Business Impact Analysis - Essay Example

?BUSINESS IMPACT ANALYSIS Business Impact Analysis Affiliation Introduction This paper discusses some of the important aspects of business impact analysis. Business impact analysis (BIA) is believed to be most critical element of a company’s business continuity plan for the reason that it consists of a tentative module to make known a wide variety of threats and risks, as well as a planning module to plan and implement policies to deal with these threats and risks. Additionally, at the end of this analysis a report is generated that is known as a business impact analysis report. This report contains the list of possible threats and risks particularly for a specific firm. In this scenario, BIA is based on a critical assumption and that is every area and task of a company depends on the continuous working of every other task; however some tasks are more critical and important than others as well as need a greater investment following a failure. In addition, the BIA also determines the expenditures associated with losses, for instance substitution of equipment or machinery, loss of cash flow, loss of income, funds paid to pull alongside a backlog of work, and so on. Moreover, a BIA report also determines the significance of business tasks and processes as well as recommends suitable financial support for actions to look after them. In this scenario, BIA determines the possibilities of breakdowns or losses in terms of their influence on business revenue, safety and security, marketing and advertising, compliance, legal aspects and quality assurance. Hence, BIA can be considered as the backbone of the whole business continuity plan or, as a minimum, it should be managed and controlled in the approved manner. In fact, a well-planned and well-executed BIA can formulate the differentiation between a strong, completely developed business continuity plan, and an ordinary one (Rouse, 2005; FEMA, 2012; SORM, 2012). Methods for Establishing Component Priorities A company can prioritize its functions and components on the basis of their criticality. In this scenario, critical applications and systems are used in the processing of sensitive information. In addition, the applications and systems that an organization uses to process sensitive information can be prioritized as: Critical: Critical business applications and systems are believed to be the highest priority functions for the reason that they have highest impact on an organization’s potential and processes for recovery. Additionally, human resources of an organization are fully aware of these critical processes within their department. In addition, the solution is to collect all necessary information and build up a complete look at their critical applications and process from the company’s point of view. For instance, they should determine that what applications and processes must be present for their organization to run a business? Hence, these processes must be recovered to sustain as close to regular operation as possible. In this scenario, the highest permissible time limit is determined in hours (Pabrai, 2013; ttgtMedia, 2007). Essential: Every organization has some functions which lie between critical and important, hence for these business functions organizations can decide to make use of a central kind that can be acknowledged as “vital” or “essential.” Though, it is difficult to distinguish between critical and vital functions but an organization can choose that certain processes are completely critical and others are very significant and they should be handled soon after the critical processes. In this scenario, vital business processes can comprise several business aspects such as payroll, which is not a critical business function in terms of being capable of getting the business support and operating right away however these functions can be significant to the organization’s capability to work further than the disaster recovery phase. These business processes should be recovered immediately when resources turned out to be available. In this scenario, the highest permissible time limit is determined in days (Pabrai, 2013; ttgtMedia, 2007). Necessary: Necessary functions are those which might not affect the company in the short term however they can have a long-term effect on the business performance if they are absent or eliminated. In fact, in the absence of these business functions an organization can face serious disturbance. Additionally, they can be related to some economic or legal consequences as well as they can also be related to access across business systems and functional areas. These processes should be recovered immediately after business resumes to a normal processing environment. In addition, data must be gathered and stored for later processing. Desirable: Desirable functions include those processes that have been created and maintained over time with the purpose of addressing minor, chronic problems or issues. An organization can recover these business processes after all the other processes. The majority of business organizations build a large number of business processes that should at some stage be analyzed, updated, and sometimes eliminated, however that hardly ever takes place all the way through normal business functions because of more demanding work. In addition, these functions can be stopped throughout the emergency (Pabrai, 2013; ttgtMedia, 2007). Recovery Time Frameworks There are various recovery time frameworks for instance Maximum Tolerable Downtime (MTD), which is the utmost time an organization can bear the unavailability or failure of a specific business process. Additionally, the maximum tolerable downtime caries from function to function and it depends on the criticality of the business functions. For instance, the MTD for critical functions should be less however it can be greater for desirable functions. There is another timeline framework that is known as Recovery Time Objective (RTO), which is the time that a company has to recover from failure. However, it is believed to be an element of the MTD. There is another timeline framework and that is known as Recovery Point Objective (RPO). It is the amount of data loss that can be tolerated by a critical business systems (ttgtMedia, 2007). Methods for Determining Component Reliance and Dependencies It is essential for the organizations that they keep in mind to obey rules and regulations for instance the Sarbanes-Oxley or Health Information Portability and Accountability Act (HIPAA) and pass these requirements to evidently recognize all the components and processes. Without a doubt, business continuity plan for an organization completely takes into consideration the time and resources required to determine the critical processes first, essential function's second. In this scenario, an organization can postpone addressing desirable and necessary business