Business impact analysis for business continuity: BIA for small business
Read this example of business impact analysis (BIA) for a small business from "Business Continuity & Disaster Recovery for IT Professionals" to make the process more tangible.
Let's look at an example to help make this entire process a bit more tangible. A company of about 125 employees works out of a single location. They're situated in a light industrial area surrounded by warehouses and wholesalers. They sell a variety of specialty building hardware such as hard-to-find latches, fasteners, locks, and more. They purchase products from a variety of manufacturers and distributors and sell to a niche market in their region. These customers call in orders periodically. They also run a Web site that has seen sales grow significantly in the past three years, so that Web sales are now equal to non-Web sales.
The company, which we'll call ABC Hardware, does about $20 million a year in sales, about half of that online. Their facility is a large space comprised mostly of warehouse space with some office space. They ship and receive packages daily for Web operations and they ship weekly for their non-Web customer orders.
This company's risks include:
- Risk of fire in the building
- Risk of flooding in the area
- Risk of chemical spill in the area
- Risk of upstream/downstream losses by suppliers, vendors, customers
Let's focus on the risk of a fire in the building. If a fire struck the building, the damage might be contained to one of the areas, either warehouse or office. If the warehouse experienced a fire, inventory would be damaged and the ability to process inventory (receive, pick, pack, ship) would be impaired. If the office area were to have a significant fire, computer systems, including the inventory management system, would be damaged or destroyed.
So, what are the critical business functions impacted by a fire in the warehouse? First, we have the sales function because inventory would be damaged. Second, we have the inventory function because physical systems for managing inventory would be damaged.
What are the processes impacted by a fire in the warehouse? The company has processes in place for the following:
- Picking orders.
- Packing orders.
- Staging orders for shipment.
- Tracking shipments.
- Receiving new inventory.
- Stocking new inventory.
- Updating inventory systems with shipping and receiving data.
- Managing damaged or missing inventory.
- Processing returns of damaged or wrong items.
- Inputting inventory data into inventory system.
- Replenishing packing materials.
- Repairing warehouse equipment.
- Cleaning warehouse areas.
You can see from the list that items 11 through 13 are not critical processes. Other items on the list may not be mission-critical either, but we started with a full list of what goes on in the warehouse. If a fire engulfed the warehouse area, it's possible the building would be off-limits due to safety concerns, the offices might be filled with smoke and unusable, and the inventory might be smoke and water damaged by the fire suppression systems or by the water the fire department would hose in to put the fire out. Therefore, let's assume that a fire would impact all these processes listed. The company has no inventory it can ship to customers. What are the most important processes that have to get back up and running in order for the company to generate revenue and continue operations?
Remember, there are probably 14 other companies out there that are waiting for ABC Hardware to falter so they can swoop in and steal ABC's customers. ABC cannot afford to wait around for the water to dry and the smoke to clear before getting back into business. So, let's look at these first 10 items, along with criticality and comments, shown in Table 4.3.
Table 4.3 Example of Business Process and Criticality for Small Business
|Picking orders||Mission-critical||Orders cannot be picked if inventory is damaged.|
|Packing orders||Mission-critical||Orders cannot be packed if they are not picked.|
|Staging orders for shipment||Mission-critical||Orders cannot be shipped if not picked and packed.|
|Tracking shipments||Mission-critical||Orders cannot be shipped if not picked and packed.|
|Receiving new inventory||Important||New inventory can be added to inventory system.|
|Stocking new inventory||Minor||New inventory can be added to inventory system.|
|Stocking new inventory||Minor||New inventory cannot be stocked until damaged inventory is addressed.|
|Updating inventory systems with ship/rec data||Mission-critical||No shipments going out but incoming inventory should be added so the company knows how much good inventory they have. Damaged inventory should be removed from stock as quickly as possible.|
|Managing damaged/missing inventory||Mission-critical||Normally, managing damage inventory is a minor process. In the aftermath of a fire, damaged inventory should be processed as quickly as possible to enable the company to dispose of it as quickly as possible.|
|Processing returns of damaged/wrong items from customers||Minor||New inventory cannot be stocked until damaged inventory is addressed.|
|Inputting inventory data into inventory system||Mission-critical||In order for the company to sell its products, it needs to know, very quickly, what inventory it has that is sellable and what inventory it has that is damaged and must be discarded.|
As you can see from this example, what normally might be high-priority processes shift to lower priorities in the aftermath of a fire. The key to recovery for this company is to sort out its inventory quickly so it knows what it can and cannot sell to customers. The IT systems are not damaged (though a few warehouse computers might need to be replaced) and order processing can still occur. This includes taking phone and online orders, processing orders, comparing orders to inventory levels, charging customer accounts or credit cards, and recording customer data (address, phone, etc.). Thus, the sales function for the company is relatively unharmed but the ability of the company to process and fulfill those sales is impacted.
