In the immediate aftermath of Hurricane Harvey and with Hurricane Irma preparations in full swing, it’s important for all organizations to carefully examine their plans for dealing with a natural disaster.
As companies have increased dependence on IT systems to deliver their services more quickly, the ability to recover from the effects of disasters has become more important and more complex.
During and immediately following a disaster, the primary focus for business and IT leaders should be on ensuring the safety of employees and helping out where possible.
Executives affected by these disasters — and those who witness them — recognize the need to plan for these unexpected events. Identifying the most critical business functions and how much investment is required to protect them is critical.
Free research: : Five Must-Learn BCM Lessons From Hurricane Sandy
A business impact analysis (BIA) will enable the organization to properly prioritize and organize focus areas in the event of a disaster. Those without BIAs tend to treat all business functions with the same priority, which can mean delayed recovery, unnecessary expense, or failure to protect critical processes and systems.
“Due to highly automated and integrated business processes, organizations suffer significantly when IT, network access or cloud services are unavailable or performing poorly,” says Lowell Shulman, research director. “Organizations require a disaster recovery plan that includes formal BIA to consider the impacts of disruptions to all essential businesses processes and their dependencies. A BIA will enable an organization to focus efforts and investment on those business functions/processes that are most critical to the organization and set expectations for a prioritized recovery timeline.”
Companies looking to create a BIA should follow these steps:
Prework: Build the teams and framework to enable a successful BIA
For the BIA to be effective and thorough, cross-functional involvement is vital. This allows the framework to be reflective of the priorities of the entire organization. A project lead must pull together a team with representation from key organizations that includes an executive sponsor, business operations and optional members from legal, finance, HR and other business units. This team will define the goal and scope, set the timeline, select necessary tools and define a business impact framework.
Step 1: Gather business impact data and recovery requirements
Step 1 requires organizations to design and perform a BIA survey. This survey will capture key data about business operations and the potential impact of that business function being unavailable. Start with a list of business functions from each business unit. This survey should be conducted primarily by those within the BIA team and should be supplemented with in-depth interviews with extended team members.
Step 2: Consolidate the business impact data
The next step is to assemble the BIA data gathered from the surveys and use the data to identify all necessary components of mission-critical and business-critical business functions. This will ensure that these processes and their dependencies are identified, including whether timely restoration or recovery is needed or possible. From this data, the team should build business process flowcharts with all internal and external components and dependencies.
Step 3: Analyze business impact data and define recovery practices
During this step, the team should collate requirements and objectives for business continuity and disaster recovery. The end result should be a report that reflects the true needs of the organization. The team should agree to a prioritized list of critical processes and components, evaluating financial and nonfinancial impacts. This is the time to identify and define recovery sequences to ensure that the business is up and running to acceptable standards as soon as possible. This analysis should be shared with key stakeholders for validation and feedback
Step 4: Promote, leverage and update BIA over time
Present the results of the BIA to the executive sponsor and extended team, as well as external partners who will need to act on it. The presentation should have key findings as well as implementation priority recommendations. Remember, this is not a static document but one that should be regularly updated, particularly given the frequent updates and changes in IT and business applications. Best practice is to review the document at least once per year or as part of the process to update or deploy business processes.
Gartner has made the following research available for free to help any organization impacted by Hurricane Harvey or preparing for Hurricane Irma: Use Business Impact Analysis to Enable Effective Business Continuity and Disaster Recovery Programs.
Read our free research series on business continuity and disaster recovery planning and disaster supply chain risk management and recovery.