"Are we just checking off boxes with regulators, or were there actual benefits in performing a business impact analysis (BIA)?"
It's the type of question we love to hear from our clients because it means that they genuinely engaged in their Information Security Program and that they care more about the quality of the work and less about just getting it done for regulators.
It also means that we got to have a worthwhile conversation about the numerous benefits of the BIA, which we turned into this blog post, because we know that many financial institutions are asking themselves the same question, even if they're not saying it out loud.
What is Business Impact Analysis?
As the name implies, the BIA is an assessment of the impact that losing each of the systems and assets important to your financial institution would have on the business. Specifically, we consider how the loss of each system would affect your operations. The end result is a prioritized list of your assets, from the one that matters most down to the one that matters least.
What should a BIA include?
Although this can vary, for simplicity's sake, we like to see the following, at a minimum:
- Maximum Tolerable Downtime (MTD) - This is the longest that a given asset can be down before you experience significant financial impact to the business.
- Recovery Point Objective (RPO) - This is the amount of data you can stand to lose on each system. An example would be: if you perform nightly backups at 8pm and your server crashes at 2pm the next day, everything entered since 8pm the previous evening (18 hours of work) is gone and will have to be recovered manually. As management, your job is to decide whether that is acceptable.
- Interdependencies - This is a rating of how dependent other systems are on the given asset. This is important because some systems, while not inherently impactful by themselves, are critical to the business because of the number of other systems that depend on them to function properly (a perfect example of this is your internal network).
- Overall Impact - A prioritized ranking of what is most important to your business.
So what are the benefits of a Business Impact Analysis?
At the end of the day, your BIA should be the starting point for your Business Continuity or Disaster Recovery Plan (for the purposes of this post we'll just collectively refer to both as the 'BCP'). It is beneficial to the BCP in the following ways:
- Recovery Procedures - The BCP should include recovery procedures for all the systems listed in your BIA (or at least your highest-impact items). If this isn't the case, start with your highest overall impact assets and work your way down. Use the prioritization of the BIA to provide clarity on where you can improve the BCP.
- Order of Recovery - The worst scenario in a disaster is everyone working on their own thing with no real direction, IT staff in particular. In a true recovery situation, you want a predefined list of what is most important, so everyone is on the same page. The BIA accomplishes that for you. Because the BIA is set by management, you can use the prioritized Overall Impact ranking to document an "Order of Recovery" list in your BCP. Communicate this list to IT staff and contractors and be very clear about how important it is. Make sure they understand that they shouldn't be working on #17 until 1-16 are complete (or close to it).
- Prioritize your BCP Testing - The BIA should be the starting point for deciding which areas you'll test in your BCP. One idea might be to test critical assets annually and high assets every 18 months.
- Measure BCP Testing Effectiveness - The Business Impact Analysis also provides the measuring stick with which to evaluate BCP testing. Compare the recovery time achieved in each test to the maximum tolerable downtime established in the BIA. If your test recovery takes longer than the MTD, you need to re-evaluate and make improvements to your BCP.
- Check your Backup Rotation - Do your backups actually achieve the desired recovery point objective? The BIA can be the go-to reference for IT staff when setting backup schedules and rotations.
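The BIA fields above (MTD, RPO, interdependencies, overall impact) and the three BCP checks they feed (order of recovery, test recovery time against MTD, backup rotation against RPO) are simple enough to put in a script. The following is an added example written for this post, not a tool from the original article or from any vendor: it ranks a constructed, hypothetical set of assets by standalone impact plus the number of systems that depend on them, derives an order of recovery that never schedules a system before its dependencies, and then grades a (constructed) BCP test against the BIA. Asset names, scores and the backup schedules are all assumptions made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    mtd_hours: float                 # Maximum Tolerable Downtime, set by management
    rpo_hours: float                 # Recovery Point Objective (acceptable data loss)
    impact: int                      # standalone impact, 1 (low) .. 5 (critical)
    depends_on: List[str] = field(default_factory=list)
    backup_hours: List[int] = field(default_factory=list)  # hours of day backups run


# Constructed sample BIA for a hypothetical institution (assumed values, not real data).
ASSETS: Dict[str, Asset] = {
    "network": Asset("internal network",   4,  24, 3, [],                  [2]),
    "core":    Asset("core banking",       8,   1, 5, ["network"],         list(range(24))),
    "online":  Asset("online banking",    12,   4, 4, ["network", "core"], [20]),
    "email":   Asset("email",             48,  24, 2, ["network"],         [20]),
    "wiki":    Asset("intranet wiki",    240, 168, 1, ["network"],         [20]),
}

# Constructed result of a tabletop/recovery test: hours each system took to restore.
# The wiki was not exercised at all in this test.
TEST_RESULTS: Dict[str, float] = {"network": 2, "core": 10, "online": 6, "email": 20}


def dependents(assets: Dict[str, Asset], key: str) -> set:
    """Keys of every asset that depends on `key`, directly or transitively."""
    found, stack = set(), [key]
    while stack:
        cur = stack.pop()
        for k, a in assets.items():
            if cur in a.depends_on and k not in found:
                found.add(k)
                stack.append(k)
    return found


def overall_impact(assets: Dict[str, Asset], key: str) -> int:
    """Management's standalone impact plus one point per system that needs this one."""
    return assets[key].impact + len(dependents(assets, key))


def order_of_recovery(assets: Dict[str, Asset]) -> List[str]:
    """Highest overall impact first (shorter MTD breaks ties), never before its dependencies."""
    remaining, order = dict(assets), []
    while remaining:
        ready = [k for k, a in remaining.items() if all(d in order for d in a.depends_on)]
        if not ready:
            raise ValueError("unresolvable dependencies among: " + ", ".join(sorted(remaining)))
        nxt = max(ready, key=lambda k: (overall_impact(assets, k), -assets[k].mtd_hours))
        order.append(nxt)
        del remaining[nxt]
    return order


def worst_case_data_loss_hours(backup_hours: List[int]) -> float:
    """Longest gap between consecutive daily backups, i.e. the most work a crash can lose."""
    if not backup_hours:
        return float("inf")
    hours = sorted(h % 24 for h in backup_hours)
    gaps = [b - a for a, b in zip(hours, hours[1:])]
    gaps.append(24 - hours[-1] + hours[0])  # wrap-around gap across midnight
    return max(gaps)


def data_loss_at(backup_hours: List[int], crash_hour: int) -> float:
    """Hours of work lost if the system crashes at `crash_hour` (0-23)."""
    if not backup_hours:
        return float("inf")
    return min((crash_hour - h) % 24 for h in backup_hours)


def evaluate_bcp_test(assets: Dict[str, Asset], test_hours: Dict[str, float]) -> List[str]:
    """Grade a BCP test against the BIA: recovery time vs MTD, backup gap vs RPO."""
    findings = []
    for key, asset in assets.items():
        actual: Optional[float] = test_hours.get(key)
        if actual is None:
            findings.append(f"{asset.name}: not exercised in this test")
        elif actual > asset.mtd_hours:
            findings.append(f"{asset.name}: recovered in {actual}h, exceeds MTD of {asset.mtd_hours}h")
        loss = worst_case_data_loss_hours(asset.backup_hours)
        if loss > asset.rpo_hours:
            findings.append(f"{asset.name}: worst-case data loss {loss}h exceeds RPO of {asset.rpo_hours}h")
    return findings


if __name__ == "__main__":
    print("Order of recovery:")
    for i, key in enumerate(order_of_recovery(ASSETS), 1):
        print(f"  {i}. {ASSETS[key].name} (overall impact {overall_impact(ASSETS, key)})")
    print(f"Nightly 8pm backup, crash at 2pm: {data_loss_at([20], 14)}h of data lost")
    print("Test findings:")
    for f in evaluate_bcp_test(ASSETS, TEST_RESULTS):
        print("  -", f)
```

The internal network ends up first even though its standalone score is lower than core banking's, because four other systems cannot come back until it does; that is the interdependency point from the BIA list made concrete. The test grading shows both failure modes a reviewer looks for: a system restored slower than its MTD, and a backup schedule that cannot meet the RPO management signed off on, regardless of how fast the restore was.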
Conclusion
Although the Business Impact Analysis can feel like you are just checking boxes, it has a ton of value. Going through the exercise with your management team can be helpful in aligning the team on what is important to your business. It is also a great tool for IT staff and anyone involved in business continuity planning.
If your Business Impact Analysis needs updating, we're your resource! We can walk you through the process of updating your BIA, using it in your BCP, and even perform tabletop testing to make sure it's all working together like a well-oiled machine.