Step 1. Business Impact Analysis
A BIA is performed at the beginning of business continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption.
It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.
A BIA (business impact analysis) is considered a functional analysis, in which the team does the following:
- Collects data through interviews and documentary sources.
- Documents business functions, activities, and transactions
- Develops a hierarchy of business functions
- Applies a classification scheme to indicate each individual function’s criticality level
To determine a classification scheme based on criticality levels, the Business Continuity committee must identify the threats to the company and map them to the following characteristics:
- Maximum tolerable downtime and disruption for activities
- Operational disruption and productivity
- Financial considerations
- Regulatory responsibilities
It is unlikely that the Business Continuity committee can truly understand all business processes, so the committee must gather this information from the people who are in the know, such as department managers and specific employees throughout the business. The committee must identify the people who will take part in the BIA data-gathering sessions and decide how the data will be collected from the selected employees; a common method is to use surveys, interviews, or workshops.
It is important that the team members ask how different tasks (processes, transactions, or services, along with any relevant dependencies) get accomplished within the organization. From this information, process flow diagrams should be built, which will be used throughout the BIA and plan development stages.
Upon completion of the data collection phase, the BCP committee needs to conduct an analysis using a standard risk assessment to establish:
- Critical processes, devices, or operational activities
- Systems that stand on their own, not affecting other systems
- Processes that are deemed low in criticality
The more detailed and granular steps of a BIA are outlined below:
- Select individuals to interview for data gathering.
- Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
- Identify the company’s critical business functions.
- Identify the resources these functions depend upon.
- Calculate how long these functions can survive without these resources.
- Identify vulnerabilities and threats to these functions.
- Calculate the risk for each different business function.
- Document findings and report them to management.
Step 2 Assessment - Threat/vulnerability assessment
Step 3 Planning - Emergency response plan
Step 4 Planning - Crisis management plan
Step 5 Planning - Business continuity plan
Step 6 Planning - Information technology disaster recovery plan
Step 7 Planning - Business resumption plan
Step 8 Training - Personal preparedness and awareness
Step 9 Execution - Command Center
Step 10 Education - Automated notifications