Risk Assessment and Business Impact Analysis are both important components of BC/DR Plans. However, Risk Assessment should be carried out before attempting Business Impact Analysis. Once both these components are in place, it is easier to formulate a sound strategy for BC/DR.
The four most important risk scenarios that affect business operations of an organization are:
- Production site is partly or fully destroyed or cannot be accessed
- Loss of data and other critical records
- Loss of IT functions due to glitches, viruses, power outages, etc.
- Loss of skills due to incapacitation, death or mission-critical staff leaving for greener pastures
Assessing the above scenarios gives an insight into the risks the organization faces during a disaster. There are other risks too, but the above are the major risks. Once the risks have been identified, their impact on different aspects of production and services can be gauged. Those risks which affect mission-critical operations should be handled first. The following strategy is used to handle risks:
- Prevent – those risks which are of high probability with high impact. These risks must be attended to first, using mitigation, prevention or any other strategy to lessen or avoid their impact
- Accept – risks which have low probability and low impact. Nothing specific needs to be done for such risks, but the organization should be vigilant. If a back-up strategy is put in place for such a risk, all the better
- Contain – risks which have a high probability of occurring but a low impact on operations. Use mitigation strategies to minimize the impact of the risk on business operations
- Plan – low probability but high impact events. Though this may be a once-in-a-lifetime event, its impact could be disastrous. The business should plan the steps to be taken if such a risk occurs. Once the steps to be taken are in place, production can be resumed in the shortest possible time with the least loss of data
Once all the risks have been identified, it is time to do the Business Impact Analysis. The Business Impact Analysis will gauge the impact of a specific risk on business operations from the standpoint of restarting production as well as its financial impact.
Business Impact Analysis
Once all the risk factors are known, then each risk should be assessed for the impact on business operations, financial implications, staff, supply chain and goodwill. Depending on the type of risk, it can affect the entire gamut of business operations or only a part. At times, a risk may impact only a part of an operation, but if it impacts mission-critical aspects, then it is a major disaster. Therefore, it can be seen that Business Impact Analysis is a very important aspect of BC/DR.
The best way to carry out a Business Impact Analysis is to pose a series of questions to the heads of each business operation. They will be the best judges of what will happen if that operation is affected. The basic questionnaire for Business Impact Analysis should elicit the answers to the following:
- Get an overall understanding of how the entire business operates
- What are the mission-critical operations of the business
- Financial implications of downtime in critical operations
- Role of external and internal agencies on business operations
- Data requirements for the entire organization as well as mission-critical aspects of business
- RTO (Recovery Time Objective) for data so that operations can be restored to their original state
- System requirements
- Minimum time lapse to restore status quo ante
- Minimum staff required to carry out business in disaster mode
- Minimum technology and equipment needed to restart operations
The details determined by Business Impact Analysis will indicate how different risks will impact the business. Based on this, Management can take a call on what level of protection/mitigation different business operations require so as to come out of the disaster relatively unscathed. The Business Impact Analysis forms a vital part of an organization’s Business Continuity and Disaster Recovery (BC/DR) Plans.