Business Impact Analysis

As recent disasters such as 9/11 and Hurricane Katrina have demonstrated, it is important for organizations to plan for unexpected interruptions to their business processes and to develop plans for dealing with such situations. This is particularly important in today's businesses that rely heavily on information that would be difficult if not impossible to recreate. Preparation for interruptions is done through the development of a business continuity plan that describes how an organization will recover and restore interrupted critical function(s) after an extended disruption due to disaster or other causes. An essential step in developing an appropriate business continuity plan is to perform a business impact analysis. This process helps identify the risk of exposure to specific threats to the organization and assesses their impact on the organization's functioning if a disaster should occur. The Federal Emergency Management Agency (FEMA) suggests a number of considerations for a business impact analysis.

There is a story of a doctoral candidate who had just finished his dissertation and put it in the back of the car so that he could take it to the university in order to have the final copy signed before being submitted to the graduate school for completion of his doctorate. It was a beautiful spring day and the man was full of the joys of knowing that one has just completed a major milestone in one's life and that the future is rosy. So, he carefully placed the requisite three copies of the dissertation in the back seat and proceeded down the road. However, the day was so beautiful that he decided to roll down the windows. As he pressed the accelerator toward the floor and felt the rush of the wind blowing on his face, his joy soon changed to horror as he watched helplessly as the clean white pages flew out the window and blew down the road.

The worst could have been avoided had the doctoral candidate avoided taking such risks. The candidate could have kept the windows of his car rolled up tightly and kept backup copies (digital and hardcopy) at several different (safe) locations.

The loss of information is not only of concern to poor graduate students without the means or time to recreate their dissertations. As anyone who has ever experienced a computer crash knows, the loss of data and information can be devastating. Without backups of data and information, as well as application software and operating systems, it can be extremely difficult if not impossible to recreate the information stored on one's computer. If this happens to a business, the problem can be multiplied untold times to the point where it is impossible to recover. For this reason, not only data but entire computer systems and their concomitant software programs are regularly backed up.

Sometimes, however, conveniently available backups are insufficient to recover from a disaster. As the tragedies of September 11, 2001, and Hurricane Katrina should have taught us, it is not always sufficient to have a backup disk in the computer lab or even elsewhere in the building. In fact, sometimes it is not sufficient to have a backup disk on the same block or even in the same area of town. By definition, disaster is widespread. By definition, also, disasters are unexpected. In order to face disaster and recover from it, therefore, one must plan for the unexpected and prepare for it.

The Importance of Backup Systems

Of course, in many (if not most) situations, it is impossible to back up everything. From a purely software point of view, one could conceivably back up all data as well as all application and operating systems programs. However, having these things available to recover after a disaster may not be sufficient. For example, if the building in which the business resided was destroyed by a fire, the hardware would also have to be replaced. In some situations, this might only mean that a new computer system would have to be obtained using expedited delivery and new facilities leased in order for the business to be up and running within the week.

In other cases, however, these actions might be insufficient. Getting the power grid, telephone system, or emergency services up and running after a disaster can be of paramount importance. In such cases, waiting a week may not be an option, not only for the success of the business but, more importantly, from the standpoint of the potential for lives lost if such services could not be quickly restored. This is why there are extensive backup systems and facilities for many such organizations. Although most business organizations do not provide critical lifeline services, interruption of business processes for an extended period of time can be devastating to an organization. Therefore, every business is well-advised to develop a business continuity plan. Particularly in many of today's businesses that rely so heavily on information as their stock in trade, it is essential that data and concomitant systems be backed up and a plan put in place to recover in case of a disaster.

Business Continuity Plans

A business continuity plan (also referred to as a disaster recovery plan or a business process contingency plan) is a logistical plan that describes how an organization will recover and reestablish interrupted critical function(s) after an extended disruption due to disaster or other causes. Business continuity plans are written to address the possibility of loss of an organization's facility or access to it, loss of information technology, loss of people, or loss of one or more elements of the supply chain. A business continuity plan comprises the actions and procedures necessary to restore any data lost when a system stops functioning. The plan should consider both how to minimize the negative impact of a potential disaster and how to maintain or quickly regain normal operations after a disaster occurs. Business impact analysis is the process of identifying the risk of exposure to specific threats to the organization and assessing the impact of these threats should a disaster occur. The three phases of developing a business continuity plan are shown in Figure 1.

