You’ve convinced management to do a BIA, and now it’s time to jump in. But, wait! A proper business impact analysis requires some preparation. You don’t jump into a body of water without looking at it first and changing into swim trunks or at least taking everything out of your pockets. Otherwise, you might hit a rock or damage the phone in your pocket. The same logic applies to a BIA. Preparing for a BIA is critical to its success.
Here, we’ll outline the prep work required to conduct a solid BIA; one that is worth your while and creates tangible results. In the following, we assume a basic understanding of the concept and components of the BIA.
A typical BIA uses a more formal process consisting of interviewing stakeholders, scoring that uses impact categories to calculate an RTO, and reviewing and discussing dependencies, applications and RPOs. This can take significant time, but there are other options. In addition to the formal BIA you can perform:
Before we dive into preparing for a BIA, we should have a quick reminder on the difference between the RTO and RPO. The RTO is the recovery time for a process or application; the RPO is the recovery point or maximum amount of data loss for an application that is acceptable.
Here are some things to keep in mind:
The following is an example of the scoring categories for a formal BIA. These can be modified or reduced for an informal or questionnaire.
For both quantitative and qualitative categories determine the score range (such as 1 – 4 or 1 – 5). Again, anything more does not add value. For the quantitative category determine the dollar range for each score. This will be different for each organization. It is often based on the revenue of the organization and how much it is willing to lose, then broken down relatively evenly across the score values
Ideally, you would include all the departments in the organization, but if time or budget is limited, it may make sense to identify only the most critical processes and departments. See above for a discussion of performing a formal or informal BIA depending on the need or criticality of departments.
Once you’ve selected the departments, identify the participants. Include both management and individual contributors, but do not try to include all individuals performing a process or in a department. Individuals participating need to be able to see the impact the process has across the organization.
If you are using either a formal or informal BIA, you will still need to develop a questionnaire to use or a “pre-work” document for the departments to complete prior to the interview to help facilitate the discussion. Ensure that you have included an example of how to fill out either document, as well as the appropriate level of detail and information.
No matter what BIA strategy you use, preparing for a BIA is the key to making it efficient and effective. Something is better than nothing, so even an informal “back of the envelope” discussion on process RTO needs and applications required will get you the information necessary to develop a basic strategy and will provide IT with some information to start on the technology recovery strategy. You may still not have all the information you need, but this outline provides a guide on how to get started. Good luck on your BIA!
Need more help? Check out our guide to creating a functional BIA.