What is the purpose of a BIA?

The Business Impact Analysis (BIA) identifies and prioritizes the business units, departments, operations, and processes that are essential for the continuous delivery of technologies and services to the organization. The BIA document outlines and defines the critical business systems in use at your organization, enabling you to prioritize critical systems to ensure the continued delivery of technology services and critical business functions in the event of a disruption.

Building high-availability production systems that recover as quickly as possible from multiple possible disruption scenarios requires careful planning, preparation, and robust recovery processes and procedures. VCSR analyzes systems, documents findings, and provides design recommendations based on the current state of IT infrastructure and required Recovery Time Objectives.

Conducting a BIA enables a company to develop systematic and logical recovery plans that allow it to respond rapidly and decisively to a crisis, reducing financial costs, downtime, harm to reputation, and other damage from a disaster. The BIA process prepares your team for negative events and equips an organization to react in the most effective way, allowing companies to allocate scarce resources where they will be most beneficial and make well-informed decisions during a crisis.

How we perform a BIA

VCSR distributes a set of Business Impact Analysis questionnaires to key leaders across your company’s departmental and technical functions. We then follow up with interview sessions to learn about the current state of your company’s capabilities for recognizing and responding to risks that would negatively impact all identified departments. These interviews with business leaders focus on identifying critical applications and other systems that require high-availability solutions. Additionally, each leader identifies critical processes and system dependencies for their department.

The goal is to determine the maximum outage and recovery timelines for systems and applications which, if exceeded, would cause significant financial loss (resulting from operational outage), reputational damage, loss of life, public health impact, or overall risk to your company and its organization. To determine these requirements, VCSR and your company perform the following actions:

  • Interviews: VCSR, in collaboration with your company’s point of contact, interviews staff to determine the critical business processes, services, applications, and systems used to conduct business.

  • Disaster Preparedness Artifacts Review: Your company supplies current-state Disaster Recovery (DR) and Business Continuity (BC) artifacts, including departmental BIA questionnaires, Access Control Plan, Risk Assessment Plan, Recovery Policies, Incident Response Plan, and Policies and Procedures. VCSR analyzes these as part of the Business Impact Analysis.

  • Infrastructure Artifacts Analysis: Your company supplies a current-state overview of technical infrastructure Recovery Time Objective (RTO) and Recovery Point Objective (RPO) specifications. VCSR analyzes these against questionnaire and interview responses as part of this risk preparedness review.

RTO & RPO

RTO stands for Recovery Time Objective, which is the maximum amount of time that a system, resource, or facility can be unavailable before causing serious disruption to the business. In other words, RTO is the amount of time that an organization can tolerate being without a particular system or process before it starts to impact the business. For example, if a company's RTO for its email system is four hours, it means that the email system must be restored within four hours of a disruption to avoid significant disruption to the business.

RPO stands for Recovery Point Objective, which is the maximum amount of data that an organization can afford to lose before causing serious damage to the business. In other words, RPO is the amount of data that an organization can afford to lose without causing significant harm to the business. For example, if a company's RPO for its customer database is one hour, it means that the organization can afford to lose up to one hour's worth of data before it starts to impact the business.

Both RTO and RPO help organizations identify the critical systems and processes that need the most urgent attention in the event of a disruption. By understanding the RTOs and RPOs, organizations can prioritize recovery efforts and ensure they are focusing resources on the most critical areas of the business.

What we identify

We organize resources according to the following categories:

  • Foundational. If these are offline for more than eight (8) hours, it will significantly impact safety, revenue-generating processes, or company reputation/operations.
  • Critical. If these are offline for more than 24 hours, it will significantly impact animal welfare, revenue-generating processes, or company reputation/operations.
  • Essential. If these are offline for up to 48 hours (about 2 days), it will begin to impact revenue-generating processes or company reputation/operations.
  • Important. If these are offline for more than 72 hours, it will begin to impact the ability of employees responsible for safety or other critical infrastructure.