8 Parts of a Business-Impact Analysis in an IT Disaster Recovery Plan

By Peter H. Gregory, Philip Jan Rothstein

Part of IT Disaster Recovery Planning For Dummies Cheat Sheet

Use a business impact analysis to help determine which processes and systems warrant the expense and effort related to developing your IT disaster recovery plan. A business impact analysis (BIA) is a detailed inventory of the primary processes, systems, assets, people, and suppliers that are associated with an organization’s principal business activities.

The core purpose of a business impact analysis is to identify which processes and systems are the most critical to the survival of an organization.

Follow these steps to complete the business impact analysis:

  1. Establish the project team, scope, and budget; name a project manager.

  2. Get executive support.

  3. Inventory your key business elements:

    • Business processes

    • Information systems/applications

    • Assets

    • Personnel

    • Suppliers

    Develop intake forms that you can use to gather consistent information. Interview key experts throughout the business. Get information from inventories.

  4. Tabulate the results in a spreadsheet or document.

  5. For each business process, determine the Maximum Tolerable Downtime (MTD).

    MTD is the longest time the process can remain disabled before it threatens the organization’s survival.

  6. For each business process, determine a reasonable Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

  7. Sort the list of business processes into MTD or RTO order.

    The processes with the shortest MTD or RTO are the most critical business processes. Get agreement from senior management.

  8. Perform a risk analysis on each critical process to identify any vulnerabilities that exist, along with steps to mitigate those vulnerabilities.