processes until subsequent stages of its business recover. However, the majority of business organizations classifies these four categories and determines the duration for when each of these classes of business processes will be resumed following a business disturbance (Pabrai, 2013; ttgtMedia, 2007). A corporate-wide business continuity plan should be established to stop the disturbance of standard processes and ensure continuation of company procedures in a timely way. In addition, the organization should implement a strategy for responding against disaster, comprehensive back-up processes, and post-disaster improvement. In fact, all the organizations should set up a wide-ranging business continuity plan in spite of whether they carry out their business activities within or outsource their management to a service supplier (FEMA2, 2012; honor, 2006). Given below are some of the common business processes that should be considered in the BIA: 1. Facilities and security related functions 2. Financial aspects 3. Human resources 4. Information Technology functions and systems 5. Legal/Compliance/Standards/Rules and Regulations 6. Production (assembly and delivery) 7. Sales, Advertisement and Marketing 8. Operations Management 9. Research and Development 10. Warehouse (Inventory, Shipping, Order processing, Receiving) These functions can depend on each other. An organization must think about the inputs and outputs of a specific function. For instance, in case of information technology functions the organization must think what other functions are dependent on information technology departments. The majority of organizations depends on information technology to control their business processes. However, this dependence can be determined from the criticality of a business function. An organization can easily decide whether a function is critical or desirable. For instance, if a business function is critical so other functions of an organization can be dependent on this critical function (ttgtMedia, 2007). In this scenario, an organization must keep in mind major business functions that take place in each functional area. Once these functions are successfully documented then they should be assigned a criticality rating. In addition, the company should also need to document reliance and dependence of each function along with key positions, skills, and knowledge in these functional areas. For instance, what business areas and processes will be affected any of the data servers or information system fails? What alternative would be taken in order to keep the company going? The solution is to document all the business functions and inputs and outputs of the functions. What other functions are associated with certain function (ttgtMedia, 2007). Human Resource related Aspects Various human related aspects should also be considered by the organization. For instance, who will lead the organization if the head of the organization injures. In addition, what skills or knowledge would be required for provisionally (or permanently) replacing the head or manager in the aftermath of a business disruption? In fact, these human factors should also be considered along with the important business areas and processes. In addition, when an organization undergoes some kind of natural disaster, its human resources will be full of activity trying to accomplish a wide variety of tasks (ttgtMedia, 2007). Financial Functions Financial aspects of an organization are believed to critical business processes. It is essential for the firm that finance, accounting and reporting related processes should be effectively analyzed and reviewed. In fact, there are a number of interdependencies in financial processes that cross over into other functions such as marketing, human resources, IT, sales and operations. As discussed above, it should be documented that if some of the central information systems fail, which business functions would be affected? In addition, which other functions and processes should get support and executing first with the intention of keeping the business going? (ttgtMedia, 2007) Recommendations for the Development of the BIA The business impact analysis should recognize the financial and operational influences outcomes from the interference of company processes and procedures. Influences to consider comprise (FEMA, 2012; FEMA2, 2012): Authoritarian fines Loss of sales and income Increase in operating costs Delay in new company plans Contractual consequences or loss of contractual extras Clients defection and dissatisfaction In addition, once business processes and practices have been appraised and prioritized, the BIA should recognize the possible influences uncontrolled, non-specific proceedings on these business processes and procedures. In addition, non-specific actions and processes should be recognized with the intention that the administration could concentrate on the influence of a variety of interruptions instead of specific dangers that can never influence processes. Simultaneously, administration should never disregard possible issues that are evident in the institution's particular region. For instance, financial companies can be located in flood-prone regions, close to earth fault lines, or by regions subject to cyclones or hurricanes (FFIEC, 2013; Moisoff, 2006). References FEMA. (2012, June 19). Business Impact Analysis. Retrieved February 23, 2013, from http://www.ready.gov/business-impact-analysis FEMA2. (2012, December 19). Business Continuity Plan. Retrieved February 25, 2013, from http://www.ready.gov/business/implementation/continuity FFIEC. (2013). Business Impact Analysis. Retrieved February 26, 2013, from http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/business-impact-analysis.aspx Honour, D. (2006, September 29). Defining business continuity. Retrieved February 25, 2013, from http://www.continuitycentral.com/feature0398.htm Moisoff, R. L. (2006, December 01). BUSINESS IMPACT ANALYSIS. Retrieved February 24, 2013, from http://www.cpaccarolinas.org/docs/Symposium06/moisoff-BIAlessons.pdf Pabrai, U. O. (2013). Contingency Planning: Business Impact Analysis. Retrieved February 24, 2013, from http://www.certmag.com/read.php?in=1175 Public Safety Canada. (2013, February 08). A guide to business continuity planning. Retrieved February 22, 2013, from http://www.publicsafety.gc.ca/prg/em/gds/bcp-eng.aspx Rouse, M. (2005, September). business impact analysis (BIA). Retrieved February 22, 2013, from TechTarget.com: http://searchstorage.techtarget.com/definition/business-impact-analysis SORM. (2012, May 19). Business Continuity Impact Analysis. Retrieved February 23, 2013, from http://www.sorm.state.tx.us/risk_management/business_continuity/bus_impact.php ttgtMedia. (2007, May 25). Business Impact Analysis. Retrieved February 22, 2013, from http://cdn.ttgtmedia.com/searchSecurityChannel/downloads/443_Disaster_04_(2).pdf Read More