Three Steps to Creating a Knockout Backup and Recovery Business Impact Analysis

Get what you need to start your Business Impact Analysis, including downloadable templates.

Version 1.0 | August 2015


2 © 2015 Dell, Inc. All rights reserved

Table of Contents

Introduction

An Important Element of a Disaster Recovery Plan

A BIA is One Element of a Disaster Recovery Plan

How to Develop Your Business Impact Analysis

Analysis Stage

BIA Instructions

Downloadable Tools


Introduction

Developing a business impact analysis (BIA) – a critical component of a comprehensive disaster recovery plan – is easier when you have the right tools to get you started. This document helps you get started.

A business impact analysis report identifies the possible consequences of a catastrophic data loss related to vital business systems.

Three Steps to Start your Business Impact Analysis

Get started on creating a business impact analysis for your organization by following these three steps:

1. Read this document illustrating the importance of a BIA, what information it should contain, and instructions on how to use the tools.

2. Use the Business Impact Analysis Assessment Tool, an Excel template you can use to collect critical information for the BIA. Download the templates here.

3. Use the Business Impact Analysis Executive Summary Template, a Word doc template you can use to build your BIA report. Download the templates here.


An Important Element of a Disaster Recovery Plan

A BIA identifies the possible consequences of a catastrophic data loss related to vital business systems — regardless of whether the data disaster is caused by human error, natural disaster, denial of service attacks or any other cause. An indispensable part of a company’s business continuity plan, the BIA report not only identifies weaknesses in IT systems, it must also offer a plan to diminish those risks.

It’s well understood that every business function is dependent on the continual operation of other business functions. But in the event of a catastrophe, clearly some rise above all others in priority. For instance, the organization can likely function normally when some limited internal systems shut down (in fact, this probably happens all the time). But we all know that not all system failures are that benign. In fact, some information systems are so critical to everyday business that if they fail, they may shut down operations completely.

While potential system crashes are likely to impact a multitude of areas, including reputation in the market, compliance, legal, QA and many more, it’s important to state the impact in financial terms for easy evaluation. Whether the BIA is developed internally, or outsourced to a specialist, ultimately, it must be presented in an easy-to-digest report specific to your organization.

A BIA report should look at the impact of the data catastrophe over time, prioritize resources and define approaches to recover. One of the key roles of a BIA report is to rank the criticality of business functions and recommend proper monetary resources be directed to the right areas to shield the business from losses. In fact, a company may end up spending significantly more on marketing after a disaster as a way to minimize any negative impact on the brand. A BIA report should capture that possibility.

The objective of the business impact analysis is to identify the most critical business systems, the technology requirements, and resources needed to normalize operations.


A BIA is One Element of a Disaster Recovery Plan

A BIA report is just one element of a comprehensive disaster recovery plan that should examine RTOs (recovery time objectives) and RPOs (recovery point objectives). The BIA report should identify all costs related to a potential system crash. This involves calculating the costs of downtime, the cost of total revenue lost, as well as non-recurring costs for things like hardware repairs. (Read our e-book, Downtime Costs How Much? Calculating the Business Value of Disaster Recovery, for more details on quantifying the costs of downtime).

The BIA report examines which IT systems are most critical to the organization, delves into the impact of the interruption of those systems, and quantifies the costs associated with a disaster, be they financial or non-financial.

Another critical part of a comprehensive disaster recovery plan is the risk assessment. Use the risk assessment to identify potential hazards and critical points of weakness. These can be natural disasters (earthquakes, tornadoes, flooding, etc.), systematic failures (power outages, supplier problems, electrical fires) or intentional attacks (DDoS or e-sabotage by disgruntled employees). The risk not only extends to the business, but can also include people, property, reputation in the industry, contractual commitments, supply chain, etc.

While undergoing risk assessment, examine the findings in your BIA report against a variety of situations. You can prioritize possible interruptions based on the probability of each hazard, and how likely it is to impact critical systems. You can also use your BIA report to rationalize your organization’s disaster recovery investments.

A BIA report follows no official standards, and each company may change the methodology by which they develop the BIA report. But once information has been gathered, a BIA typically requires that you:

• Evaluate your findings

• Draft a report documenting collected information

• Distribute findings to company leadership


How to Develop Your Business Impact Analysis

Typically, you will develop a thorough list of questions to pinpoint critical resources, processes, relationships and anything else that’s necessary to evaluate how much a disruption will impact the business. You may even want to set up a training session with key stakeholders at the organization who have deep knowledge and understanding of your organization’s most critical systems.

Collect information in whatever ways make most sense for your organization, whether they be face-to-face interviews, one-on-one calls, or surveys. As with any significant effort, follow-up may be needed.

Gather an accounting of the key actions that each segment of the business performs. Be sure to subjectively rank the importance of precise processes, as well as the groups that rely on those processes for everyday operations. You’ll also want to approximate the impact linked with each business function, including those non-financial impacts that may tarnish the brand. Document anything and everything needed to recover important systems, including staff overtime and hardware repairs, as well as the length of time it takes to go back to a working state.

You’ll also want to investigate the interconnection between the business, IT and other teams, as well as each potential point of failure, and identify how each impacts things like SLAs, staff, communication, hardware and funds needed to fully recover. For example, a good place to start is to identify the applications that maintain crucial business functions.

A BIA report should rank the most critical business operations, scrutinize the impact of an interruption, and list acceptable levels of downtime, losses, RPOs and RTOs. Furthermore, it should list the order of steps needed for recovery.

Be sure your BIA report includes an executive summary, a description of how you gathered data as well as any other details needed to present the information sufficiently to senior leadership. Charts, workflows and other diagrams also make it easier to illustrate probable losses and recovery recommendations.

You can also use your business impact analysis report to rationalize your organization’s disaster recovery investments.


Analysis Stage

During the analysis stage, you’ll want to scrutinize the hazards and rank things like RPOs, RTOs and uptime requirements according to key priorities. Once you’ve gathered all necessary information, it’s best to extend the review to key stakeholders who can validate the report findings.

Be sure to organize and retain details from each interview, descriptions, methodologies used to calculate costs, timeframes and inventories. These details will surely be needed during the validation process. In addition, it’s important to share early drafts of the report with key stakeholders who can share feedback that might be useful before you present the final report.

The objective of the BIA is to identify the most critical business systems, the technology requirements, and personnel resources needed to normalize operations. More importantly, it should state the time frame expected to restore normal operations.

You may find it challenging to identify the financial impact of losing a key business function, or measuring the impact of customer or market share loss. Be sure to consider things like postponements of sales, labor overtime, fines for regulatory non-compliance, contractual penalties and consumer discontent.

The business leadership to whom you present the report will then see the maximum allowable downtime and will therefore be able to approve, authorize or recommend a business continuity strategy and recovery plan ideal to maintain the availability, customer service and reputation your organization’s customers have come to expect.

Lastly, never consider a BIA report to be final. This should be a living document that requires review and updates periodically as the business changes and grows.


BIA Instructions

The BIA is designed to capture every Key Process along with its Dependencies, RTO, RPO and the Hard Dollar Loss to plan an efficient recovery strategy in the event of a disaster or outage. A Key Process is defined as those processes that are mandated by the legislature or customer. A BIA must be filled out for each Key Process. The Business Continuity and Recovery group will develop reports that will show the priority and criticality of each Key Process for Division and Executive management.

Accountability Section

The Accountability section of the BIA questionnaire will identify the manager, division and section that own the key process, along with the key personnel who fully understand how the complete process flows. It is recommended that the Subject Matter Expert (SME) for this key process be the Team Lead in filling out the BIA questionnaire. It may take a couple of SMEs to complete this questionnaire.

Key Process Description

This section summarizes the fundamental information for this Key Process. This section will determine the peak period(s) for this Key Process and whether or not manual procedures are needed and/or ready in the event of a disaster.

Recovery Point Objective (RPO)

The RPO is the point in time to which systems and data must be recovered after an outage. This section will determine the back-up strategies needed for this Key Process and/or validate the existing back-up strategy.

Please list the Mainframe and Server Applications used for this Key Process along with the RPO, type of mandate for each application, the location of the software (building the server resides in) and justification of the mandate.

If this Key Process is a state, federal or customer mandate, please explain the impact if the product or service is not delivered.


Recovery Point Objective (RPO) Section

This section will identify the period of time in which systems, applications or functions must be recovered. If this key process cannot take a break in service, meaning that all data entered is critical, then the RPO is within 24 hours. Back-up tapes should be kept off-site and should be updated weekly. In the event of a disaster, the plan may be that the Information Technology Division (ITD) will enact recovery processes from those tapes. Some key processes need a more frequent backup than once a week. If this is the case, please make sure you choose the proper timeframe in the Recovery Point Objective drop-down.

It is also essential to know if the section or division creates their own back-up and the location of that back-up. This data will help the ITD determine the best recovery strategy for this key process.

Recovery Time Objective (RTO) Section

This section is similar to the RPO in that it asks for the maximum allowable downtime. This section is specialized to resources whereas the RPO is specific to data. If a specific resource is needed to complete this key process, meaning that it is critical in getting to the completion of the key process, please indicate the longest amount of “downtime” that can be experienced before all recovery efforts would be lost.

Dependencies Section

This section will outline the flow of the key process. It is important to Business Continuity to know the who, the what and the when for each step of the key process. It is important to know the upstream and the downstream dependencies for each key process.

Hard Dollar Loss and Legal Implications Section

This section will outline the amount of hard dollar loss the agency will experience for this key process in the event of a disaster or outage. It is critical to determine the types of losses experienced and assign the amount of dollar loss for that loss category. This is to help the Business Continuity and Recovery Program and the Executive Steering Committee prioritize the recovery of key processes.
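
An added example (not part of the Dell whitepaper or its templates) showing how the fields these sections collect can be cross-checked once the questionnaires are in: the existing backup interval against the RPO, each process's RTO against its upstream dependencies, and a recovery order by total hard dollar loss. The record layout, field names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class KeyProcess:                      # one BIA questionnaire; field names are assumptions
    name: str
    rpo_hours: float                   # RPO: maximum tolerable data loss
    rto_hours: float                   # RTO: maximum allowable downtime
    backup_interval_hours: float       # how often the existing backup actually runs
    upstream: list = field(default_factory=list)   # Key Processes this one depends on
    losses: dict = field(default_factory=dict)     # loss category -> hard dollars

def effective_rto(name, procs, path=()):
    """A process cannot be back before every upstream dependency is back."""
    if name in path:
        raise ValueError("dependency cycle: " + " -> ".join(path + (name,)))
    p = procs[name]
    return max([p.rto_hours] + [effective_rto(u, procs, path + (name,))
                                for u in p.upstream if u in procs])

def review(records):
    """Return (findings, recovery priority order) for a list of KeyProcess records."""
    procs = {p.name: p for p in records}
    findings = []
    for p in records:
        for u in p.upstream:
            if u not in procs:
                findings.append((p.name, f"no BIA on file for dependency {u}"))
        if p.backup_interval_hours > p.rpo_hours:
            findings.append((p.name, "backup interval exceeds RPO"))
        if effective_rto(p.name, procs) > p.rto_hours:
            findings.append((p.name, "upstream RTO exceeds own RTO"))
    # Highest total hard dollar loss first; ties broken by the tighter RTO.
    ranked = sorted(records, key=lambda p: (-sum(p.losses.values()), p.rto_hours))
    return findings, [p.name for p in ranked]

# Constructed sample data, not taken from the whitepaper.
SAMPLE = [
    KeyProcess("claims-intake", 24, 8, 168, ["mainframe-db", "mail-room"],
               {"lost revenue": 50000, "contractual penalties": 20000}),
    KeyProcess("mainframe-db", 24, 48, 24, [], {"hardware repairs": 15000}),
    KeyProcess("newsletter", 168, 72, 168, [], {"staff overtime": 500}),
]

if __name__ == "__main__":
    findings, order = review(SAMPLE)
    for name, issue in findings:
        print(f"{name}: {issue}")
    print("recovery priority:", ", ".join(order))
```

In the constructed sample, the weekly tape cycle cannot meet a 24-hour RPO, and an 8-hour RTO is not achievable while the database it depends on is allowed 48 hours.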

Three Steps to Start your Business Impact Analysis

Get started on creating a business impact analysis for your organization by following these three steps:

1. Read this document illustrating the importance of a BIA, what information it should contain, and instructions on how to use the tools.

2. Use the Business Impact Analysis Assessment Tool, an Excel template you can use to collect critical information for the BIA. Download the templates here.

3. Use the Business Impact Analysis Executive Summary Template, a Word doc template you can use to build your BIA report. Download the templates here.


© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell, Dell Software, the Dell Software logo and products — as identified in this document — are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology — delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

If you have any questions regarding your potential use of this material, contact:

Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com

Refer to our Web site for regional and international office information.

For More Information

Ebook-BusinessContinuityStrategy-US-KS-26680