[Figure 1: The three phases of developing a business continuity plan]

Risk Assessment

Part of the task of developing a business continuity plan is to assess the degree of an organization's risk that is associated with various potential disasters. Risk assessment is the process of determining the potential loss, probability of loss of the organization's objectives, and the concomitant impact on the business. Risk assessment will help the organization perform risk management by analyzing the tasks and activities of the organization, planning ways to reduce the impact if the predicted normal course of events does not occur, and implementing reporting procedures so that project problems are discovered earlier in the process rather than later.

During risk assessment, the various risks that could affect the organization are defined and the probability of their occurrence is estimated. However, not all risks are equally pressing, so their relative impact needs to be estimated. For example, for a business located in Washington, DC, it is more important to plan for recovery after a terrorist attack, fire, or tornado than it is to plan for recovery after an elephant stampede. Similarly, without additional information that changes the probability of occurrence, it would be unsound practice to spend a large amount of money to prepare for the possibility of a flood in a desert area. However, no matter how one tries to quantify risk, the perception of risk is always a subjective thing. In addition, risk assessment must also take into account the severity of the impact if the risk is incurred. For example, the planning for a high impact but low probability risk does not eliminate the need to plan for a lesser impact, high probability risk. In addition, there are things that one can do to reduce the probability that a fire will occur. Similarly, in many organizations although the loss of data could be disastrous, the loss of the hardware would be less so since hardware can be more easily replaced. Business impact analysis is a type of risk assessment.

Business Impact Analysis

During business impact analysis, data and information are collected from each business unit in the organization to determine what standards or regulations must be upheld in an emergency situation. The analysis describes and prioritizes the tasks within each unit, and identifies the resources necessary to perform the critical tasks (without which essential business processes cannot proceed). These tasks are usually evaluated on the basis of the recovery time objective -- the time goal for reestablishing and recovering the business functions and resources. The recovery time objective should be prioritized and take into account any interdependencies between processes and functions as well as any possible economies of scale. Not all processes and functions within a business unit or department have the same recovery time objective. For example, although it might be necessary to recover telephone technical support of the customer service department within minutes of interruption, other functions within the department (e.g., development work) could be delayed significantly longer without impacting the organization's effectiveness. Although it might be possible to recover many or all of the processes or functions in the organization quickly, in most cases this would also entail excessive expense. A properly conducted business impact analysis can help cut down on unnecessary expenses during the recovery period.

In addition to analyzing the impact on the effectiveness of the various internal business processes, it is also important to analyze the impact of interruption of processes external to the business. The inability to obtain raw materials, supplies, or component parts from one's supply chain could bring a business process to a halt if there is not a continuity plan. This is particularly true if there is only one source for the input. Similarly, one must also consider the other side of the supply chain, including the transportation of products to warehouses or retail outlets, or an interruption in those facilities. Although some business interruptions may affect only the organization or one of its facilities, other interruptions may be caused by area-wide disasters. The business recovery plan should plan for such contingencies.

Applications

Considerations When Performing Business Impact Analyses

Critical Products, Services & Operations

The United States government Federal Emergency Management Agency (FEMA) suggests a number of considerations for a business impact analysis. Before a business continuity plan can be developed and implemented, an organization must first identify its critical products, services, and operations. The areas considered in this part of the analysis should include such things as the products and services offered by the organization as well as the facilities and equipment needed to produce them; the products and services that are provided by suppliers or vendors (particularly if these are sole source); "lifeline" services such as electricity, water, sewer, gas, telecommunications, and transportation; and which operations, equipment, and personnel are vital to the continued functioning of the facility or organization. In addition to the primary systems that are necessary to keep the organization functioning, one must also consider support functions that also need backup. These include payroll, communications, customer service, shipping and receiving, and information systems support (Disaster, n.d.).

