Business impact analysis is a critical part of the business continuity planning process. This step quantifies data and gets into the real world issue of potential losses that may negatively impact your business. It is used to understand the most important impacts and how to best protect your all the people, processes, data, communications, assets and the organizations goodwill and reputation.
Organizations commonly think in terms of disaster recovery. Business continuity and the business impact analysis is more focused on keeping the business up and running and less focused on recovery after a disaster. The business impact analysis also is not focused only on the potential disasters, but on all potentially critical discontinuities. Key elements of the Business Impact Analysis are to identify critical business functions, establish the maximum acceptable outage time for each of these functions and then to determine the impact of not performing those functions. This might
be measured against regulatory, legal, financial, operations or customer service requirements.
Once the adequacy of security and controls is evaluated and critical business functions and outage times are targeted, the business continuity planner needs to develop an information of the probability of threats factored by the severity or impact and to start to develop a cost benefit analysis of the largest impact and highest probability threats.
Its virtually impossible to create an absolute assessment of worth
and prioritization of threats and impacts. Generally, a relational system is used to drive out the key priorities. Often, each threat is evaluated according to its probability and assigned a 1, 5 or 10 rating. Then, each threat is evaluated according to its impact on critical business functions and on the business overall. For example, a discontinuity in a critical business function of less than one hour might receive a assessment of value of 0. A discontinuity of one to eight hours might be ranked a 1, eight to twenty four hours might be ranked a 2 and over 24 hours might be ranked a 3. Obviously, these rankings absolutely need to be developed on a company explicit
basis. Probability factored by impact creates the relational prioritization list.
This approach to risk evaluation and control allows management to start to quantify the risks and potential impacts on the organization in a thoughtful and analytical way. This results not only in higher quality decisions, but also provides an audit trail that demonstrates that management is paying attention to its risk management responsibilities. These responsibilities might be established by regulatory or legal bodies, demanded as a contractual commitment by customers or simply expected by shareholders as sound and prudent management. The key corporate goals are to protect all the people, protect assets, protect data and to protect the brand and reputation of the organization.
Midwest Data Recovery Inc.
312 907 2100 or 866 786 2595
Robert Mahood has significant technology and management experience in data communications, internet, storage, disaster recovery and data recovery. He is currently the president of Midwest Data Recovery. www.midwestdatarecovery.com