
Business Impact Analysis (BIA)

This article outlines the Business Impact Analysis for a BCP.

Business Impact Analysis involves identifying the Company's critical and important business systems and processes that could be affected by any of the threats outlined. This includes any system or process whose defect or failure (as a result of whatever has caused the BCP to be invoked) would materially impair the Company's:

● Compliance with its contractual or legal obligations
● Financial performance
● Soundness, or the continuity of its main services and activities

Examples include:

  1. A critical system running on AWS. Dependencies would include AWS and internet access. Mitigants would include AWS backup and failover across data centres, to minimise data loss and ensure availability in the event of an incident, and regular testing of failover and backup restores.

  2. A critical system running on servers locally in the office. Dependencies would include a local area network (plus any other complexities of the system). Mitigants would include backups (at a minimum held offsite), the ability to fail over servers at a BCP site, and regular testing of failover and backup restores.

The BIA is used to determine the priority of recovering each of the affected critical business processes/services based on the following:

  • Maximum Acceptable Outage (MAO): This reflects how long the Company can survive without those processes and/or systems before the disruption becomes intolerable.

  • Criticality: how critical they are (based on cost to the business).

  • Mitigants: any mitigants in place to minimise the impact of the disruption, such as backups and failover. Alternatively, does the Company insure against the risk, or simply accept the risk because the cost to mitigate would be higher than the damage itself?

  • Recovery Time Objectives (RTO): the estimated time it will take to recover the service.

  • Recovery Point Objectives (RPO): the maximum acceptable amount of data loss (to the Company and its clients) after an unplanned data-loss incident, expressed as an amount of time. An RPO determines the maximum age of the data or files in backup storage required should, for example, a system failure occur; that is, the amount of time that can pass during an event before data loss exceeds that tolerance. It helps us to determine our backup and recovery procedures.