Impact Analysis

How much does your organisation stand to lose in the event of a disaster or other disruption?

The purpose of a Business Impact Analysis (Stage 2 of the business continuity management process) is to assess the risk by identifying:

  • Critical business processes
  • The potential damage or loss that may be caused to the organisation as a result of a disruption to critical business processes

This analysis determines what recovery facilities are provided and ensures that the organisation can allocate business continuity management resources in the most appropriate way.

If a Business Impact Analysis is not undertaken, or is not done correctly, resources may be wasted on unnecessary services that do not fully support a recovery.

What should be included?

Specifically the Business Impact Analysis will identify impacts resulting from an inability to undertake normal business processes. Impacts are measured against particular scenarios - for example, the inability to provide call centre services for a period of time.

The impact analysis should concentrate on those scenarios where the impact on critical business processes is likely to be greatest. It will include:

  • 'Hard' impacts - financial loss, breach of law, regulations, or standards, failure to achieve agreed service levels, increased costs of working
  • 'Soft' impacts - political, corporate or personal embarrassment, loss of competitive advantage, loss of credibility

Consideration will also be given to how the degree of damage or loss is likely to escalate after a service disruption. This will enable identification of the minimum critical requirements for the continued operation of the business process, and the timescale within which such requirements should be provided. These requirements include:

  • The staffing, skills, facilities and services (including the IT applications and data recovery requirements) necessary to enable critical and essential business processes to continue operating at a minimum acceptable level
  • The time within which minimum levels of staffing, facilities and services should be recovered
  • The time within which all required business processes and supporting staff, facilities and services should be fully recovered

This information can be collected through interviews or workshops with senior members of the business areas. It is important that respondents have a good understanding of their business including an appreciation of dependencies on other departments.

The Business Impact Analysis enables each business area to understand at what point the unavailability of their business process would become untenable within the organisation - immediately, after a day, week, month or so on. This in turn allows the most appropriate continuity mechanisms to be determined to meet these business requirements.

Other Considerations

The Business Impact Analysis should also consider any implications associated with loss of integrity of information, and for IT systems the impact of the loss of data.

With the move to direct data entry and online transaction processing, consideration of how data will be reconciled is an essential part of the recovery process.

In most cases, business processes can be re-established without a full complement of staff, systems and other facilities, while still maintaining an acceptable level of service to clients and customers.The business recovery objectives should therefore be stated in terms of:

  • The time within which a predefined team of core staff and stated minimum facilities must be recovered
  • The timetable for recovery of remaining staff and facilities
  • The point to which data must be recovered

 

© Crown copyright2008