Potential Disasters

The next step in determining the impact of various disasters on a business is to determine what potential disasters may befall and to assess the probability of occurrence and the potential impact of each. Disasters to be considered include not only those that could occur within the organization (e.g., a fire), but also those that could affect the entire community (e.g., a hurricane). The latter type of disaster could affect lifeline services as well as make other resources more difficult to obtain than would a disaster that only affected the organization's facility.

It is, of course, very difficult to consider all the possible emergencies with which an organization could be faced. However, there are several categories that should be considered and that can help guide this part of the analysis (Disaster, n.d.).

  • Historical emergencies comprise those things that have happened in the past in the community in which the organization is situated or at the organization's facility or at other facilities in the area. Examples of this kind of emergency include fires, severe weather conditions (e.g., hurricanes, tornadoes), hazardous material spills, transportation accidents, earthquakes, terrorism, and utility outages.
  • Potential geographic disasters include those that can happen as a result of the facility's physical location. These include such factors as proximity to flood plains, seismic faults, or dams; proximity to facilities that produce, store, use, or transport hazardous materials; proximity to major transportation routes and airports; and proximity to nuclear power plants.
  • Technological disasters are those that could arise from a process or system failure. Examples include fire, explosion, or hazardous materials accident; failure of a safety system; failure of telecommunications systems (e.g., for networks); failure of a computer system; power failure; heating/cooling system failure; or emergency notification system failure.
  • Another general type of disaster results from human error. The probability of this type of disaster can be reduced through proper training in job tasks and in emergency procedures. Examples of human error that can have disastrous effects on an organization's functioning include lack of adequate training for personnel; poor equipment maintenance (due to poor training of maintenance technicians, inadequate procedures, or failure to follow procedures); and carelessness, misconduct, fatigue, or substance abuse.
  • Disasters can also result from the physical design or construction of the facility. Things to be considered include the construction of the facility, any hazardous processes or byproducts, safety of the facilities for the storage of combustible materials, layout and location of the equipment, lighting, availability of evacuation routes and exits, and the proximity of shelter areas. The analysis should also consider any potential emergencies or hazards that the business is regulated to consider.

Estimation of Likelihood & Impact

Once a list of potential causes of emergency situations or disasters has been developed, the next step necessary to determine their impact on the business is to estimate their likelihood of occurrence. Although the resultant number is subjective, this task is an important part of risk analysis and necessary to determine the potential impact of each cause on the business.

Once probabilities have been assigned to each of the potential disaster causes, one can assess the potential impact of each on the business. This step involves the estimation of the impact of the various types of disasters on the organization's market share. Considerations during this part of the analysis should include such items as loss due to an interruption of the business, inability of the employees to report to work, inability of customers to reach the organization's facility, impact due to inability to meet contractual requirements (including loss of future business and imposition of fines, penalties, or legal costs), and interruption of the supply chain (both of parts and supplies to the facility and products from the facility). A sample form for performing these estimates is shown in Figure 2.

[Figure 2: Sample form for estimating the likelihood and impact of potential disasters]

Conclusion

A business continuity plan is a logistical plan that describes how an organization will recover and reestablish interrupted critical function(s) after an extended disruption due to natural disaster, sabotage or terrorism, or other cause. Particularly in businesses that rely heavily on information, it is essential that data and concomitant systems be backed up and a plan put in place to recover in case of a disaster or other type of business interruption. Otherwise, the organization may not only lose short-term profits, but long-term market share as well. Business impact analysis is an essential part of developing a business continuity plan. This process includes identifying the risk of exposure to specific organizational threats and assessing the impact of these threats should the unthinkable occur.

Terms & Concepts

Application Software: A software program that performs functions not related to the running of the computer itself. Application software includes word processing, electronic spreadsheets, computer graphics, and presentation software.

Business Continuity Plan: A logistical plan that details how an organization will recover and reestablish interrupted critical function(s) after an extended disruption due to disaster or other causes. Business continuity plans are written to address the possibility of loss of an organization's facility or access to it, loss of information technology, loss of people, or loss of supply chain. Business continuity plans are also known as disaster recovery plans or business process contingency plans.

