In the world of enterprise storage, data must be accessible at all times. It’s critical for business survival. Yet the challenge is that storage – like other areas of information technology – can suffer downtime, which will negatively impact operations.
The discipline of business impact analysis is an effort to limit this downtime. It’s an important component of every company’s risk management strategy. Understanding how an outage, data security incident or other forms of unplanned downtime impacts an IT organization is a must. It’s an essential part of having the right business continuity and disaster recovery solutions in place.
What is Business Impact Analysis (BIA)?
Business Impact Analysis is the right first step as part of disaster recovery and business continuity planning. Rather than just guessing what might happen to IT operations if something fails or is disrupted, Business Impact Analysis is a formal process that looks to quantify the potential impact of a service disruption.
Business Impact Analysis is different than just a risk assessment, which looks to determine, with various metrics, what the risks are that face an organization. With a risk assessment an organization, for example, might understand that a given application is at risk of being attacked and that it could negatively impact operations. In contrast, with business impact analysis an organization will look beyond just the risk to quantify what actually would happen to the business from a failure or disruption in operational terms.
Business Impact Analysis can also provide an organization with an opportunity to determine what the maximum tolerable downtime is, as a function of the potential operational and functional impact of a service disruption.
How to Conduct a Business Impact Analysis
Conducting a business impact analysis involves multiple steps and different people within the organization. The results of this analysis must be built into your disaster recovery planning:
- Engage the right stakeholders. It’s important that the relevant stakeholders for different lines of business or IT competency are part of the process.
- Identify critical assets. Take inventory of the IT assets within a business, identify what they do and define the assets that are critical to the operation of the business.
- Assess impact. Consider the impact of a disruption to the asset or service. Impact can include lost sales, increased expenses, customer dissatisfaction or even regulatory fines.
Business Impact Analysis Steps
With an understanding of what assets are critical and what potential impact a disruption might incur, the next step is to build out an impact analysis matrix, which can be built with a tool or even at a preliminary stage just with a basic spreadsheet.
The matrix or worksheet for each IT process identifies:
- Timing or duration of a disruption (in different time increments).
- What the operational impact of the disruption would be.
- What the financial impact of the disruption would be.
Business Disruption Scenarios
There are any number of different situations that could disrupt IT operations at a business.
- Environmental issues. For example, a hurricane, fire or other weather event can have an impact.
- Power failure. A power failure can lead to an outage or other service disruption. (This is one reason companies use cloud storage.)
- Cyberattack. Malicious hackers can take aim at IT operations with the express intent of disrupting everyday business operations.
- Unintended data corruption. Mistakes happen, and employees or applications on their own can sometimes corrupt data and cause service interruptions.
Next Steps: Business Continuity Planning and Disaster Recovery
At the end of a business impact analysis, an organization will end up with some form of business impact analysis report. While the report can be useful in considering risk management and understanding the potential impact of different business disruption scenarios, a business impact analysis report on its own doesn’t actually help to mitigate risks.
To mitigate risks, organizations need to consider business continuity planning and disaster recovery. Business continuity is a process that involves figuring out what needs to be done in case of a failure or business disruption event and how the business would continue to operate.
Disaster recovery is all about planning for and having the right solution to recover from an incident in which data is lost. There are several leading disaster recovery vendors that can help organizations with different approaches and capabilities.
Whatever choices an organization makes, the most important thing to remember is there is a need to plan, starting out with the Business Impact Analysis. After all, as the saying goes, if you fail to plan you are planning to fail.