4 Steps to Conducting a Business Impact Analysis for Disaster Recovery
Business continuity planning starts with establishing a set of risk management processes and procedures to prevent the disruption or downtime of mission-critical services. However, organizations can sometimes overlook the essential objective of their continuity plan: it must always include a plan to re-establish full function quickly and smoothly during an outage. The natural disasters, cyber-attacks, or human error that can cause downtime events are unpredictable, but a disaster recovery plan can provide confidence and control in the face of uncertainty.
It takes businesses decades to build a reputation and minutes to ruin it: the costs of downtime are tremendous, ranging from around $10,000-$50,000 an hour for small businesses to over $1 million an hour for large corporations. Both rapid recovery and disruption prevention start with having a well-thought-out business impact analysis and a thorough understanding of two industry terms, RPO and RTO. It may not be practical for businesses to recover all business functions immediately following a disaster event, so these tools help organizations prioritize the most critical functions and establish recovery objectives to build an effective disaster recovery plan.
How Does Business Impact Analysis Support Your Business Continuity Planning?
The purpose of a business impact analysis is to identify business processes and their criticality to an organization’s objectives and match them to the systems and components they depend on to function. A complete business impact analysis will give your organization a clear understanding of the systems, components, and applications your business relies on for its day-to-day operations.
RPO and RTO Objectives Are Key Elements Of Your Disaster Recovery Plan
Determining your company’s RPO (recovery point objective) and RTO (recovery time objective) is an essential step in developing your business impact analysis and planning for backup and disaster recovery. To put it simply, RPO is the maximum span of time for which data can be lost. For example, if your RPO is five hours, you will need backup or retrieval solutions that run at intervals of no more than five hours. RTO is the maximum time after a disruption in which a business process must be restored.
These objectives can vary based upon the critical nature of different applications. For example, the business impact analysis may show that specific processes not initially considered a top priority for restoration are customer-facing, and that the reputational damage from their unavailability requires them to be accessible again in under an hour.
Recovery objectives will largely depend on your industry and the SLAs (service-level agreements) you might have with your customers. For example, SaaS companies may have contracts that stipulate they must pay customers thousands of dollars per hour of downtime. A retail company may not have SLAs, but it could miss out on thousands of dollars in sales if it cannot process transactions for an hour. Another consideration is that some systems and applications are more critical than others. For example, losing the ability to process transactions or recover lost data for an hour is much more serious for a credit card company than losing access to its payroll system for an hour.
How to Conduct a Business Impact Analysis
To get started determining the RPO and RTO for each of your business processes, here is an example method to conduct a business impact analysis. Use this table as a guide and follow the steps below to complete your investigation.
| Business Process | Description | Impact | Maximum Tolerable Downtime (MTD) | Notes |
| --- | --- | --- | --- | --- |
| Lead generation | Marketing uses a web form generated by Wufoo that lives on our WordPress site. This data is saved and stored in Marketo. | Moderate | 8 hours | We collect approximately 9 leads in an 8-hour period, which could result in a revenue loss of X. |
- Meet with business process stakeholders
Meet with stakeholders from each department or business unit to review their processes and inventory all IT systems and applications they rely on to do their jobs. It’s essential to thoroughly understand these processes and trace them to the IT resources needed. Without a thorough understanding of a process, it can be easy to miss vital continuity components. Remember that interconnection points are essential for researching digitally dependent systems – proactively identify and record each point of contact for connected business processes.
- Identify downtime impacts
When meeting with business process stakeholders, guide the conversation around downtime and impact by discussing the quantity of data input, saving, and utilization within a single working hour. If there is little or no impact in an hour, ask about larger increments like 3 hours or 6 hours until you understand the criticality of the process. What would happen if your business could not complete a process or save data within one hour? Assign each process an impact rating of minor, moderate, or severe. Every organization will define these impact ratings differently, but risks to consider for every business process include revenue loss, productivity loss, legal implications, brand reputation, and customer churn due to the inability to access services. With these in mind, your organization can start to define minor, moderate, and severe and identify the maximum tolerable downtime, or MTD, for each process.
- Meet with business leaders to help with disaster recovery prioritization
Multiple business process stakeholders will likely say that their process is mission-critical and that downtime impacts would be severe. For this reason, it’s worth meeting with upper management to review your findings from stakeholder meetings to ensure that the assessment is in line with what leadership determines to be the business’s key strategic objectives.
- Identify RPO and RTO for each business continuity resource
Once these meetings with stakeholders are complete and MTD and severity ratings are identified for each process, it’s time to get into the weeds. Meet with IT stakeholders to determine the exact servers, platforms, and/or applications necessary to complete each business process and compile them in a spreadsheet. Convert the severity ratings and MTDs you established with stakeholders into official RPOs and RTOs for each resource.
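The conversion in step 4, sketched as an added example that is not from the article or from Element Critical: each resource inherits the strictest objectives of any process that depends on it (RTO no longer than the shortest MTD), and its backup interval is then checked against the resulting RPO. The data-loss column, the checkout and payroll rows, and the backup schedule are constructed assumptions.

```python
from dataclasses import dataclass

RANK = {"minor": 0, "moderate": 1, "severe": 2}

@dataclass(frozen=True)
class Process:
    name: str
    impact: str                 # minor | moderate | severe (step 2 rating)
    mtd_hours: float            # maximum tolerable downtime from the BIA table
    max_data_loss_hours: float  # assumed extra column: tolerable data-loss window
    resources: tuple            # IT resources the process depends on (step 4)

# Constructed sample. Only the lead-generation row (Moderate, 8 hours, Wufoo,
# WordPress, Marketo) comes from the article's table; the rest is illustrative.
BIA = [
    Process("Lead generation", "moderate", 8, 4, ("WordPress", "Wufoo", "Marketo")),
    Process("Order checkout", "severe", 1, 0.25, ("WordPress", "payments-db")),
    Process("Payroll", "minor", 72, 24, ("payroll-app",)),
]

def derive_objectives(processes):
    """Give each resource the strictest objectives of any process that uses it."""
    out = {}
    for p in processes:
        for r in p.resources:
            cur = out.setdefault(r, {"rto": p.mtd_hours, "rpo": p.max_data_loss_hours,
                                     "impact": p.impact, "driver": p.name})
            if p.mtd_hours < cur["rto"]:
                cur["rto"], cur["driver"] = p.mtd_hours, p.name
            cur["rpo"] = min(cur["rpo"], p.max_data_loss_hours)
            if RANK[p.impact] > RANK[cur["impact"]]:
                cur["impact"] = p.impact
    return out

def rpo_gaps(objectives, backup_interval_hours):
    """Resources whose backup interval is missing or longer than their RPO."""
    gaps = []
    for r, obj in sorted(objectives.items()):
        interval = backup_interval_hours.get(r)
        if interval is None or interval > obj["rpo"]:
            gaps.append((r, interval, obj["rpo"]))
    return gaps

# Constructed backup schedule (hours between backups); Wufoo has none recorded.
SCHEDULE = {"WordPress": 5, "Marketo": 4, "payments-db": 0.25, "payroll-app": 24}

if __name__ == "__main__":
    for gap in rpo_gaps(derive_objectives(BIA), SCHEDULE):
        print("RPO gap:", gap)
```

The shared WordPress site ends up with the checkout process's one-hour RTO even though lead generation alone would have tolerated eight hours, which is the kind of dependency the stakeholder interviews in step 1 are meant to surface.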
The larger your organization is, the more difficult it can be to determine what business processes and systems are the most critical assets. The National Institute of Standards and Technology (NIST) provides a helpful document for analyzing your business processes to prioritize systems and components based on the importance of their role in carrying out your organization’s mission and objectives.
Begin Planning Your Disaster Recovery Solution
Determining the criticality of each business process can be tedious. Still, when your business impact analysis is done, you will have completed a giant step in the right direction for developing an effective and holistic disaster recovery plan. This analysis will help your organization determine not only where to implement disaster recovery solutions but how much budget and resources are required to meet your RPO and RTO objectives.
Your disaster recovery plan will likely involve a combination of backup solutions and disaster recovery deployments. A strategically located deployment in a purpose-built colocation data center can provide the level of redundancy and protection you need to ensure the continuity of mission-critical operations.
Element Critical provides data center colocation services in purpose-built facilities with redundant power and network connectivity across the U.S. Download our IT Leader’s Disaster Recovery Guide to learn more about IT disaster recovery and start building your Disaster Recovery solution today.