The reason that every business should include a business impact analysis is that it’s a part of any thorough plan to minimize risk. All businesses can be disrupted by accidents and emergencies. These can include a failure of suppliers, labor disputes, utility failures, cyber-attacks, not to mention natural or man-made disasters.
It is not ideal to produce a response when one is in the midst of a crisis; a smart business has already prepared for these risks. A response created in dire straits will likely be arbitrary or random, and it will almost certainly be less effective.
With the due diligence of a business impact analysis in hand, a business has a well-thought-out plan of action to recover from adversity. It gives management more confidence in their decisions and judgments when responding to these events.
The business impact analysis with allocation instructions will prioritize which operations need immediate recovery and which can wait. It also provides a set of criteria to test the recovery plans. Furthermore, it should identify lost income from the disruption, higher costs the business is likely accrue if there will be any expenditure on fines and penalties, and the erosion of the business’ reputation and customer base.
All this information is critical to a business’ success. Problems are part of the business landscape, and ignoring the possibility of some disruption to process threatens solvency and long-term survival.
While there is no set way to conduct a business impact analysis, in general the process follows the path outlined below.
The first step is to initiate the process by getting approval from senior management for the project. To begin, define the objectives, goals and scope of the business impact analysis. It should be clear about what the business is seeking to achieve.
Then it’s important to form a project team to execute the business impact analysis. This can be existing staff, as long as they know how to conduct a business impact analysis. But this team can be outsourced to a team that is skilled in this process if the business doesn’t have people for this task.
The next step is getting the information collected that you need to make the analysis. This data can be gathered in a number of ways, from interviews to a business impact analysis questionnaire, which is the most common tool.
The questionnaire is a detailed survey that has been developed by the business impact analysis team and has targeted questions that have been designed to get answers that will assess the potential effect of a disruption to the business.
People that should be interviewed or given the questionnaire include managers, team members, supervisors and others knowledgeable about the processes of the business. It can also include business partners and those working outside the organization but in close enough to have possible insight. In otherwords, consider who your stakeholders are.
The information you collect for your BIA report should include the following:
· The name of the process
· A detailed description of where the process is performed
· All the inputs and outputs in the process
· Resources and tools that are used in the process
· The users of the process
· The timing
· The financial and operational impacts
· Any regulatory, legal or compliance impacts
· Historical data
All this collected data must be documented and reviewed. Then comes the analysis of the information. This can be automated by computer or done manually, depending on which is easier for the business and more reliable and practical in terms of formulating a conclusion.
This review will accomplish multiple objectives: it will create a prioritized list of business functions or processes; it will identify the human and technology resources needed to maintain an optimal level of operations; it will establish a recovery timeframe in which to recover the process or function and return it to normal.
After this, you’ll want to document the findings. This is when the business impact analysis report is prepared. While the format is not regulated it often follows the following structure:
· Executive summary
· Objectives and scope
· Methodologies used to gather data and evaluation
· Summary of findings
· A detailed finding on each department of the business (including their most crucial processes, impact of disruption, acceptable duration of disruption, tolerable level of losses, cost of recovery, etc.)
· Supporting documents and
· Recommendations for recovery.
This document will then be presented to management. The decision on how to proceed is in the hands of senior management, so they’re the ones who will get the report. Note that the business impact analysis is not set in stone. Technology, tools and processes change, and the business impact analysis must evolve with them.