, as well as on the reputation of the organization. To assess the risks associated with continuity, the BIA team should have a clear understanding of the organization, its key business processes, and the IT resources that support those processes. The BIA team should work with senior management, IT personnel, and end users to identify all resources used during normal operations. These resources might include both automated and manual processes. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remains with executive management, such as the board of directors. The following steps can be used as the framework for a business impact assessment:

  • Gather business impact analysis data

    • Questionnaires or interviews

  • Review the BIA results

    • Check for completeness and consistency

    • Follow up with interviews for areas of ambiguity or missing information

  • Establish the recovery time for operations, processes, and systems

  • Define recovery alternatives and costs

The BIA will help the organization understand the degree of loss associated with the business functions and associated systems. This covers financial loss as well as loss of customer confidence and damage to the organization's reputation. The BIA questionnaire and interviews should gather the following information from the business units:

  • Financial impacts resulting from the inability to operate for prolonged periods of time

  • Operational impacts within each business unit

  • Expenses associated with continuing operations after a disruption

  • Current policies and procedures to resume operations in the event of a disruption

  • Technical requirements for recovery


End-user involvement is critical during the business impact assessment phase of business continuity planning.


The BIA should include both quantitative and qualitative questions. Quantitative questions generally describe the economic or financial impacts of a potential disruption. These types of disruptions are measured in monetary terms, including both loss of income and expenses incurred during and after recovery. Quantitative impacts might include loss of revenue or sales, interest paid on loans, penalties for late payments to vendors, fines or penalties associated with contractual obligations, unavailability of operating funds, delayed or canceled orders, and so on. Expenses might include use of third-party services, emergency purchases related to recovery, rental or lease equipment, and relocation of employees. Qualitative impacts are impacts that cannot be quantified in monetary terms. These types of impacts are generally associated with the business impact of a disaster and include damage to reputation and loss of confidence in customer services or products. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.

A couple of approaches can be taken to a BIA: The team might develop questionnaires for senior management and end users, or it might gather information during an interview process. The important part of the process is to identify, sequence, and prioritize mission-critical processes. During the information-gathering phase of the BIA, the team will generally get information from individual business units. In addition to the information gathered from the business units, the team should identify the IT resources required for each process and the current disaster-recovery procedures. When the questionnaires are complete, the BCP team should conduct interviews to clarify the information contained in the questionnaires and to ensure that the organization has identified time-sensitive business operations and services, financial risks, correct time frames for the resumption of operations, and estimates of the resources required for successful recovery. A sample BIA questionnaire is shown in Figure 5.1.

Figure 5.1. BIA questionnaire

Organization:

Date Completed:

Business Unit:

BIA POC:

  1. Business Function and Dependencies

    • Identification of Business Unit Function - Description of the function being performed.

    • Function Dependencies - Description of the dependencies of the function.

    • Business Records - What business records are needed, and are they automated or manual? If required, are they backed up? How often?

  2. Disruption Impacts

    • Financial Impacts - What and when would the financial impact to the business be if the function were not performed?

    • Operational Impacts - What and when would the operational impact to the business be if the function were not performed?

    • Business Disruption - Has the business unit experienced a disruption in the past? What type of disruption? How was it handled (recovery, operations, etc.)?

  3. Recovery Resources

    • Recovery - What type of resources are needed to support the function, how many are needed, and how soon are they needed after a disruption (personnel, office space, telephones, etc.)?

    • Identify System Resources - What technology resources are required to support the function (include quantity and type)?

    • Hardware/Software


When the BIA questionnaires and the interviews are complete, the BIA team should begin to document the results in the form of a BIA recommendation report. This report should allow for the prioritization of recovery among the business functions, and also give the team an overall view of potential recovery scenarios within the organization. This overall view might highlight gaps where additional information is required. When the initial draft is complete, the BIA team should develop a summary sheet to send back to the interviewees for confirmation. This allows the interviewees to review the information and add information that might have come up since the initial questionnaire or interview. The BIA is an important step in business continuity planning because all future decisions are based on the information gathered during the BIA. It is important to ensure that the information is as accurate as possible and that individual business units and end users are closely tied to the development of the business continuity plan.

During the creation of the recommendation report, the BIA team must define time-critical business functions and processes and their interdependencies among the business units. The development of recovery scenarios depends on the clear definition of time-critical processes and the financial and operational impacts gathered during the BIA. Before the development of a BCP/DRP, the BIA team should develop a recommendation or findings report for senior management. The purpose of this report is to provide senior management with a draft priority list of the business unit service and support recovery, as well as the financial and operational impacts that drive the prioritization. This step will give senior management the opportunity to approve the recovery priorities and prepare them for the next phase, in which they will review the recovery solutions and associated costs.

The objective of a BCP is to ensure that the organization can continue operations and keep the costs associated with both downtime and recovery to a minimum. In reviewing the information gathered during the BIA, the team should determine what the critical information resources are related to the organization's critical business processes. This relationship is important because the disruption of an information resource is not a disaster unless that resource is critical to a business process. Per ISACA, each resource should be assessed to determine criticality. Indications of criticality might include these:

  • The process supports lives or people's health and safety.

  • Disruption of the process would cause a loss of income to the organization or exceptional costs that are unacceptable.

  • The process must meet legal or statutory requirements.

An important factor is the time period in which critical information resources must resume processing before significant or unacceptable losses are suffered. These time periods will depend on the type of business. As an example, the technology resources (hardware, software, network, and so on) that are used in completing stock transactions would probably be deemed critical, and the disruption or delay in resumption of any component of these services would result in large financial losses for that organization. In contrast, a smaller organization, such as a nonprofit organization, might be able to go without technology resources for hours or a few days without significant impact to the organization.

In making this determination, the BIA team should consider two cost factors. The first is the cost associated with downtime. This cost is measured against elapsed downtime (in hours or days), and it usually increases quickly over time up to a certain point at which it stops growing. The stop in growth reflects the point in time when the business can no longer function. The costs associated with downtime vary based on the organization but might include a drop in order transactions, the cost of idle resources, the cost associated with the inability to invoice customers or collect billing information, and qualitative costs associated with damage to reputation, goodwill, or the loss of market share. The second cost factor is the cost associated with recovery or resumption of services by implementing the business continuity plan. These costs include the cost of the development and maintenance of the continuity plan, off-site premises, insurance, and resources associated with recovery and resumption. As stated earlier, an optimal BCP and associated strategies should be based on the point in time when the sum of both cost factors is at a minimum. As an example of balancing these costs, the business might be capable of sustaining a longer recovery time, which will generally be less expensive to provide for but will incur more downtime costs than a shorter recovery. The combination of these costs should be taken into consideration when developing the recovery strategies.
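The cost balancing described above, worked through as an added example (not from the book): a downtime cost that grows with elapsed outage time and then plateaus once the business can no longer function, set against the annual cost of each candidate recovery strategy, with the strategy chosen where the combined cost is lowest. The hourly loss, plateau, strategy names, costs and outage rates are all constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample figures for illustration only (not from the book).
HOURLY_LOSS = 20_000.0     # revenue and idle-resource cost lost per hour of downtime
PLATEAU_HOURS = 72.0       # after this long down, the business cannot function; loss stops growing


@dataclass(frozen=True)
class RecoveryOption:
    """One candidate recovery strategy from the BIA cost review (hypothetical)."""
    name: str
    rto_hours: float     # recovery time the strategy can deliver
    annual_cost: float   # plan upkeep, off-site premises, insurance, recovery staff


def downtime_cost(hours: float, hourly_loss: float = HOURLY_LOSS,
                  plateau_hours: float = PLATEAU_HOURS) -> float:
    """Cost of an outage lasting `hours`: grows with elapsed time, then stops
    growing at the point where the business can no longer function."""
    return hourly_loss * min(hours, plateau_hours)


def total_cost(option: RecoveryOption, outages_per_year: float) -> float:
    """Recovery cost plus expected downtime cost for one year."""
    return option.annual_cost + outages_per_year * downtime_cost(option.rto_hours)


def choose_strategy(options, outages_per_year: float):
    """Return the option minimising the combined cost, plus the full cost table."""
    table = {o.name: total_cost(o, outages_per_year) for o in options}
    best = min(options, key=lambda o: table[o.name])
    return best, table


# Constructed candidate strategies: faster recovery costs more to maintain.
OPTIONS = [
    RecoveryOption("hot site", rto_hours=2, annual_cost=600_000),
    RecoveryOption("warm site", rto_hours=24, annual_cost=250_000),
    RecoveryOption("cold site", rto_hours=96, annual_cost=80_000),
]

if __name__ == "__main__":
    for rate in (1.0, 0.5):   # expected disruptive events per year
        best, table = choose_strategy(OPTIONS, rate)
        print(f"{rate} outages/year -> {best.name}: {table}")
```

With one expected outage per year the hot site wins; at one every two years the cheaper warm site does, which is the trade-off the text describes.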

The BIA is used to help business units understand the impact of a disruptive event and should include the execution of a vulnerability assessment for critical business processes to identify natural, man-made, and technical threats. The implementation of the BIA requires a high level of support from senior management and requires extensive involvement from IT and end-user personnel. The information collected during the BIA is used to develop the actual business continuity plan, which includes plan implementation, testing, and maintenance.



Source: CISA Exam Cram 2, ISBN: B001EEFNHG, Year: 2005, Pages: 146
