Business impact analysis (BIA) is an important exercise when developing a business continuity plan. The first step in BIA is to identify critical business activities. Describe in your own words what you think critical activities are and give two (2) examples of such critical activities of a supercomputing centre which provides services to registered users via the Internet.
Suppose the BIA team of the supercomputing centre is determining the recovery time objective (RTO) of a critical activity that will need to be recovered at an offsite facility due to a natural disaster. The company has determined how the impact due to ceasing of this activity depends on recovery time. The centre has also obtained quotes from offsite facility providers which allow the company to derive the relationship between the cost and recovery time. Suggest how they should determine the RTO value based on the above information.
Discuss how the RTO value may be revised if additional requirements are also given. Your answer must contain examples to support your argument.
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster.
For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.
Elements of business impact analysis
1. Executive Sponsorship
The most efficient and effective way to get management support is to ensure there is communication from the top down. Executive backing gives you the clout you need to get cooperation and priority with other departments within the organization.
2. Understand the Organization
Company’s organizational structure, divisions and departments to find key contacts or subject matter experts who can help you identify and learn about the processes that will be impacted by a disaster. It may tell that, Business Impact Analysis unless you have identified all the critical business functions and processes your company performs.
3. Business Impact Analysis Tools
Business Impact Analysis tools are the core of a successful analysis. These tools come into play after you have completed your review of the business and understand what part each process, function and system plays in the overall day-to-day operations.
4. Business Impact Analysis Process
For the critical functions, gather detailed information about how each is performed, who performs it, and the operational and financial impact of interruption to each on the first day of interruption.
5. Business Impact Analysis Findings
The final element of a Business Impact Analysis is to confirm and present the findings. Confirm your findings with department managers or key personnel to ensure that what you have determined is accurate and realistic. Present your BIA findings to the executive management team to gain approval to use the findings to develop business recovery strategies.
RTOs represent the amount of time an application can be down and not result in significant damage to a business and the time that it takes for the system to go from loss to recovery.
RTOs are used to measure how much time it takes after the disaster for the IT department to recover the data. For their assessment basis, RTOs represent the overall needs of your business and determine how long your business can survive without IT infrastructure and services. RTOs first need to be aligned with what’s possible by your IT department. IT administrators need a strong comprehension of the different types of restore speeds to calculate an RTO that meets the needs of the business. For example, an RTO of one hour can’t be met if the minimum possible restore time is two hours.
Example of an RTO
Granular item recovery is one example of an RTO. For this example, a user at a busy company deletes an important email and empties the trash folder. This company uses Microsoft Exchange as a business-critical application and its IT department perpetually backs up delta-level changes in Exchange along with a backup app that features granular backup and recovery. This feature allows the IT department to quickly retrieve the important email in about five minutes instead of restoring a full virtual machine for only one email.
Business impact analysis and risk assessment are two important steps in a business continuity plan. A BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance.
A risk assessment identifies potential hazards such as a hurricane, earthquake, fire, supplier failure, utility outage or cyber attack and evaluates areas of vulnerability should the hazard occur. Assets put at risk include people, property, supply chain, information technology, business reputation and contract obligations. Points of weakness that make an asset more prone to harm are reviewed. A mitigation strategy may be developed to reduce the probability that a hazard will have a significant impact.