Have you heard of The Worst-Case Scenario Survival Handbook? When we talk about a business impact analysis, that is basically what it is: a guide to everything that can bring down your business, along with steps for restoration.
- Business impact analysis: exploration and planning
- Why the BIA is important
- 7 types of impact you’ll frequently see
- 7 common ways businesses are disrupted
- When and how long is the business disruption?
- Tapping internal intelligence: the BIA questionnaire
- Putting it in writing: the BIA report
- Smart hosting protections: SSAE 16 compliance
Business impact analysis: exploration and planning
Business impact analysis (BIA) is one of those business buzzwords that sounds quite a bit like the TPS reports that were ridiculed (sort of) in Office Space. However, the concept is actually very straightforward; it means just what you would think. A BIA is simply a process to look at the possible results of natural disasters, human errors, and malicious activities on operational elements ranging from credibility to liability, compliance, safety, and finances.
A well-strategized business impact analysis doesn’t just pessimistically describe worst-case scenarios, of course. It foretells the effects of an interruption to business continuity and collects knowledge to help create a disaster recovery plan. These two aspects of the BIA are called the exploratory and planning components.
During the risk assessment component of the BIA, you should delineate possible forms of loss that can occur internally. Additionally, the analysis should evaluate what the consequences would be if a vendor weren’t timely or otherwise didn’t meet expectations.
Why the BIA is important
Boy Scouts will understand right away why you need to conduct a BIA since it’s written right into their motto: “Be prepared.” Why specifically is this preparation wise? There are three primary reasons it makes sense to invest your time and resources in a business impact analysis:
#1 – You aren’t improvising when a disaster occurs. During the stress of a business continuity disruption, it isn’t easy to make the most logical, practical and sound decisions. The business impact analysis gives you a rational and straightforward process with which to recover, not just broadly but in the specific scenario the business is experiencing.
#2 – You use your recovery funds meaningfully and systematically. Part of a BIA is determining restoration priorities so you can allocate funds and apply effort correctly during a crisis. You also have an estimate of how long each step of the recovery process should take.
#3 – You are able to evaluate your vendors appropriately. You want to look deeply at your own system but also the aspects that are handled externally (as with your hosting provider – see below).
This type of analysis is essentially a framework that helps you more wisely determine how to spend money and time. “Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies,” explained the U.S. Department of Homeland Security.
Specific to the provider you choose for hosting infrastructure and other IT services, this process helps you better understand the extent to which a secure, stable, high-performance infrastructure should be a priority. You can assign an appropriate value to a datacenter that is audited to meet the standards of the American Institute of CPAs (AICPA) – via Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
7 types of impact you’ll frequently see
A BIA should give you a better sense of how your business could potentially malfunction and how money could be lost if a business system goes down or anything else isn’t fully operational. To look at it a bit more broadly, here are seven ways in which companies suffer when infrastructure or other elements become unavailable:
- Revenue is lost.
- Revenue comes in later than expected.
- Your operational costs rise (such as having to pay overtime or expedite).
- You incur fines for regulatory violations.
- You fail to earn bonuses or get penalized for not meeting contractual parameters.
- You lose or irritate customers.
- Projects you were planning to start don’t get launched on time.
To look specifically at the money, expenses related to disasters can be more extensive than you might initially think. One cost for which many companies fail to account properly is reputation management. For instance, your business could reasonably spend four times as much for marketing simply to retain your customers’ trust when your services aren’t working as your users expect.
7 common ways businesses are disrupted
How might your business be blocked from continuing to operate normally?
- Your facilities are damaged.
- Equipment breaks down.
- You are unable to access facilities.
- Supply chain problems occur, either at the vendor or in transit.
- Power or other utilities go down.
- Software or hardware malfunctions.
- Key staff members are either out or make errors.
When and how long is the business disruption?
In terms of negative impact, there’s clearly a vast gulf between a split-second blip in your services and an outage of multiple days. It’s not just about duration, though, but timing as well. For instance, a B2C ecommerce site could miss out on a much larger chunk of annual sales if it were derailed by a distributed denial of service (DDoS) attack on Black Friday than if it had unscheduled downtime at a less pivotal time of year.
The business impact analysis covers all possible scenarios – not just the scariest and most far-reaching ones. Certainly it is a top priority to think in terms of those most devastating disruptions, such as your site going down for a full day or a product becoming unavailable for 48 hours when everyone is making their holiday purchases.
However, you also want to look at the situations that seem to be just momentary inconveniences – such as an electrical outage of just 5 or 10 minutes. After all, Gartner reports that the average cost of a minute of downtime is $5,600 – or more than $300,000 per hour. Your own BIA should reveal how much your costs for downtime and other elements are over certain timeframes.
Tapping internal intelligence: the BIA questionnaire
The business impact analysis is, to a large degree, a fact-finding mission. You want to organize the effort by distributing a standard form, a BIA questionnaire, to leadership and other personnel.
You want to get ideas from those who are knowledgeable about each type of business process. “Ask [these individuals] to identify the potential impacts if the business function or process that they are responsible for is interrupted,” said the DHS. Plus, the analysis should detail the key systems that will allow the organization to maintain varying degrees of operation.
Putting it in writing: the BIA report
You obviously want to have documentation of this process, and that’s all detailed in the business impact analysis report. It’s especially important (although certainly an imperfect science) to put an estimated dollar figure on every potential situation you can. These numbers are helpful because they give you a better sense of how to evaluate the costs of preventive and mitigation services. Plus, you want to list the step-by-step recovery that should occur in the event of disruption, moving from the most to least mission-critical systems.
Smart hosting protections: SSAE 16 compliance
As stated in the title of this piece, your BIA should show you how to make the best hosting decisions – meaning that it helps you place a value on stable and secure infrastructure. The SSAE-16 Type II audit is your assurance that Total Server Solutions follows the best practices for keeping your systems running strong.