The BIA is always a hot topic in business continuity. Everybody wants to know how to do a Business Impact Analysis (BIA).
This interest is not misplaced, since the BIA is a critical part of an organization’s business continuity program.
Here’s our Business Impact Analysis (BIA) definition: A BIA provides you with a clear picture of the criticality of your business operations based on the processes they perform. A BIA helps you identify the dependencies that must be in place for those processes to run. This can include computer systems, vital records, etc. In essence, it serves as the foundation of any good continuity strategy. Once you understand which business processes are most critical to the livelihood of your company, you can then use this information to build an effective strategy. This strategy will only address those areas that need to be recovered and the time frame to recover them.
However, it is important to remember that the BIA is a waste of time if the organization neglects to use the results to correctly define and establish Recovery Time Objectives (RTOs).
If this is not done, the rest of your program will be seriously handicapped.
In today’s post, we’ll try to shed a little light on this often oversimplified but extremely important topic. Specifically, we will:
Recovery Time Objective (RTO) is the time in which a business process and its associated applications must be functional again after an outage event in order to prevent a defined amount of impact. In other words, RTO refers to the time it takes for the functional restoration of a business process. This means it’s close to where it was before the disruption.
RTOs are typically units of time such as 4 hours after the event, 12 hours after the event, 24 hours after the event, and so on. For less time-sensitive processes, they might be days or weeks after the event. The most critical and time-sensitive processes might have an RTO of 0 hours. FHave or processes with an RTO of 0 hours, systems must be in place to ensure they never go down. An important note on RTO: from a disaster recovery perspective, the RTO clock starts when the recovery starts (or is approved). Not from the start of the event.
Typically, an organization establishes around five RTO categories, some short and some long. Processes, and their associated systems and applications are placed in appropriate categories according to the process criticality determined in the BIA. Remember, we use the BIA to determine the impacts (both quantitative and qualitative) to each process over time. We do this to establish how soon you need to restore each to avoid serious impacts to the organization.
The importance of the RTOs is that they are the foundation of the rest of the recovery plan. They guide the development of your recovery strategies and technical implementation.
The RTOs are the goal; the recovery plan is the series of steps needed to meet the goal. Writing a recovery plan without having a clear picture of the RTOs is like planning a trip without a destination.
The main reasons it is important to get the RTOs right are simply stated:
For every environment or application in the recovery plan, it is vital that you make an informed judgment regarding how long that process is interrupted before it causes significant impacts to the organization.
Considering how important it is to set and assign RTOs properly, how do you go about doing this?
Defining the RTO categories prior to the BIA is just as important as performing the BIA to determine the correct RTO for a process. Without the appropriate RTO categories, the processes may not have a realistic recovery time.
The best way to determine the RTO for a process is to include your task as part of your BIA. Estimating the dollar and non-dollar impacts of a disruption helps you arrive at a realistic and objective RTO. But even without a complete BIA, you can still determine RTOs through a less formal process.
Here are a few tips:
The following are some of the most common mistakes organizations make in establishing RTO categories and assigning processes to them:
Those are some of the main things to keep in mind when establishing RTO categories and assigning your processes to them. Once you’ve mastered this, you’re in the right position to write recovery plans that provide meaningful protection to your organization.