Scope

The storm before the calm? It makes sense when you think about it. When you start addressing the business at a business level, you may stir up a few things. For example, a client retains their data 'forever' off-site. Why, you ask? Very good question. First, it is a legal powder keg: Should anyone file suit, they would be able to subpoena all of those records. Second, it costs a lot of money for those tape cartridges. The answer I received was innocent enough: We don't know how to categorize our data properly and differentiate its importance. The more I probed, the more uncomfortable things became at the business level, because we uncovered an area that the business really needed to address but had been left undone for many years.

This planning kit provides the initial information necessary to create a compelling business impact analysis (BIA) that will help you identify the critical components of your environment and the cost associated with their unavailability. We hope using this planning kit helps you achieve a sense of calm knowing that you will be well prepared in the event your company experiences a disaster.

An Introduction to BIA

We touched on BIAs in Appendix D. In this appendix, we go into greater detail. Let's begin with defining exactly what a business impact analysis is. As mentioned in the previous appendix, a BIA is an evaluation of your company's strengths and weaknesses with respect to its ability to recover from a severe business interruption to a complete disaster. While the BIA can stand on its own, it should also be included as a component of the DR plan. Here's what you should look at as you conduct this type of analysis:

• Intellectual property, critical hardware, software, and any custom applications

• Your time to recovery, based on the amount of money your company will stand to lose, plus the level of importance for this particular application, server, or service

• The conditions your data should be in at the very least in order to recover successfully, including how old the data is

When planning for DR, you should take into consideration the entire process of determining, implementing, and documenting everything that must be done in order to return some critical component of your business to its normal working order following a disaster. There is a common methodology used by a number of clients for DR planning that involves seven steps. If you have the DR planning kit, you will be familiar with these steps, listed here:

1. Perform BIA.

2. Perform risk assessment.

3. Determine recovery strategies.

4. Update/develop backup plan and operations guide.

5. Update/develop a recovery plan.

6. Test.

7. Update and maintain the DR plan.

We will be concerned with only Step 1 in this planning kit. The use of BIAs in a DR plan will help address the needs of the business and the business units with respect to data protection and availability by providing a means to define the importance of each component of the business unit and how each will have an impact should it become unavailable for a period of time. What you should find as a result of conducting BIAs is that you now have the basis for all the other steps in your DR planning process.

As you begin the process of interviewing the business unit managers, data owners, and administrators, you will begin to identify certain areas and associated costs that may not line up with the financial expectations for this business unit's recovery. Therefore, a second interview with the business unit managers would be required to resolve or reprioritize their goals so that they fall in line with the financial picture. However, you may find that recovering this business unit's applications would require more money than otherwise financially allocated. Based on which direction this goes, it may in fact force changes to be made to the backup plan, DR plan, or even the budgets.

The BIA is a methodology that helps to identify the impact of losing access to a particular system or application to your organization. The BIA process is primarily an information-gathering process. In the end you will take away several key components for each of the business units you have worked with, some of which we have listed here:

1. The criticality a particular system or application has to the organization

2. How quickly it must be recovered in order to minimize the company's risk of exposure

3. How current the data must be at the time of recovery

This information is essential to your DR and backup plans, as it describes the business requirements for backup and recovery.

In the past, most organizations viewed the IT staff as the bits-and-bytes types who didn't interface well with others. That is starting to change, and performing things like a DR plan and a BIA help a great deal in our marketing effort and in fostering relationships with the various business areas. The business unit managers will be attracted to the relationship by the information you provide to them, such as the impact to the business a disaster could bring to this particular unit.

The information that is collected during the interview process will be the basis for the analysis, which in turn will be used within the DR plan. We have included sample lists and forms to use during your interview process. You may choose to use these or create your own. Whatever you decide, we strongly recommend that you use something and maintain a level of consistency throughout your analysis.