BIA is a fancy term for a process for determining what is important for your business, and what the consequences to your business would be if it is lost/destroyed. This need not be solely electronic resources. If a retail store loses its storefront to fire, the business impact of that would be huge and it might need to look at upgrading its fire alerting and suppression system. For our purposes in IT, we need to understand what resources a business needs to function day-to-day, how current its data needs to be, and what the approximate cost of downtime would be.
How to get started with a BIA
Make a list of your critical business functions—services you provide, merchandise you sell, whatever. Try to estimate how much it would cost you every day each business function would be interrupted. Then under each item make a list of what is required to be able to deliver that item. You’d need to prevent or dramatically reduce the likelihood of each link in the chain to ensure full business continuity.
It can be difficult to know how much you should spend on this, though. Poets can do a back-of-the-napkin guesstimate, but non-poets may want to engage in some math here. You can take the cost to ensure redundancy for each item in the list, compare that with the cost of the outage multiplied by the percentage chance that an outage would occur, and generate a “scientific” DR return on investment number. In other words, you theoretically should not spend more to prevent the outage annually than you’re likely to lose.
Of course this equation doesn’t take into account loss of reputation or other intangibles, but it’s a good start. Let's use two examples:
Small non-profit day school in Rockville, 60 students, grades K-3.
A place like this can continue to deliver its key services to its students with its IT systems down, even for a number of days. Accounting information would need to be backed up daily, of course, but this organization could accept a relatively extended outage of its IT infrastructure in case of a disaster. What would be harder for it to accept is an outage of its land-line phones or loss of HVAC during the wintertime. IT business continuity planning would take that into account and perhaps recommend a relatively simple backup solution, but a secondary path for voice traffic in case the main PRI fails.
Consulting firm in McLean, Virginia, 80 employees.
This firm’s employees are billed at high hourly rates and have tight deadlines in a highly competitive market. They need access to databases, file shares, and email to perform their work. We determine that this firm will lose $55,000 each day in billable work if it cannot access its electronic resources. Even 99 percent uptime throughout the year could mean several business days of lost revenue. With the cost of down-time so high, it’s not enough to think purely in terms of backups--we may need to look at a warm DR site, hosted email, and/or a full terminal server implementation in a data center to provide the level of continuity required. These systems could be costly, both on an initial and ongoing basis, but the impact on the business is such that the cost of the business continuity investment is warranted by the risk.
As always, we are here to help you work through your business issues, so don't hesitate to reach out to us and ask for assistance.