DISCUSSION PAPER
Topic: Business Impact Analysis/Assessments 1.0 PURPOSE OF BUSINESS IMPACT ASSESSMENT
A business impact assessment (BIA), also called a business impact analysis, is a study of an organization’s functions for the purpose of estimating how well or poorly it can be expected to perform if its operations are disrupted. A BIA establishes a more rigorously defendable baseline for deciding how much continuity planning should be developed. Many continuity planners encounter the dilemma that after having identified solutions to avoid or minimize operating risk, senior management balks at the cost. This is especially the case when the benefits – not only for reduced impacts of risks but also improved daily operations – are nebulous or not clearly understood. A BIA provides a stronger analytical basis for making these decisions.
In general, planners and executives tend to underestimate the costs associated with disruptions because they overlook some sources of disruption costs. As a result, inadequate continuity plans may be constructed. This discussion provides a comprehensive list of the categories of “drivers” to reduce the likelihood that some costs are overlooked, and it examines the challenge of defining continuity planning correctly to provide a defendable base for decision-making.
This analytical process is called a business impact assessment, not because it applies only or primarily to organizations with profit motives, but because the process focuses on the results of disrupted business type operations. In this discussion, business impact will mean the same as government impact, where the concern is for disrupted government operations and their effect on the public at large and specific beneficiaries of the operations. “Organization,” “agency,” “business,” and “government” will be used interchangeably in this discussion.
2.0 HISTORICAL PERSPECTIVE
The essence of a BIA is measuring effects from disrupted operations. But measure what? And how? And under what premise? The context or frame of reference adopted in a BIA is critical.
Historically, performing a BIA would have involved rather straightforward tasks of estimating daily or hourly operating costs for the agency, and these costs would serve as a measure of the “value” at stake if the operations stopped. Twenty years ago, constructing a disaster recovery plan mostly focused on restoring computer and communication systems at recovery sites. The BIA provided cost estimates to trade off the anticipated duration of down time (without planned recovery capability) with the cost of maintaining restoration capability, typically measured in mean time (minutes, hours, days, weeks) to resume operations. This latter metric is sufficiently important that it has acquired its own acronym, RTO, or Recovery Time Objective.
The expectations of a BIA are expanding because of several trends and events. As information technology facilitates more rapid performance of services and delivery of goods, expectations of customers and the public in general for responsiveness are lowering the limits of acceptable down time. Restoration times are now often measured in micro-seconds (e.g., no interruption), seconds, minutes, and hours instead of days or weeks. Because recovery site costs escalate as response times drop, management must examine more critically their customer’s expectations. The BIA is thus becoming a vehicle for documenting variations in customer response requirements and differentiating response times required of recovery sites for different government functions.
The changing profile of operations risks is also shifting the focus or frame of reference for BIAs. The terrorist attacks of September 11, 2001 and the subsequent anthrax attacks raise the issue of loss of personnel and/or extended loss of facilities, not just computing centers. The deterioration in information security in new computer systems, the consequence of adoption of