From the Business Impact Assessment (BIA) to the Preparedness Document
The Business Impact Assessment (BIA) is the initial information gathering process before developing the preparedness document, e.g., the DRP, BCP, COOP, etc. Upon completion of the BIA, development of the plan is a slam dunk.
Tom Abruzzo, president and founder of TAMP Systems, explains…
The Business Impact Analysis, or as most practitioners call it, the “BIA,” is the initial information gathering process for disaster recovery, business continuity and continuity of operations planning. After completion of the BIA, development of the corresponding preparedness document, e.g., the disaster recovery plan (DRP), business continuity plan (BCP), continuity of operations plan (COOP), etc. is a slam dunk.
Among several steps, the BIA qualifies and quantifies the impacts of service-affecting or disaster incidents over varied timeframes. The analyzed disaster impact information obtained during the BIA helps to define the recovery and continuity objectives, such as the:
- Maximum Allowable Downtime (MAD), which is an estimation of the maximum time that can be tolerated as a result of a disruption.
- Recovery Timeframe Objective (RTO), which is the target timeframe, in hours or days, to recover operations/processes and/or applications following an outage, e.g., one hour, 24 hours, three days, etc.
- Recovery Point Objective (RPO), which is the point in time to which systems and data must be recovered after an outage, e.g., one hour prior to outage, end of previous day’s processing, etc.
Recovery and continuity objectives can be considered the Targets.
The BIA thoroughly scrutinizes – both quantitatively and qualitatively – the impacts of not being able to perform day-to-day technology or business operations. The disaster impact information that is analyzed in order to define the recovery and continuity objectives generally consists of:
- Temporary and permanent financial and non-financial impacts of disaster incidents for varied timeframe outages.
- Legal and regulatory impacts of our client’s inability to carry out their operations during timeframe outages.
- Interdependencies (both internal and external). These include applications/systems, recovery resources (personnel, equipment, facilities, vendors, vital records, etc.), and ancillary or other required resources/dependencies.
- Workaround contingency options or procedures that may be used if the operation/process or application owner’s facility or technology became inoperable. Although this information does not help to determine disaster impact information, the BIA is sometimes a good time/place to obtain it.
Outputs from a DRP BIA and a BCP BIA are different: A DRP BIA identifies and maps applications/services to their business operations/processes, interdependencies, and ancillary resources.
On the other hand, a BCP BIA identifies and maps business operations/processes to their applications/systems, interdependencies, and ancillary resources.
Essentially, the results of a BIA provide the foundation building blocks for the development of the overall preparedness document mentioned above, that is, the DRP, BCP, COOP, etc.
Upon completion of the BIA, you should have collected and analyzed the necessary disaster impact information to allow you to define the recovery and continuity objectives, which will in turn allow you to identify suitable backup, recovery and continuity strategies that will have the ability to achieve the defined objectives.
Another output of the BIA will allow you to prioritize your recovery and continuity operations, which will be a component of your preparedness document. That is, in a DRP BIA, the order in which you will recover your applications/services; or in a BCP BIA, the order in which you will recover your business operations/processes.
Also upon completion of the BIA, you should have collected the recovery resource and interdependency information for your applications/systems and/or business operations/processes.
The following are other components of your preparedness document. Essentially, the information that is left to complete your preparedness document is easy to obtain.
- Assembly area locations, which are pre-planned meeting places/locations following evacuation after a disaster incident.
- Emergency Operations Center (EOC) locations, which are pre-planned meeting places for management to manage disaster recovery and business continuity operations.
- Alternate work locations, which are pre-planned places to go to reestablish mission critical operations after a disaster incident.
- Notification procedures and telephone tree contact lists
- Application/service startup procedures and/or workflow diagrams.
- Communications recovery procedures and related network diagrams.
- Business operations/processes startup and recovery procedures and related workflow diagrams.
- Vital recovery and restoration procedures, which are essential for restoring and reestablishing your operations.
- Emergency procedures and contact information for emergency agencies, vendors and contingency partners. These should include: 911 or equivalent for ambulance, fire, police, gas leakage, poison control, air or marine emergency, American Red Cross, etc. Contact information for communications backup and recovery resources such as satellite phones or broadband satellite internet access, grief counselors, FedEx’s Custom Critical for surface/air and white glove delivery services, FEMA, insurance claim mediators, local office of emergency management, real estate brokers, salvage & cleaning contacts, security services contacts, etc.
Tom Abruzzo is the president of TAMP Systems, which has earned and maintains a CBCV certification from Disaster Recovery Institute International (DRII). Tom and his company can be reached at 1-800-252-4080, tabruzzo@tampsystems.com, www.tampsystems.com.
See http://www.rothstein.com/data/dr350.htm for information on the DRS Disaster Recovery System by TAMP.



