The Business Impact Analysis policy is to analyze the business impact of a business process after a disaster occurs and to formulate a plan for disaster recovery activities, including defining the recovery point objective (RPO) and recovery time objective (RTO). [[FII-SCF-020-RSK-08]]

Netspective Communications LLC includes conducting a Business Impact Analysis (BIA) as one of the activities in its business continuity planning. The purpose of the BIA is to clearly highlight the impact that may occur after a disruption or disaster.
Define MTD
- MTD stands for Maximum Tolerable Disruption. This is the maximum time a business process can tolerate an outage; anything beyond that is unacceptable.
Define RTO/RPO
- Recovery Time Objective
| 1 | Up to 4 hours |
| 2 | 4 - 12 hours |
| 3 | 12 - 24 hours |
| 4 | 24 - 48 hours |
| 5 | > 48 hours |
Definition: The Recovery Time Objective is the maximum amount of time that a business unit can tolerate being without a specific computerized system or service; it is the period of time within which systems, applications, or functions must be recovered to a predetermined acceptable level, following an outage. The RTO should be less than the MTD. For example, if the MTD is 8 hours, then the RTO should be at most 6 hours; the RTO cannot be equal to the MTD.
Recovery Point Objective
| 1 | Time of Disaster (zero data loss) |
| 2 | 0 - 4 hours prior to time of disaster (data can be rekeyed into systems when system becomes available) |
| 3 | 4 - 24 hours prior to time of disaster (data can be rekeyed into systems when system becomes available) |
| 4 | 24 - 48 hours prior to time of disaster (data can be rekeyed into system when system becomes available) |
| 5 | 48 hours - 1 week prior to time of disaster (data can be rekeyed into system when system becomes available) |
- The Recovery Point Objective (RPO) specifies the point in time to which systems and/or data must be restored following a disaster. It determines the maximum allowable data loss that a business unit can tolerate during or as a result of an event. The RPO can either be “Time of Disaster” or a specific time prior to the occurrence of the disaster.
- The development of backup strategies is based on the RPO.
Business Impact
The business process would have the following typical impacts:
- These impacts encompass both financial and non-financial aspects. To simplify, the actual financial amount is not quantified and is referred to as a high impact, indicating that any monetary loss would be considered an impact.
| BI01 | Lost revenue | Billing loss or revenue loss due to customers not placing orders |
| BI02 | Warnings and penalties by customers and regulatory body | Penalties and notices by government authorities or customers |
| BI03 | One-time expense | Added maintenance costs and one-time, unplanned, non-budgeted expenses |
| BI04 | Backlog business transaction clearance | Overtime working to restore, lost morale of team |
| BI05 | Customer dissatisfaction | SLA miss, leading to customer dissatisfaction and eventual warnings and termination of contract, reduced fees, or no repeat orders |
| BI06 | Media headline | Media headlines leading to reputational issues |
| BI07 | Lost stocks | Shareholder dissatisfaction and lost stock |
| BI08 | Threat to life | Injuries, fatal loss of lives |
List the business processes and information
| Sr.No. | Business Department | Business Processes | Supported IT system | Importance | Disruption event | No impact | Low impact time | Medium impact time | High impact time | Maximum Allowed Downtime | RTO | RPO |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BP_01 | Operations | | | Critical | | | | | | 8 | 5 | Zero loss |
| BP_02 | HR | Personnel management | | Medium | | | | | | | | |
| | | Onboarding/deboarding | | Medium | | | | | | | | |
| | | Attendance | | Low | | | | | | | | |
| | | Performance Management | | Low | | | | | | | | |
| | | Benefits | | Medium | | | | | | | | |
| | | Leave | | Medium | | | | | | | | |
| BP_03 | Finance | AR | | | | | | | | | | |
| | | AP | | | | | | | | | | |
| | | Taxation | | | | | | | | | | |
| | | Payroll | | | | | | | | | | |
| BP_04 | Sales/Marketing | Campaign | | | | | | | | | | |
| | | Leads | | | | | | | | | | |
| | | Customer Relationship | | | | | | | | | | |
| BP_05 | Purchase | Bids/Tenders | | | | | | | | | | |
| | | Supplier onboarding/deboarding | | | | | | | | | | |
| BP_06 | Legal | Legal business activities | | | | | | | | | | |
| BP_07 | IT | Software Development | | | | | | | | | | |
| | | Project Management | | | | | | | | | | |
| | | Timesheets | | | | | | | | | | |
| | | Build | | | | | | | | | | |
| | IT | Change management | | | | | | | | | | |
| | IT | Asset/CMDB | | | | | | | | | | |
| BP_08 | IT Service Desk/Call center | Tickets - requests/incidents/issues | | | | | | | | | | |
| BP_09 | IT Email | | | | | | | | | | | |
| BP_10 | IT Network | Network management | | | | | | | | | | |
| BP_11 | Facility Management | Maintenance of Facilities | | | | | | | | | | |
Threats and Disasters
- The following threats can typically impact business processes and are listed with their likelihood. Please refer to the Risk assessment sheet for detailed information. This document provides a high-level view of the risks.
| Sr.No. | Threat | Possibility of happening in location |
|---|---|---|
| 1 | Fire | Low |
| 2 | Heavy rains and floods | Medium |
| 3 | Earthquake | Medium |
| 4 | Power outage | Medium |
| 5 | Riots and Civil disobedience | Low |
| 6 | Theft | Low |
| 7 | Virus - Health | High |
| 8 | Cloud provider unavailability | Low |
| 9 | Network failure | Low |
| 10 | Hacking | Medium |