Business Impact Analysis (BIA) is a critical component of keeping an organization functioning. Organizations must not ask themselves whether something will go wrong: they must assume that disasters of various kinds will arise and know how to cope with the fallout. This paper outlines various types of contingency and continuity planning.
BIA
Stakeholder Analysis
Business Impact Assessment and disaster management
A business impact assessment (BIA) is designed to evaluate the impact of a disaster upon the functioning of the organization and, ideally, to determine ways for the organization to remain operational even under the stress of a full-blown attack on its information systems or a widespread catastrophe such as a natural disaster. "BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence" than it did before the catastrophe (BIA, 2013, Search Storage). Another definition of a BIA is "to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions" (A guide to business continuity planning, 2013, Public Safety). Prioritization is thus another critical component of BIA: not every situation can be planned for, nor can every risk be perfectly controlled, but through prioritization and the determination of which components of the organization are mission-critical, it can be assured that the organization continues to function and offer necessary services with the fewest possible disruptions (BIA, 2013, FEMA).
One of the first steps is thus establishing component priority: determining which components are most important for the business to function (Johnson 2010: 278). The second step is component reliance: determining which of these important components are critical because of their interrelation with other components necessary to do business (Johnson 2010: 278). Functions, dependencies, and the human intelligence required to fulfill them are all assessed, and this will better enable the company to prevent and mitigate damage when and if it occurs. A BIA takes into consideration risk exposure (the likelihood of a risk) and the damage that risk could entail. For example, a tornado might be an extremely impactful risk for a mid-Atlantic state like NJ, but one of lower likelihood there than in a Midwestern state such as Kansas. There must be a prioritization of risks, threats, and vulnerabilities (Johnson 2010: 278-279). All are equally important yet critically different components of the BIA. "Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined" (A guide to business continuity planning, 2013, Public Safety).
Approaches to dealing with risk include risk avoidance, risk management, risk acceptance, and risk transference. Although all of these strategies are likely to be used, their mix will vary from organization to organization and scenario to scenario. Yet while a variety of coping strategies are available to the organization, the ultimate ideal is prevention. Preventing damage to an organization demands continual screening. For example, to determine the resources needed to cope with a threat to the IT system, a vulnerability assessment might simulate an attack on the firewall to see whether the system can withstand it. Then, once the vulnerabilities are determined, the system designers attempt to rectify them -- but given that complete prevention is not possible, there must also be contingency plans in place that determine what to do if the system is breached. "The assessment must also address the cost to business and the cost of remediation" (Johnson 2010: 282).
Then, the financial costs to the business of various risks may be determined. For example, a common threat to a business is a power failure. For some businesses, being 'offline' for a few hours might not be catastrophic; for other businesses, major revenue might be irrevocably lost. The BIA asks "if a business function or process is inoperable, how long would it take before additional expenses would start to add up," including the cost of hiring additional employees, government fines or the need to refund customers, as well as intangible costs such as the loss of reputation (A guide to business continuity planning, 2013, Public Safety). It also compares the cost of having certain contingency measures, such as generators, against the cost of being offline and without power (A guide to business continuity planning, 2013, Public Safety). There is no absolute answer to the question of what constitutes the greatest threats; rather, the answer is determined by the external factors affecting the business and its internal goals and priorities.
A full assessment will determine which aspects of the operation are mission-critical and which are not, and which components are necessary for certain mission-critical components to perform. For example, "a recent vendor risk assessment has assumed serious control weaknesses" at the facility, leaving data unsecured for extended periods of time (Johnson 2010: 285). The organization can either avoid the risk and find another vendor; find a way to manage the risk by asking the vendor to institute more secure controls at the facility; accept the risk (if it is determined, for whatever reason, that the consequences of releasing the data are not dire); or transfer the risk (making the vendor responsible if the data is lost) (Johnson 2010: 285).
Yet another vital component of risk management is the construction of a business continuity plan. Business continuity plans (BCPs) enable the organization to continue operations even during disruptive events. Quite literally, they ensure that the processes of the business have 'continuity' in difficult times. Continuity plans are always being 'tweaked,' underlining the need for continuous screening once again. "Moderating risk is an ongoing process, and should be performed even when the BCP is not activated" (A guide to business continuity planning, 2013, Public Safety). Because the plan operates in dialogue with external circumstances, environmental scanning is a must. Ultimately, a BCP and a BIA can save an organization heartache as well as money. Only through a BIA can a company be assured that it is appropriately insured, for example. "It is important to use the BIA to help decide both what needs insurance coverage, and the corresponding level of coverage. Some aspects of an operation may be over-insured, or underinsured" (A guide to business continuity planning, 2013, Public Safety). Only through continuity plans can the organization be assured that a single, unforeseen event will not bring it to its knees and that it is taking the correct steps for preventative maintenance.