When running a business or organization is it very important to perform periodic risk assessments. In this blog post I will introduce you to the concept of a Business Impact Analysis or (BIA). A BIA is a process that can help determine the potential effects that interruptions can cause to the daily operations of your business or organization.
While the method used to conduct a BIA varies among organizations, gathering information is almost always the first step. It is important to identify “mission-essential functions” as well as “critical systems”. Once you have identified these you can prioritize their importance. The interruption of any of these systems will lead to lost revenue. How much revenue is dependant on multiple factors that you will have to take into consideration.
A BIA takes into consideration the following categories:
I want to put a strong emphasis on “Life”. You cannot put a price on someone’s life. It is the most precious resource in any organization and that is why I have placed it at the top of the list.
Along with a BIA, it is typical to conduct a risk assessment. I will elaborate on risk assessments in another post but keep in mind that the two go hand-in-hand. There are formulas that can be used that take into consideration the threat potential in combination with the categories listed above.
Interruptions to mission-essential functions and critical systems can be costly. Below I will be introducing you to some terms, defining them and identifying why they are important for you to know.
Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
These two terms are very essential when determining how you conduct backups of your systems.
When demonstrating RPO, I often ask people to envision an employee at your office performing data entry. For simplicity, let us pretend that this employee starts at 9:00AM and enters 10 records into the system every hour. Let us also assume that the last backup you performed was at 9:00AM, right before the employee started working. At 12:00PM the system crashes and all of the data from 9:00AM to 12:00PM is lost. This equates to 30 records that need to be entered back into the system. How much will this cost your organization?
RPO is used to determine how frequently your system is backed up. If you can afford to lose 3 hours of data entry then you would adjust your backups to take place every three hours.
RTO refers to how long you can afford to be down while the system is being restored. There are a plethora of backup methods that can be used but the faster the recovery time, the more expensive that method of backup typically is. Typically, you would not invest more into your backup system then you would lose during an interruption.
Mean Time Between Failures (MTBF) and Mean Time to Repair (MTTR)
MTBF is a measurement of the reliability of a piece of hardware. Another way to think about this is the average time between the failure of these components. This is important to know when it comes to planning out the replacement of hardware.
MTTR is the average time it would take to repair a damaged component. This can be important when deciding on how quickly you need someone to respond and repair a component. The faster you need something repaired, the more money you will spend for that service.
Single Point of Failure
Single Point of Failure is a rather self explanatory term. When looking at your organization as a whole it is important to have redundancy. Is there a place in your business that if one component were to fail you would be completely down? For many organizations a few big single points of failure are internet connectivity and power failures.
I hope you learned a little bit about what a business impact analysis is and why it is so important for every organization to conduct one.