Business Impact Analysis

6 Minute Read

DRI International (DRII) has developed an overview of professional practices designed to “assist the entity in the development and implementation of a BCM program.” In addition to being sound resiliency methods, these practices serve as a foundation for various DRII business continuity professional certifications.

With this resource as a guide, we at Send Word Now are briefly examining each professional practice, tying in relevant concepts surrounding emergency communications. Our third article in a series highlights DRII’s Professional Practice Three: Business Impact Analysis.

Business Impact Analysis
Bad things happen to good organizations. So how does one know where to invest limited resources to ensure the business continues to operate? Where is risk present, and what are the objectives for recovery? Enter the Business Impact Analysis (BIA), a focus of DRII’s professional practice three.

The ultimate goal of practice three is to identify the adverse effects events would have on an organization. Underlying this analysis is an agreed-upon set of criteria used to quantify and qualify these various impacts. According to DRI International, the business continuity professional’s roles in this phase include:

1. Identifying the criteria to be used to quantify and qualify the impact from events

2. Establishing the Business Impact Analysis (BIA) process and methodology

3. Planning and coordinating data gathering and analysis

4. Gaining leadership agreement on BIA methodology and the criteria to be used

5. Analyzing the data collected to establish Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each operational area (and the technology that supports them)

6. Documenting minimum resource requirements for resumption and recovery of business functions

7. Presenting BIA results to the organization’s leadership, and gaining acceptance of the RTO and RPO for each process

A DRII caveat here is, while the business continuity professional may be given the responsibility to manage the BIA, the real “ownership” of the BIA lies with the organization’s leadership, and the managers of the specific process being examined.

Business Impact Assessment and Emergency Communications
Emergency communications is one of the processes that should be evaluated when conducting a broader Business Impact Analysis. While it is critical the organization’s core functions are assessed, supporting processes and technologies, such as emergency notification, must be examined as well.

Specifically, business continuity managers should:
• Identify criteria for evaluating the impact of a loss (or lack of) rapid organizational communication and feedback

• Establish internal RTOs and RPOs surrounding the emergency notification process

• Choose an emergency notification vendor with a strong uptime guarantee, and fully understand the scope of their service level agreement

• Ensure organization leaders understand emergency notification and accept the internal RTO and RPO for this particular process

Business Impact Analysis receives a significant amount of attention from business continuity professionals these days. It is a critical component of building organizational resiliency. Including emergency notification processes within this assessment will help ensure the impact of communications is adequately considered and expectations are clearly defined.

If you’re interested in learning more about DRI International’s BCM certifications, you can find additional information here. Watch for future installments in this series.

It should also be noted DRI International is not listing these professional practices in order of importance, and suggests some of these may be undertaken in parallel with one another._