Now comes the time for us to identify which mission-critical systems must be made available during a disaster. Let's discuss how business impact analysis can help. The output of business impact analysis is generally a quantifiable measure that will help you prioritize your business continuity efforts. Your business impact analysis should be based on the products and services you offer, not necessarily the regions. Generally, the risk management program will identify any risks that the BCP must address, and the BCP should be aligned with that plan, and they should both feed each other.

This chart shows the outcome of business impact analysis. Consider that business operations halt due to a natural disaster. The business impact analysis will help you understand how quickly your business operations need to come back online, and it must be before the maximum tolerable downtime, MTD. This is the maximum amount of time your business can stay offline before it goes completely out of business. The impact to the operations will increase as the time they are down increases. The recovery time objective, or RTO, is how quickly you expect to come back online, and it should always be less than your MTD.

There are different ways for us to look at the impact from a threat. Quantitative measurement will look at the monetary loss from legal fines, loss of revenue, or cost of equipment. Qualitative measurement will identify non-numerical impacts, such as customer confidence and employee morale. It's common for us to use both measurements to develop a comprehensive impact analysis.

There are three steps to business impact analysis. In the first step, we identify and prioritize the business resources that are critical to the continuation. You create a list of your business operations and rank them in order of importance. This could be you identifying all of your assets and giving them an asset value in monetary terms.
We identify the maximum tolerable downtime, MTD, that we can handle before we are no longer able to recover. What is the amount of time that you can feasibly recover in? This is your recovery time objective. Your recovery time objective should always be less than the maximum tolerable downtime, MTD, as discussed earlier. The recovery point objective, or RPO, defines the point to which data should be recovered. This measures how much data you're willing to lose. If you find one hour of data loss tolerable, you should back up your files every hour.

In the second step, we identify all of our risks. Now there could be different types of risks from different types of threats. Hurricanes, earthquakes, and volcanic eruptions are natural threats. The human-made threats that pose risks are theft, explosion, power outages, war, lawsuits, etc. It doesn't have to be an all-inclusive list though. Simply identify common risks that many organizations in your industry face.

In the third step, we will list the likelihood of the risks at hand. This would be your annualized rate of occurrence. How many times per year can this risk materialize? This is based on advice from experts, government resources, industry publications, regional history, or the history of your own business and your competitors.

As previously mentioned, the business impact analysis provides quantifiable data to help with decision-making. This exercise results in identification of how quickly operations can be restored, how much data you can lose, and how much downtime you can handle before a significant financial and reputational loss. Each business function will have its own RTO, RPO, and MTD metrics. For example, restoration of an electronic medical records system will generally be of higher priority with little to no data loss. The business, on the other hand, may be more willing to lose a larger amount of system logs related to the HVAC system.
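
The two rules stated above (RTO must be less than MTD, and backups must run at least as often as the RPO allows) can be checked mechanically across a BIA register. The following is an added example, not part of the original lecture. The field names, the sample register values, the "Billing" function, and the choice to order functions by smallest MTD are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # recovery time objective
    rpo_hours: float              # tolerable window of data loss
    backup_interval_hours: float  # how often backups actually run (assumed field)

def check(fn):
    """Return findings where one function's metrics contradict each other."""
    findings = []
    # The RTO must be strictly less than the MTD.
    if fn.rto_hours >= fn.mtd_hours:
        findings.append(
            f"RTO {fn.rto_hours}h is not less than MTD {fn.mtd_hours}h")
    # Data written since the last backup is lost, so the interval bounds the loss.
    if fn.backup_interval_hours > fn.rpo_hours:
        findings.append(
            f"backup interval {fn.backup_interval_hours}h exceeds RPO {fn.rpo_hours}h")
    return findings

def review(register):
    """Order functions by smallest MTD first (assumed ranking) and attach findings."""
    ordered = sorted(register, key=lambda f: (f.mtd_hours, f.rpo_hours))
    return [(f.name, check(f)) for f in ordered]

# Constructed sample register; all values are illustrative, not from the lecture.
REGISTER = [
    BusinessFunction("HVAC system logs", 168, 72, 24, 24),
    BusinessFunction("Electronic medical records", 4, 2, 0.25, 1),
    BusinessFunction("Billing", 24, 24, 4, 4),  # hypothetical function
]

if __name__ == "__main__":
    for name, findings in review(REGISTER):
        status = "; ".join(findings) if findings else "consistent"
        print(f"{name}: {status}")
```
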