The Bedel Security Blog

What Benefit is there in a Business Impact Analysis?

Written by Chris Bedel | Aug 14, 2017

 

So what Benefit is there in a Business Impact Analysis?

We were asked that question by a very savvy bank president.  It's a good question.  They wanted to know if they were just checking off boxes with regulators, or were there actual benefits in performing a business impact analysis (BIA).

It's the type of question we love to hear from our clients because it means that they actually care about the work we are doing and that they want to be smart about the work that's being done.  And asking the question meant that we got to have the conversation on the numerous benefits from the BIA.

We made a blog post out of the response because we know that many bank presidents are asking the same question, even if they're not saying it out loud.

 

What is Business Impact Analysis?

As the name implies, the BIA is an assessment on the impact of the various systems and assets that are important to your financial institution.  Specifically, we want to consider how the loss of each system could affect your business.  The end result is that we have a prioritized list of what is most important to you down to the least.

 

What should a BIA include?

Although this can vary, for simplicity's sake, we like to see the following, at a minimum:

  • Maximum Tolerable Downtime (MTD) - This is longest that a given asset can be down before you experience significant financial impact to the business

  • Recovery Point Objective (RPO) - This is the amount of data you can stand to lose on each system.  An example would be: if you perform nightly backups at 8pm everyday, and your server crashes at 2pm, you will have to manually recover everything back to 8pm of the previous day.  As management, your job is to decide if this is acceptable.

  • Interdependencies - This is a rating of how dependent other systems are on the given asset.  This is important because some systems, while not inherently impactful by themselves, are critical to the business based on the number of other systems that depend on it to function properly.  (a perfect example of this is your internal network)

  • Overall Impact - a prioritized ranking of what is most important to your business

So what are the benefits of a Business Impact Analysis?

At the end of the day, your BIA should be the starting point for your Business Continuity Plan or Disaster Recover Plan (for the purposes of this post we'll just collectively refer to both with 'BCP').  It is beneficial to the BCP in the following ways:

  • Recovery Procedures - The BCP should include recovery procedures for all the systems listed (or at least your highest impact items) in your BIA.  If this isn't the case, start with your highest overall impact assets and work your way down.  Use the prioritization of the BIA to provide clarity on where you can improve the BCP
  • Order of Recovery - The worst scenario in a disaster is where everyone working on their own thing with no real direction, specifically IT staff.  In a true recovery situation, you want a predefined list of what is most important, so everyone is on the same page.  The BIA accomplishes that for you.  Because the BIA is set by management you can use the prioritized Overall Impact ranking to document an "Order of Recovery" list in your BCP.  Communicate this list to IT staff and contractors to be very clear on how important this list is.  Make sure they understand that they shouldn't be working on #17 until 1-16 are complete (or close).
  • Prioritizes your BCP Testing - The BIA should be the starting point for what areas you'll be testing in your BCP.  One idea might be to test critical assets annually, and high assets every 18 months.

  • Helps Measure BCP Testing Effectiveness - The Business Impact Analysis also provides the measuring stick with which to evaluate BCP testing effectiveness.  You can do this by comparing test recovery times to the maximum tolerable downtime established in the BIA.  If your test recovery takes longer than the MTD, then you need to re-evaluate and make improvements to your BCP.
  • A Rational Approach to your Backup Rotation - Do your backups achieve the desired recovery point objective?  The BIA can be the go to for IT staff to set backup schedules and rotations.

Conclusion

Although the Business Impact Analysis can feel like you are just checking boxes, it has a ton of value.  Going through the exercise with your management team can be helpful in aligning the team in what is important to your business.  It also is a great tool for IT staff and anyone involved in business continuity planning.

The biggest thing to remember is to make time for your BIA and BCP process annually. If you find yourself rushing through it, chances are it won't be very effective. Our ISP Tasklist can help you stay on top of projects and deadlines so you can be sure you're making enough time for them. Get your free ISP Tasklist here.

If you found this article helpful, you can get content like this delivered to you weekly via our newsletter. Sign up below!

 

Sign up for our weekly newsletter