“Give me six hours to chop down a tree, and I will spend the first four sharpening the axe.” – Abraham Lincoln
As 2021 draws to a close and we prepare to welcome the new year, it is important to evaluate how your business and its needs have changed over the past year. Our reliance on technology and IT services to run our businesses and our day-to-day lives has reached a new summit. Disasters that impact business operations can come in many forms, including: natural weather events, loss of power and other utility services, cyber-attack, fire/water damage, failure of facility/IT equipment, human error, trains and more. (Yes, I said trains! I once participated in a Disaster Recovery scenario where the threat was a train derailment that impacted facilities along a train rail.) It is important to review and rank the probability and impact of each of the unique risks to your business.
Disaster Recovery and Business Continuity plans are never complete but serve as living documents that must be reviewed and updated on a frequent basis as your infrastructure, technology and business needs change. One of the first steps in the planning, either updating a current DR/BC plan or creating one for your organization for the first time, is the Business Impact Analysis (BIA). The BIA evaluates your services, the impact on the business if those services are not available and assists to develop recovery plans as you move into building solutions.
Example BIA questionnaire:
One common mistake that an organization can make in the early stages of the process is assuming that DR/BC planning and the BIA are strictly an IT project. A BIA may be facilitated by IT but it should be a company wide effort. IT may not always have the full picture of how a tool is used, the workflows used by other departments, what workarounds exist during downtime and the financial impact when those services are not available. An interesting side effect after a BIA report is completed, while the report is crucial for DR planning, is it can actually be a valuable tool for IT and other business units to understand how services are consumed, the criticality and how other business units connect. This knowledge can be useful in day-to-day operations and provide for a better level of service. Buy in from executive leadership and stakeholders is an important first step as you embark on creating or updating your current BIA.
The information collected during your BIA interviews will be critical to assist you in assigning priority and tiering your applications/services for a recovery order. Your DR/BC program should also include a cadence for reviewing and updating your BIA and DR/BC plans as your environment changes. With our ever-increasing reliance on technology services, the US government has published a site with numerous emergency and disaster planning resources, including an outline of a Business Impact Analysis and a BIA questionnaire to assist you with your interviews. You can check out some of these resources below:
- Plan Ahead for Disasters | Ready.gov
- Business Impact Analysis | Ready.gov
- Business Impact Analysis Worksheet (ready.gov)
Once you have completed your BIA interviews, assessed the unique risk to your business and developed a recovery order, you can now begin the solutioning process. The solutioning process is where you will review and select the proper technologies that will allow you to reduce impact and meet your companies defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).