Business Impact Analysis: The process of identifying the risk of exposure to specific threats to the organization and assessing the impact of these threats should they occur.

Business Process: Connected activities that take input into the organization and transform it into output that is distributed to the customer. Business processes include all activities associated with management, operations (e.g., purchasing, manufacturing, marketing), and administration (accounting, human resources).

Disaster: Any event that prevents the continuation of normal functioning of the organization's business processes and functions.

Information System: A system that improves the flow of information and data between people or departments.

Market Share: The proportion of total sales of a given type of product or service that are earned by a particular business or organization.

Recovery Time Objective (RTO): The time goal for reestablishing and recovering a business's functions and resources.

Risk: The quantifiable probability that a financial investment's actual return will be lower than expected. Higher risks mean both a greater probability of loss and a possibility of greater return on investment.

Risk Assessment: The process of determining the potential loss and probability of loss of the organization's objectives. Risk assessment is one step in risk management.

Risk Management: The project management process of analyzing the tasks and activities of a project, planning ways to reduce the impact if the predicted normal course of events does not occur, and implementing reporting procedures so that project problems are discovered earlier in the process rather than later.

Supply Chain: A network of organizations involved in the production, delivery, and sale of a product. The supply chain may include suppliers, manufacturers, storage facilities, transporters, and retailers. Each organization in the network provides a value-added activity to the product or service. The supply chain includes the flow of tangible goods and materials, funds, and information between the organizations in the network.

Bibliography

Henry, A. (2006). Developing a business continuity plan. Rural Telecommunications, 25(6), 14-20. Retrieved October 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=23337414&site=bsi-live

Disaster information. FEMA. Retrieved 26 July 2010, from http://www.fema.gov/hazard/index.shtm

Mazouz, A., Crane, K., & Gambrel, P. A. (2012). The impact of cash flow on business failure analysis and prediction. International Journal of Business, Accounting, & Finance, 6(2), 68-83. Retrieved November 26, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=83173535&site=ehost-live

Sikdar, P. (2011). Alternate approaches to business impact analysis. Information Security Journal: A Global Perspective, 20(3), 128-134. Retrieved November 26, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=60900178&site=ehost-live

Wahle, T. & Beatty, G. (1993). Emergency management guide for business and industry: A step-by-step approach to emergency planning, response and recovery for companies of all sizes (FEMA 141). Retrieved 26 November, 2013, from FEMA Website. http://www.fema.gov/pdf/business/guide/bizindst.pdf

Wright, T. (2011). Can business impact analysis play a meaningful role in planning a cost-saving programme? Journal of Business Continuity & Emergency Planning, 5(1), 400-408. Retrieved November 26, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=61819907&site=ehost-live

Suggested Reading

Anderson, J. D. (2007). How's your disaster recovery plan? CPA Technology Advisor, 17(4), 58-59. Retrieved October 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=26379774&site=bsi-live

Fitzpatrick, G. (2007). Risk intelligent enterprises business impact analysis benefits. Accountancy Ireland, 39(1), 38-41. Retrieved October 8, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=24040967&site=bsi-live

Hudson, R. (2000). Business continuation demands planning. Business Insurance, 34(25), 17-18. Retrieved October 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=3571817&site=bsi-live

Semer, L. J. (1998). Disaster recovery planning for the distributed environment. Internal Auditor, 55(6), 40-46. Retrieved October 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=1401195&site=bsi-live

Smith, J. (2013). Strategic continuity planning: The first critical step. Journal of Business Continuity & Emergency Planning, 7(1), 6-12. Retrieved November 26, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=91896038&site=ehost-live

Vozar, R. (2013). Disaster preparedness. Smart Business St. Louis, 6(6), 20. Retrieved November 26, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=88179354&site=ehost-live

Essay by Ruth A. Wienclaw, Ph.D.

Dr. Ruth A. Wienclaw holds a Doctorate in industrial/organizational psychology with a specialization in organization development from the University of Memphis. She is the owner of a small business that works with organizations in both the public and private sectors, consulting on matters of strategic planning, training, and human/systems integration.