As organizations across all industries continue to increase their investment in Information Technology (IT), they’re relying more and more on IT to perform day to day operations. IT is vastly integrated into the backbone of almost every organization by assisting with, or even performing critical processes in an automated fashion. Due to the inherent dependence on information assets, funding related to IT Disaster Recovery and Business Continuity Planning has also increased.
An IT Disaster Recovery Plan (DRP) documents the procedures and processes that an organization will follow in the event that critical technologies experience an outage. The DRP enables the organization to continue performing regular operations without the technology, while getting the technology up and running as quickly as possible. By conducting a Business Impact Analysis (BIA), an organization can improve their current IT Disaster Recovery Plan or efficiently create a new one from scratch.
The 3 Steps of a Business Impact Analysis
A Business Impact Analysis is a fundamental piece of an effective and comprehensive Disaster Recovery Plan. My recommended approach for developing a BIA is built upon the following three steps:
Develop a Comprehensive Understanding of the IT Environment
In order for an organization to implement a holistic IT Disaster Recovery Plan, it is essential that the organization have a comprehensive understanding of the various information assets utilized to achieve the organization’s mission.
As part of the BIA, an organization is required to obtain a thorough understanding of the IT environment. This is accomplished by meeting with each individual business unit and determining which technologies are essential for them to perform their day to day responsibilities. By cataloging the entire IT environment, organizations are then able to ensure that their IT Disaster Recovery Plan properly includes every system necessary to maintain operations and achieve its goals.
As an ancillary benefit, during this portion of the exercise, an organization may discover potential cost savings by identifying unnecessary or duplicate technologies.
Identify the Critical Technologies and Processes
Once the organization has cataloged the technologies that make up the IT environment, they must then rank the technologies based upon criticality for achieving the organization’s mission and performing day to day operations. There are various ways to assess criticality, but it is important to ensure that the assessment is completed in manner that allows the users of the analysis to consistently compare technologies across the organization.
An organization can achieve this goal by establishing uniform criteria by which a technology is assessed. For example, an organization should determine how technologies affect day to day operations (i.e. operationally, financially, legally, etc.) and then use a qualitative means for measuring how critical the technology is to that part of operations. An example of this would be a simple scale of 1 to 5, with 1 being no effect at all, and 5 being absolutely necessary.
After all of the data from this portion of this exercise has been aggregated, the organization can qualitatively determine which technologies are the most and least critical for sustaining operations and achieving its mission. This allows them to confidently assign which technologies have a recovery priority in the event of a system outage.
Establish Clear Recovery Time Objectives and Recovery Point Objectives
With critical technologies identified, in conjunction with business unit leads, users of the BIA will be able to easily identify appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):
- Recovery Time Objective (RTO) – The targeted duration of time a system can be unavailable and must be restored before unacceptable impact to operations occurs.
- Recovery Point Objective (RPO) – The maximum targeted period in which data might be lost or unrecoverable due to system unavailability.
This can be easily done using the qualitative results of the BIA. The information assets that have a higher criticality score will inherently have smaller RTOs and RPOs and will need to be recovered as soon as possible. Technologies that score low and have larger RTOs and RPOs will not have to be recovered as quickly. Once these have been established, the plan can be updated to clearly establish the order for system recovery and identify how long they have for recovery before a system has negative, drastic impact on operations.
The BIA should also identify technologies and processes that have robust downtime procedures. Downtime procedures are established procedures an organization develops and executes when a technology or system experiences an outage. This allows the underlying process the technology was supporting to continue operating while the organization works to get the system back online (i.e. a fall back paper-based model). Even if a technology is identified as critical, if the organization has already implemented strong downtime procedures, it will allow the system to have a larger RTO and RPO than a similarly ranked system that does not.Talk to Freed Maxick About Disaster Recovery Plans and Business Impact Analysis
Organizations of all sizes and from all industries, can benefit greatly from conducting a Business Impact Analysis. The analysis will ultimately allow the organization to identify all of the critical technologies in use, and determine the priority in which they are recovered. Having these two invaluable pieces of information could ultimately save an organization from going under in the event of an IT disaster.
