Many times, organizations have a business continuity and disaster recovery plan (BCP/DR); however, when they need to enact it, they find that it fails. The reason failures occur is that the organization misses a key component of any BCP/DR plan: a Business Impact Analysis (BIA).
What Is Business Impact Analysis?
A business impact analysis is a structured process your organization uses to determine and evaluate the potential impacts of an interruption to critical business operations due to disasters, accidents, or emergencies. Skipping this analysis, or performing it improperly, can result in a failure to have the correct plan and resources in place to meet recovery objectives in the event of a business process interruption.
IT departments often work in a vacuum to create a DR plan, and in general they do a good job of producing a blanket, generic recovery. However, they do not have the whole picture and often view systems, processes, and services as equal. They do not always understand the business interdependencies between these disparate resources. Does IT run the business, or does the business run IT? In some cases, the business relinquishes its responsibility to IT.
Who Should Perform a Business Impact Analysis?
A BIA should be performed by the business and led by senior management working with a business continuity (BC) professional. The BC professional needs three critical inputs.
- Why the organization is performing the BIA and BCP. This could be a requirement or a contractual agreement, or simply the rise of ransomware and other threats that may disrupt the business.
- Know the business. Understanding the criticality of business operations and business functions is important to BC. Which processes have the greatest impact on the survival of the company? Which functions are most susceptible to potential threats, and how vital are they to the business?
- Understand the threats. Know what could happen to your organization that could impact its critical operations.
From this information, scenarios can be built to walk through the "what ifs" that may occur. Only then can IT be engaged to understand the technical aspects of the recovery effort. This is where we determine the recovery point objective and the recovery time objective (RPO and RTO) and whether we have the technical ability to meet those objectives. Notice how late in the process IT comes in.
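The check described above, whether IT's measured recovery capability actually meets the RTO and RPO the business has set per process, is easy to make concrete. The following is an added example, not code from the article or from Foresite; the process names, criticality ranks, objectives and backup/restore figures are constructed sample values. The RPO test assumes worst-case data loss equals the interval between restorable backups, and the RTO test assumes the restore time was measured in a real DR test rather than estimated.

```python
"""Gap check between business-set RTO/RPO and IT's measured recovery capability.
Added example; process names and figures are constructed, not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    criticality: int      # 1 = most critical to the survival of the company
    rto_hours: float      # recovery time objective: maximum tolerable downtime
    rpo_hours: float      # recovery point objective: maximum tolerable data loss


@dataclass(frozen=True)
class Capability:
    backup_interval_hours: float   # worst-case age of the newest restorable copy
    restore_time_hours: float      # restore duration measured in the last DR test


def find_gaps(proc: Process, cap: Capability) -> list:
    """Return a list of human-readable gaps; empty list means objectives are met."""
    gaps = []
    # Worst-case data loss is the time since the last restorable backup.
    if cap.backup_interval_hours > proc.rpo_hours:
        gaps.append(
            f"RPO gap: backups every {cap.backup_interval_hours}h "
            f"exceed RPO of {proc.rpo_hours}h"
        )
    # Measured restore time must fit inside the tolerable downtime.
    if cap.restore_time_hours > proc.rto_hours:
        gaps.append(
            f"RTO gap: restore takes {cap.restore_time_hours}h "
            f"but RTO is {proc.rto_hours}h"
        )
    return gaps


def assess(processes, capabilities) -> list:
    """Return [(process name, gaps)] ordered most-critical first.

    A process with no documented capability is itself a gap: the business
    has set objectives that IT has not yet shown it can meet at all.
    """
    report = []
    for proc in sorted(processes, key=lambda p: p.criticality):
        cap = capabilities.get(proc.name)
        if cap is None:
            report.append((proc.name, ["no recovery capability documented"]))
            continue
        report.append((proc.name, find_gaps(proc, cap)))
    return report


# Constructed sample: objectives come from the business-led BIA,
# capabilities come from IT's backup schedule and last DR test.
PROCESSES = [
    Process("order-processing", criticality=1, rto_hours=4, rpo_hours=1),
    Process("payroll", criticality=2, rto_hours=48, rpo_hours=24),
    Process("internal-wiki", criticality=3, rto_hours=168, rpo_hours=168),
]
CAPABILITIES = {
    "order-processing": Capability(backup_interval_hours=24, restore_time_hours=8),
    "payroll": Capability(backup_interval_hours=24, restore_time_hours=12),
}

if __name__ == "__main__":
    for name, gaps in assess(PROCESSES, CAPABILITIES):
        status = "OK " if not gaps else "GAP"
        print(f"[{status}] {name}")
        for gap in gaps:
            print(f"       - {gap}")
```

Run as a script, the report flags the most critical process first, which is the point of the ordering: a nightly backup that comfortably satisfies payroll's 24-hour RPO is a 23-hour shortfall for order processing, and that difference is invisible if IT treats every system as equal.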
This analysis yields the findings and the plan needed to build or update the BCP so that the business can have confidence in it and be genuinely prepared for a potential business process failure.
As a top MSSP, we align you with the right people, skills and response solutions that help you maintain business continuity. Contact us today for more information on how to develop, implement and manage your BC/DR plan.
Marcela Denniston is a Cybersecurity Expert who has been building military-grade security operations teams since 2002. Today, she is the SVP of Marketing for Foresite Cybersecurity, where she uses her subject matter expertise to drive meaningful content and messaging that speaks to true cyber practitioners.