As organizations across all industries continue to increase their investment in Information Technology (IT), they’re relying more and more on IT to perform day to day operations. IT is vastly integrated into the backbone of almost every organization by assisting with, or even performing critical processes in an automated fashion. Due to the inherent dependence on information assets, funding related to IT Disaster Recovery and Business Continuity Planning has also increased.

An IT Disaster Recovery Plan (DRP) documents the procedures and processes that an organization will follow in the event that critical technologies experience an outage. The DRP enables the organization to continue performing regular operations without the technology, while getting the technology up and running as quickly as possible. By conducting a Business Impact Analysis (BIA), an organization can improve their current IT Disaster Recovery Plan or efficiently create a new one from scratch.

The 3 Steps of a Business Impact Analysis 

A Business Impact Analysis is a fundamental piece of an effective and comprehensive Disaster Recovery Plan. My recommended approach for developing a BIA is built upon the following three steps:

• Develop a Comprehensive Understanding of the IT Environment

In order for an organization to implement a holistic IT Disaster Recovery Plan, it is essential that the organization have a comprehensive understanding of the various information assets utilized to achieve the organization’s mission.

As part of the BIA, an organization is required to obtain a thorough understanding of the IT environment. This is accomplished by meeting with each individual business unit and determining which technologies are essential for them to perform their day to day responsibilities. By cataloging the entire IT environment, organizations are then able to ensure that their IT Disaster Recovery Plan properly includes every system necessary to maintain operations and achieve its goals.

As an ancillary benefit, during this portion of the exercise, an organization may discover potential cost savings by identifying unnecessary or duplicate technologies. 

• Identify the Critical Technologies and Processes

Once the organization has cataloged the technologies that make up the IT environment, they must then rank the technologies based upon criticality for achieving the organization’s mission and performing day to day operations. There are various ways to assess criticality, but it is important to ensure that the assessment is completed in manner that allows the users of the analysis to consistently compare technologies across the organization.

An organization can achieve this goal by establishing uniform criteria by which a technology is assessed. For example, an organization should determine how technologies affect day to day operations (i.e. operationally, financially, legally, etc.) and then use a qualitative means for measuring how critical the technology is to that part of operations. An example of this would be a simple scale of 1 to 5, with 1 being no effect at all, and 5 being absolutely necessary.

After all of the data from this portion of this exercise has been aggregated, the organization can qualitatively determine which technologies are the most and least critical for sustaining operations and achieving its mission. This allows them to confidently assign which technologies have a recovery priority in the event of a system outage.

• Establish Clear Recovery Time Objectives and Recovery Point Objectives

With critical technologies identified, in conjunction with business unit leads, users of the BIA will be able to easily identify appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):

• Recovery Time Objective (RTO) – The targeted duration of time a system can be unavailable and must be restored before unacceptable impact to operations occurs.
• Recovery Point Objective (RPO) – The maximum targeted period in which data might be lost or unrecoverable due to system unavailability.

This can be easily done using the qualitative results of the BIA. The information assets that have a higher criticality score will inherently have smaller RTOs and RPOs and will need to be recovered as soon as possible. Technologies that score low and have larger RTOs and RPOs will not have to be recovered as quickly. Once these have been established, the plan can be updated to clearly establish the order for system recovery and identify how long they have for recovery before a system has negative, drastic impact on operations.

The BIA should also identify technologies and processes that have robust downtime procedures. Downtime procedures are established procedures an organization develops and executes when a technology or system experiences an outage. This allows the underlying process the technology was supporting to continue operating while the organization works to get the system back online (i.e. a fall back paper-based model). Even if a technology is identified as critical, if the organization has already implemented strong downtime procedures, it will allow the system to have a larger RTO and RPO than a similarly ranked system that does not.

Organizations of all sizes and from all industries, can benefit greatly from conducting a Business Impact Analysis. The analysis will ultimately allow the organization to identify all of the critical technologies in use, and determine the priority in which they are recovered. Having these two invaluable pieces of information could ultimately save an organization from going under in the event of an IT disaster.

Our experienced team of Risk consulting and IT consulting professionals can help.

For a complementary review of your situation and an assessment of how to bring a Business Impact Analysis into your IT Disaster Recovery Plan, contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn.

More Insights and Guidance on Cybersecurity Issues - Click here.