Business impact
analysis is an essential element of the business continuity planning process.
This step quantifies the data and enters the real world of possible losses that
can harm your business. It is used to understand the most significant impacts
and how best to protect your employees, their processes, their data, their
communications, their assets, and the goodwill and reputation of the
organization.
Why Business Continuity - Organizations often think in terms of
disaster recovery. Business continuity and business impact analysis are more
focused on keeping the business in business and less on disaster recovery. The
business impact assessment focuses not only on potential disasters but
also on all potentially critical discontinuities. The main elements of business
impact analysis are identifying essential business functions, establishing the
maximum acceptable interruption time for each of these functions, and
determining the impact of non-execution of these functions. This can be
measured against regulatory, legal, financial, operational, or customer service
requirements.
Once the
suitability and security controls have been assessed and the critical functions
and downtime defined, the business continuity planner must develop an
understanding of the likelihood of threats based on severity or impact and
start developing an analysis of the benefits of addressing the risks of more
significant impact and higher possibility.
It is almost
impossible to assign absolute values to threats and impacts and prioritize
them. In general, a relational system is used in place of absolute priorities.
Typically, each threat is assessed based on its likelihood and receives a score
of 1, 5, or 10. Then each threat is evaluated based on its impact on critical
business functions and the business in general. For example, a discontinuity in
a crucial business function of less than one hour may be given a value of 0. A
discontinuity of one to eight hours may be classified as 1. Eight to twenty-four
hours may be classified as 2, and more than 24 hours may be rated 3. These
ratings should be tailored to the company. Taking the probability and the
impact into account together creates a list of relational priorities.
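
The scoring scheme above, worked through as an added example that is not part of the original text: each threat gets a likelihood of 1, 5, or 10, each affected function gets an impact rating of 0 to 3 from its estimated outage, and the rows are ranked and checked against the function's maximum acceptable interruption time. Assumptions: the text does not say how likelihood and impact are combined, so they are multiplied here; the shared band endpoints (8 and 24 hours) are placed in the lower band; all function names, threats, and hour values are constructed samples.

```python
from dataclasses import dataclass

LIKELIHOOD_SCORES = (1, 5, 10)   # the three likelihood scores the text uses

# Constructed sample: critical function -> maximum acceptable interruption (hours)
MAX_INTERRUPTION_H = {"order processing": 4, "customer support": 8, "payroll": 24}

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int    # 1, 5 or 10
    outage_h: dict     # critical function -> estimated outage in hours

# Constructed sample threats and outage estimates
THREATS = [
    Threat("data center fire", 1, {"order processing": 120, "payroll": 120}),
    Threat("ISP link failure", 10, {"order processing": 6, "customer support": 6}),
    Threat("ransomware", 5, {"order processing": 48, "payroll": 8}),
]

def impact_rating(outage_hours):
    """Map an outage to the text's 0-3 scale. The text's bands share the
    endpoints 8 h and 24 h; putting them in the lower band is an assumption."""
    if outage_hours < 0:
        raise ValueError("outage duration cannot be negative")
    if outage_hours < 1:
        return 0
    if outage_hours <= 8:
        return 1
    return 2 if outage_hours <= 24 else 3

def prioritize(threats, max_interruption_h):
    """Return (threat, function, score, exceeds_max) rows, highest priority first."""
    rows = []
    for t in threats:
        if t.likelihood not in LIKELIHOOD_SCORES:
            raise ValueError(f"{t.name}: likelihood must be one of {LIKELIHOOD_SCORES}")
        for function, hours in t.outage_h.items():
            score = t.likelihood * impact_rating(hours)   # assumed combination rule
            exceeds = hours > max_interruption_h[function]
            rows.append((t.name, function, score, exceeds))
    # Highest score first; ties go to outages that exceed the acceptable maximum.
    rows.sort(key=lambda r: (-r[2], not r[3], r[0], r[1]))
    return rows

if __name__ == "__main__":
    for row in prioritize(THREATS, MAX_INTERRUPTION_H):
        print(row)
```

With this sample data a frequent short outage outranks a rare catastrophic one, which is why the ratings and the combination rule need to be tailored to the company.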
This risk
assessment and control approach allows management to start quantifying the
risks and possible impacts on the organization judiciously and analytically.
This not only translates into better decisions but also provides an audit trail
that shows that management is paying attention to its risk management
responsibilities. These responsibilities can be established by regulatory or
legal bodies, required as a contractual commitment by customers, or simply
expected by shareholders as prudent management. The main goals of
the business are to protect people, protect assets, protect data, and protect
the brand and reputation of the organization.