The business impact analysis (BIA) is an important component of how a business operates. The BIA identifies the vulnerabilities in the business and works towards developing a risk management plan to reduce the risks associated with those vulnerabilities. The exploratory component of the BIA serves to identify the threats. This component is then followed by the planning phase, which develops strategies for risk management. In this paper I will attempt to describe the methods for establishing component priorities in the BIA, including business functions, BIA scenarios, the financial impact of components, and recovery time frameworks. Through these steps a BIA can be established that the business could follow to protect itself against threats.
For an effective BIA process, the business must be able to account for any possible situation that could disrupt its operations. The process must also account for the impact on the business after a threat materializes. “While having a business impact analysis two objectives should be clearly set up that are recovery point objective and recovery time objective” (“Business Impact Analysis-A technique for recovering from a loss incident,” 2010). The recovery point objective states how much data, measured in time, the business can afford to lose, and the recovery time objective states how long a function may remain unavailable before the loss becomes unacceptable. These objectives will be used to establish the guidelines of the business operation and to determine what the business is capable of managing and what would require additional safeguards.
The business can incorporate a step-by-step process by having individual departments conduct an analysis of their own areas. The departments would begin by identifying the function of their department. This establishes the business processes of the individual department. Once the business processes are established, each must be analyzed against three areas: the financial risk, both domestic and international, of losing that department; the regulatory risk of not performing the function of the department; and the reputational risk of not performing that function. Koustic (2013) established that calculating the loss to the company is one of the most important steps of the BIA process. “The main criteria while doing the analysis must be the damage of any potential data loss to the company – in terms of money or other impacts like legal, reputation, etc.” (Koustic, 2013). Financial risks “may include loss of revenue, loss of interest on bank balances, the cost of borrowing to meet cash flow, loss of revenue from sales, interest value on deferred billings, penalties from not meeting contractual commitments or service levels, opportunity lost during the downtime, and losses from processing transactions at market risk as of the date received. Regulatory risk may include penalties for not filing financial reports or tax returns on time, fines or penalties for noncompliance with regulatory requirements in place for your business, or the need to pull products off shelves because of lost product-testing information” (“Disaster Recovery: The How To and Prioritization Practices,” 2013). Customer or reputational risk includes a loss of consumer confidence as well as market share, claims of liability, media coverage of customer complaints, loss of goodwill, and loss of competitive advantage (Ibid, 2013). By identifying these losses, the business can determine which departments need to develop risk management plans to protect the company.
Once the roles and functions of the various departments are established, it can readily be determined what would happen if those functions were to stop. The team would also be able to determine how long it would take to resume the functions of that department. Both quantitative measures, such as actual dollars per minute, hour, or day of downtime, and qualitative measures, which predict certain outcomes based on the knowledge or experience of the individual, can be used to calculate the loss to the business. After the information is gathered, a concrete analysis is obtained that describes everything the company does, what impact it would have if a function could not be performed, how quickly that impact would be felt, and how significant the impact would be. Gathering this information is the first step in building a risk management plan.
Once the information is obtained, a BIA report can be written. The report is important because it provides the evidence for the steps that are being taken to protect the company. The BIA report should include an executive summary, objectives, scope, data, a summary of findings, and recommendations. The formal BIA report can then be presented to senior management so that they can take the next steps to establish the risk management plan. The report must not only provide evidence for the risks but also convince upper levels of management to incorporate the recommendations it provides. The business must then ensure that these steps are being followed and maintained; as Infotech (2013) established, maintaining the risk plan is an important part of risk management. The report is a great opportunity to demonstrate to senior management why recovery from a disaster is imperative and why it needs the support of business leaders (“Business impact and risk assessment,” 2013).
The BIA report is considered an important element in developing the contingency plan for the company’s information technology as well as for all other aspects of the business. This contingency plan is even more essential because it directly affects the security principles the company is able to uphold. Security professionals must be involved throughout the exploratory and planning phases of the BIA. They must also play an important role in influencing the development of the BIA report, as their expertise can guide the recommendations section (“Business Impact Analysis,” n.d.). This report provides the foundation of the contingency plan as well as the evidence for why the steps are taken. Security professionals would also be able to state whether or not the recommendations are feasible for the company and its personnel. By involving themselves in the process, security professionals become more in tune with business-critical assets and with the flow of information across the enterprise infrastructure.
Business Impact Analysis. (n.d.). Retrieved from http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/business-impact-analysis.aspx
Business Impact Analysis-A technique for recovering from a loss incident. (2010). Retrieved from http://www.riskmanagementguide.com/business-impact-analysis-a-technique-for-recovering-from-a-loss-incident/
Business impact and risk assessment. (2013). Retrieved from http://www.infotech.com/optimizeit/business-impact-and-risk-assessment
Disaster Recovery: The How To and Prioritization Practices. (2013). Retrieved from http://www.evolutioncp.com/blog/risk-management/disaster-recovery-the-how-to-and-prioritization-practices/
Koustic, D. (2013). Backup policy. Retrieved from http://blog.iso27001standard.com/tag/business-impact-analysis/