A business impact analysis (BIA) will enable the organization to properly prioritize and organize focus areas in the event of a disaster. Those without BIAs tend to treat all business functions with the same priority, which can mean delayed recovery, unnecessary expense, or failure to protect critical processes and systems.
“Due to highly automated and integrated business processes, organizations suffer significantly when IT, network access or cloud services are unavailable or performing poorly,” says Lowell Shulman, research director. “Organizations require a disaster recovery plan that includes formal BIA to consider the impacts of disruptions to all essential business processes and their dependencies. A BIA will enable an organization to focus efforts and investment on those business functions/processes that are most critical to the organization and set expectations for a prioritized recovery timeline.”
Companies looking to create a BIA should follow these steps:
Prework: Build the teams and framework to enable a successful BIA
For the BIA to be effective and thorough, cross-functional involvement is vital. This allows the framework to be reflective of the priorities of the entire organization. A project lead must pull together a team with representation from key organizations that includes an executive sponsor, business operations and optional members from legal, finance, HR and other business units. This team will define the goal and scope, set the timeline, select necessary tools and define a business impact framework.
Step 1: Gather business impact data and recovery requirements
Step 1 requires organizations to design and perform a BIA survey. This survey will capture key data about business operations and the potential impact of that business function being unavailable. Start with a list of business functions from each business unit. This survey should be conducted primarily by those within the BIA team and should be supplemented with in-depth interviews with extended team members.
Step 2: Consolidate the business impact data
The next step is to assemble the BIA data gathered from the surveys and use the data to identify all necessary components of mission-critical and business-critical business functions. This will ensure that these processes and their dependencies are identified, including whether timely restoration or recovery is needed or possible. From this data, the team should build business process flowcharts with all internal and external components and dependencies.
Step 3: Analyze business impact data and define recovery practices
During this step, the team should collate requirements and objectives for business continuity and disaster recovery. The end result should be a report that reflects the true needs of the organization. The team should agree to a prioritized list of critical processes and components, evaluating financial and nonfinancial impacts. This is the time to identify and define recovery sequences to ensure that the business is up and running to acceptable standards as soon as possible. This analysis should be shared with key stakeholders for validation and feedback.
Step 4: Promote, leverage and update BIA over time
Present the results of the BIA to the executive sponsor and extended team, as well as external partners who will need to act on it. The presentation should have key findings as well as implementation priority recommendations. Remember, this is not a static document but one that should be regularly updated, particularly given the frequent updates and changes in IT and business applications. Best practice is to review the document at least once per year or as part of the process to update or deploy business processes.