Project Part 2 Task 1: Introduction and Business Impact Analysis Plan
Ronald Horne
The Business Impact Analysis (BIA) is the key tool the organization uses when developing Business Continuity Plans (BCP). The purpose of the BIA is to gather business information in an effort to understand the importance of the different functions of the organization (Johnson, 2011). It serves as the foundation on which an effective BCP can be developed and implemented. The BIA will identify and quantify business-related impacts during a loss, disruption, or interruption of processes or functions within the organization. With effective implementation, the organization will be able to recover its operations under any circumstance or condition.

Component Priority
In conducting your BIA, some limitations should be made. In order to gather the required information, you should be able to schedule interviews with each department to assess critical functions within that department. It is important to interview people who know the functions and processes of that department.

There are two methods that can be utilized to gather information on critical processes and functions. One method would be to conduct surveys among people within each business unit. Caution should be used here, as random people selected for the survey may not understand the critical functions of the business. It will, on the other hand, give some insight into what employees think is important to operations. Another method available would be to conduct interviews among people in each department. Here again, careful selection of personnel is mandatory to get an accurate depiction of those processes. Selected people must know the processes and functions that are critical for operations.

If the decision is made to conduct interviews, the BIA team lead should generate a list of common questions such as (Fisher, n.d.):
* What does your department do? What tools do you need to manage your department? If those tools were removed, could you perform your functions? Do you have an alternative solution?
* What is considered a disaster in your area of responsibility?
* Can you survive without IT infrastructure such as computers, databases, software, or phone service?
* Do you rely on other departments for information or tools for your job function?

In my opinion, the best method would be to establish a BIA team and conduct a meeting to discuss critical processes and functions. Meeting this way will help leverage the processes across all departments and how they rely on each other. Once information is gathered, the BIA team should analyze the results and begin ranking the criticality of those processes. It is important to remember that ranking and prioritizing should come from a business standpoint. It should not be derived from what individuals believe is important to their department.

Once critical functions and processes have been determined, the BIA team is then charged with assigning Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to each function. RTOs are generally tiered by their level of criticality. It is important to assign appropriate RTOs and RPOs that meet business practices (Linking Disaster Recovery Time Objectives to Business and Compliance Requirements, n.d.). As an example, the RTOs could be classified as:

Tier 1 – Fault tolerant with no impact on the users. If the system goes down, a built-in recovery plan gets implemented with no data loss.
Tier 2 – RTO is set to meet a 24-hour time window. At this level, organizations will need to have alternative solutions and equipment required to bring systems back online.
Tier 3 – RTO is set to meet a 48-hour time window. This level generally applies to companies with off-site locations, such as a data center, where operations can be shifted to the alternate site.
Tier 4 – RTO of 2 to 7 days to recover. At this level, hardware and software application may be...
References:
Fisher, P. (n.d.). How to Conduct a Business Impact Analysis. Disaster Recovery Journal. Retrieved May 23, 2015, from www.drj.com/article-archives/risk-analysis/how-to-conduct-a-business-impact-analysis.html
Johnson, R. (2011). Data Classification/Handling and Risk Management. Security policies and implementation issues (p. 278). Sudbury, Mass.: Jones & Bartlett Learning.
Linking Disaster Recovery Time Objectives to Business and Compliance Requirements. (n.d.). Sun Microsystems. Retrieved May 24, 2015, from www.dewpoint.com/files/linking_Desaster_Recovery_Time_