
Reasons for BIA

by Mark Rowe

Chris Huggett, Senior Vice President, Europe & India, at the IT services firm Sungard AS, discusses why regularly conducting a business impact analysis is so important.

Having strong, tailored business continuity (BC) plans in place is crucial to an organisation’s survival. But it’s not enough to just have them in place. Instead, they must continually evolve at pace with the organisation and the environment it finds itself operating within.

Most companies recognise the importance of performing a business impact analysis (BIA) prior to creating a BC plan. A BIA can identify core activities, the cost of disruption to processes, and the resources needed to support them. But too many organisations aren’t conducting a BIA regularly enough, which can have huge implications. The recent outage suffered by Google is a perfect example, with failures reported across the company’s services, including Gmail, Google Calendar and YouTube. A Google spokesperson reported the outage was caused by a failure in the company’s authentication tools, which could have easily been prevented by a thorough BIA.

According to a recent Forrester report on the State of Disaster Recovery Preparedness in 2020, most organisations don’t conduct BIAs with any consistency. Instead, they are often treated as a one-time exercise, or something done sporadically.

Here are five reasons for performing a BIA on a regular basis:

1. The ability to uncover new and updated application interdependencies

BIAs establish an organisation’s key products and services to determine how big an impact any disruption would have. They also show application interdependencies. A company’s main applications are likely built around other supporting applications that allow them to function successfully. If one of those is removed from the equation, the main application won’t continue to operate properly. Not mapping these out would suggest that a company is unaware of how the failure of a particular application may disrupt others alongside key business processes.

The same goes for adding new technologies. The more Software as a Service (SaaS) solutions a company has, the more external dependencies it’s reliant on, which only increases potential points of failure. Performing a BIA can help companies get to the bottom of the above, allowing them to have a clear picture of all the resources key activities depend on, determine their respective availability requirements, and address these as needed.

2. Understanding of third-party vendor risk

While a BIA focuses on a business’ own applications and facilities, it should also look at third-party vendors. Just like a business’ applications and systems change over time, so do vendors, who also have their own interdependencies and BC plans that are constantly evolving. Failure to keep up with these changes can also create risks. Organisations need to know that third-party partners will be there when needed. A BIA evaluates third-party risk to determine blind spots, and the more a company’s vendors change, the more it needs to stay on top of this process.

3. The ability to calculate the cost of downtime

Not only do companies need to know what their key applications are, but also how their downtime affects the business. The cost of a disaster is often tied to duration, and losing a core application for a few hours or even minutes can have drastic consequences.

Because some applications are more critical than others, tiering them for recovery can reduce expensive downtime – Tier 1 reserved for the most critical applications, followed by Tier 2 and Tier 3. As an organisation evolves, so will its mission-critical applications, and therefore re-evaluating the recovery strategy regularly using a BIA is an important step. Only then can companies identify impact levels – based on time – for each event, determine the necessary recovery objectives, create strategic recommendations for increased business resilience and availability, and then put these practices in place.

4. The ability to factor in new applications or consolidate resources

When a company rolls out a new application, everything changes. New applications tend to have tentacles that reach into many different processes. If organisations don’t stay on top of this, they won’t know how a disruption might impact key business activities.

The same goes for the consolidation of systems, environments, and facilities. For example, it’s likely plenty of BC plans rely on multiple buildings. If one location is shut down, an entire contingency plan may have been removed. Conducting regular BIAs will help companies stay mindful of how adding or reducing resources affects overall resiliency.

5. The ability to tie business needs to IT’s resilience posture

Performing regular BIAs gives the business side of the company a chance to weigh in on what IT and vendors are doing to support them, from the tiering of applications to contractual guarantees from critical vendors.

For instance, if the business side requires certain applications to remain available, a BIA will show whether these are in the cloud with real-time backup and replication as a Tier 1 application should be. The same level of criticality can be weighed and measured against vendors as well, ensuring there’s either a guarantee of availability or a secondary vendor to serve as a backup. BIAs confirm that IT’s resilience posture properly aligns with current business needs.

Ensuring company-wide coverage

Disruptions come in all shapes and sizes, many of which are out of a company’s control. The only thing it can control is how prepared it is when they happen. To lessen the effect and duration, organisations must continually adapt and improve their BC plans. The first step to achieving this is with a BIA.

A BIA is not a one-off activity. It must be revisited regularly to address any changes to the environment, including the addition of critical applications, switching vendors, consolidating facilities or systems, and more. Only then can organisations ensure they are resilient enough to withstand anything that comes their way.


© 2024 Professional Security Magazine. All rights reserved.
