Carl B. Jackson
Business continuity planning (BCP) is a business issue, not a technical one. While each component of the business participates to a greater or lesser degree during the evolution, testing, and maintenance of BCPs, it is in the business impact assessment (BIA) process where the initial widespread interaction with staff and management takes place. The successful outcome of the BCP process really begins with the BIA.
Why business impact assessment? The reason that the business impact assessment element of the BCP methodology takes on such significance is that it sets the stage for shaping a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.
Our experiences in this area have shown that, all too often, recovery alternative decisions such as hot sites, duplicate facilities, materials stockpiling, etc. are based on emotional motivations, and not on the results of a thorough business impact assessment. The bottom line in performing BIAs is the requirement to obtain a firm and formal agreement from the management group as to precise maximum tolerable downtimes (MTD). The formalized MTDs must be communicated to each business unit and to each support service organization (i.e., IT, Network Management, Facilities, etc.) that supports the business units, so that realistic recovery alternatives can be acquired and recovery measures developed.
The objective of the chapter is to examine the BIA process in detail, and to focus on the fundamentals of undertaking a positive and successful business impact assessment.
THE FIVE-PHASED APPROACH TO BCP
The BIA process is one phase of an overall approach to the evolution of BCPs. The following is a brief description of a five-phase BCP methodological approach. This approach is commonly used for development of the business unit (resumption) plans, technological platform, and communications network recovery plans.
BIA PROCESS DESCRIPTION
As mentioned above, the intent of the BIA process is to assist the organization's management in understanding the impacts associated with possible threats, and to employ that intelligence to calculate the maximum tolerable downtime for reliance upon time-critical support services and resources. For most organizations, time-critical support services and resources include:
IMPORTANCE OF DOCUMENTING A FORMAL MTD DECISION
The BIA process comes to a conclusion when the organization's senior management group has considered the impacts to the business processes due to outages of vital support services and then makes a formalized decision on the MTD they are willing to live with. This includes a decision to communicate the MTD decision(s) to each business unit and support service manager involved. Why is it so important that a formalized decision be made? Because the failure to document and communicate precise MTD information leaves each manager with imprecise direction on (1) selection of an appropriate recovery alternative method; and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.
We have seen many a well-executed BIA with excellent results be wasted because the senior management group failed to articulate their acceptance of the results and to communicate to each affected manager that the time requirements for recovery processes had been defined.