Information Technology Reference
In-Depth Information
Business Impact Analysis (BIA)
A business impact analysis involves the identification of processes that
are critical to organizational operations, as well as identification of the
relative criticality and urgency for the return of each process. A bad joke I
have heard many times is the suggestion that “Everything's important, so
combine it all and do it at once.” In both COO and DR states, prioritiza-
tion of recovery activities is mandatory if chaos is to be avoided. The BIA
identifies organizational processes at a high level, with greater resolution
addressing requirements for recovery (services, servers, equipment, etc.)
later. Many times, conducting a BIA to address technology requirements
for recovery will also involve identification of many nontechnology func-
tions and practices necessary as well, allowing the BIA to return value for
time spent in many ways at once.
Like any project (limited term, specific goal), objectives developed
during the BIA should be specified in terms of time. The 8/80 rule is
a useful tool for breaking up recovery into work periods of between 8
and 80 hours, though recovery objectives might be expressed in work
periods of one hour, one day, one week, or whatever is deemed appro-
priate by the planning committee and senior stakeholders. Priority for
recovery actions should be based on business need, except where the
order of service recovery is mandated by function (for example, the
authentication service must be up before the database server can be
returned to service).
For each identified business process, recovery objectives (targets and
guidelines, not mandates because all plans must be flexible and able to
change to meet emerging conditions) should be established for acceptable
completion term and span of data loss:
•
Recovery point objective (RPO)
—This measure is used to develop
backup strategies for data. It identifies how far back it is acceptable
to lose data from the point of failure or loss. Weekly backups, for
example, fulfill only RPOs of one week or longer.
•
Recovery time objective (RTO)
—This measure identifies how
long the business process can be unavailable. Service-level agree-
ments, contracts, and other factors both tangible and intangible will
influence this determination. For high-utilization e-business sites,
RTOs may be expressed in terms of minutes before unacceptable
losses occur.