For a complementary review of your situation and an assessment of how to bring a Business Impact Analysis into your IT Disaster Recovery Plan, contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn.
More Insights and Guidance on Cybersecurity Issues - Click here.View full article
SWOT Analysis Looks at Borrowers’ Strengths and Weaknesses
Author: Paul R. P. Valera, CPA, MBA, Senior Field Examiner
The best lenders understand the strengths, weaknesses, opportunities and threats (also known as “SWOT”) of their clients and prospects. The analysis can also play a critical role in due diligence, in addition to assisting borrowers identify opportunities to make improvements or better respond to external threats.
Here’s how a client’s SWOT analysis can asset based lenders make better lending decisions.
Unearthing the source of each strength
A SWOT analysis begins with identifying strengths and weaknesses from your customers’ perspective. Strengths typically represent potential areas for building value and boosting revenues. These may be competitive advantages or core competencies. Examples might include a loyal customer base, a strong brand image, or an established customer list.
It’s critical to unearth the source of each strength. Some are tied to the company’s owners or key employees, such as an older partner with influential standing in the business community and an impressive client list. This is especially common among professional practices, such as accounting, advertising or law firms. But retailers and manufacturers may rely on key people, too.
When strengths are tied to people, rather than the business itself, you need to consider what might happen if a key person were to suddenly leave the business. Ask whether the borrower has non-complete contracts, key person life insurance, a buy-sell agreement, or a formal succession plan to transition management to the next generation.
Weaknesses represent potential risks and should be eliminated or minimized. Often they are evaluated in relation to the company’s competitors. Weaknesses might include weak internal controls, high employee turnover, unreliable quality or a location with poor accessibility.
Of course, all businesses have an Achilles’ heel. But when a borrower reports the same weaknesses every year, it’s cause for concern. It’s not enough to simply recognize a weakness — the borrower needs to take corrective action.
For example, one borrower decided to boost its weak sales force with a headhunter to acquire new talent, Dale Carnegie sales training classes to inspire the staff, and a new-and-improved commission structure. Within just a few months, the business’s year-to-date sales were up 35%. And the borrower now lists its salesforce as a strength, not a weakness.
The second part of a SWOT analysis looks externally not only at what’s happening in the industry, but also with the economy and regulatory environment. An opportunity could be favorable external conditions that might increase revenues and value if the company acts on them quickly.
For example, a pharmaceutical company responded to emerging health care legislation and the aging baby boomer demographics by purchasing smaller medical device and generic drug manufacturers. Both the acquirer and its targets have acted on favorable external opportunities with a roll-up to improve their financial positions.
As you can imagine, threats are unfavorable conditions that can prevent an unwary borrower from achieving certain goals. Threats arise from the economy, competition, technological changes and increased regulation. It’s critical to watch for and minimize any existing and potential threats.
Hospitals and doctors, for example, are keeping a close eye on health care reform legislation, because it threatens to lower their billing and collection rates from private and public sources. Many physicians are banding together to improve bargaining power and achieve economies of scale.
How about your customers?
If your customers haven’t completed an in-house SWOT analysis, it’s time to do it. SWOT is a proven management tool that’s been taught at business schools around the world. Strong borrowers will say “yes!” immediately and discuss the results. But you may need to encourage your weaker, less experienced borrowers to tackle the analysis. The end result, however, will enlighten them.
A SWOT analysis is typically presented as a matrix (see the chart), and provides a logical framework for understanding how a business operates. It can not only tell what a borrower is doing right (and wrong), but it can predict how outside forces can impact cash flow in a positive (or negative) manner.
Business owners love their work and typically don’t want to hear that their businesses aren’t operating at peak performance. So, if you have concerns about a risky borrower, suggest they do a SWOT analysis. It can be an objective forum for discussing sensitive or negative issues.
Don’t put it off
As you know, due diligence can be a daunting task. And no single approach works for every customer. But a well-executed SWOT analysis can provide a method to the madness.
If you have any questions about SWOT analysis or any other asset based lending issue, give us a call at 716.847.2651, or you may contact us here.