The business impact analysis for this company now has identified the critical functions in the warehouse with regard to sales, inventory management, and shipping/receiving. The list is not exhaustive. For example, it does not include shipping supply replenishment. In the immediate aftermath of the fire, shipments cannot go out so this isn't a problem. However, it's likely that shipping supplies have been destroyed either by fire, smoke, or water, and need to be replaced before any shipments can go out. If the entire warehouse is impacted, there may be no saleable inventory and shipments will have to wait. In other cases, there may still be saleable inventory and the lack of shipping supplies would actually become a major problem. Therefore, replenishing shipping supplies as a process in the aftermath of a disruption might be mission-critical. This is how walking through scenarios helps you see the mission-critical processes more clearly.
What is the maximum tolerable downtime for these critical business functions and processes? Some of this company's customers are custom homebuilders who are working on tight timelines. They will not wait for a delayed order from ABC Hardware and will look elsewhere for these products. Therefore, ABC believes that with most of their orders, they have one week to recover operations before they begin losing serious revenue. In the risk mitigation phase of their assessment, this company's staff can devise a number of strategies to deal with this scenario either to prevent a fire from occurring or to create alternate fulfillment strategies in the event a fire does occur.
You can continue to expand this example to include other data. For example, you can include the expected financial impact, as shown in Table 4.4. The example is not complete but just shows the beginning of this process as a sample of how you might capture financial impact data. The first function, the sales function, in this example, is not immediately impacted by the fire in the warehouse. Sales are still generated through the Web site and sales people may still be able to access CRM systems and other sales tools to generate sales. The problem is not on the sales generation side but the order fulfillment side. At some point, the company's inability to process inventory and orders will affect sales. Customers whose orders are delayed may cancel, rumors may cause other customers to order from your competitors. If you can't receive new inventory or ship out existing orders, these will eventually impact sales, but not immediately. If you can forecast the delayed financial impact, that's great, but if you can't, just make a note that there is one down the line. We've also included an increased cost for customer service. If you have a fire and word gets out, customers may call about their orders, call to change or cancel their orders, or call to get assurance their order is in process. This may generate more work for customer service, which may need to bring in temporary help to staff the phones or work overtime to handle the increased volume.
Table 4.4 Financial Impact Example
|Business Function||Business Process||Financial Impact|
|Sales||Generating new orders||Delayed impact|
ders Shipping ord
|$2,000 per day
$10,000 per day $
4,500 per day
|Customer service||Handle customer problems||$3,000|
So far, we've seen little or no IT impact. The damage was contained to the warehouse and other than three computers used at the shipping and receiving stations, there was no other impact to IT. However, there are other IT tie-ins. For example, how will the company know the exact status of the inventory? When was the last inventory count performed? What is the status of the orders that were picked and packed -- were they shipped or not? Which customer orders went out and which were on the dock awaiting shipment? Which returns were on the dock when the fire started and which were already processed? As you recall from our discussion in this chapter, there is usually a lag between the last backup or the last known good state and the time of the business disruption. In this case, the company needs to quickly figure out the current status of its inventory as well as the status of customer sales and returns. It needs to know exactly what the status of everything is so that it can figure out what to do and in what order. IT may need to run special reports, print out inventory, shipment, or order lists in order to help warehouse functions get up and running again. These are disaster recovery tasks that the warehouse and IT staff will have to work together on to determine what might be needed.
You can extend this scenario and ask, what if the IT systems were located next to the warehouse and they were destroyed by fire? What if the fire started in the server room and spread to the warehouse? Now the scenario has changed significantly because not only do you have damaged inventory and uncertain status of shipments but you don't have IT system data immediately available to help sort things out. Sales data, inventory status, payables, receivables are all unavailable. The server room is charred, all systems are unusable. Now what?
Let's extend this just a bit so you can get the bigger picture. Table 4.5 shows some of the other operational impacts that might occur as a result of a warehouse fire. The impact on operations shows, for example, that customer perception is not impacted in the sales function. Customers may or may not know about the warehouse fire and if they can still place their order via the phone or Web, there is no immediate impact to customer perception. The same holds true for the customer perception of picking and packing orders. Customers usually don't know how their order shows up at their door (nor do they usually care), they care that the right products show up on time. Therefore, we begin to see a customer perception impact in the processes of "ship orders" and "receive inventory." If inventory can't be shipped, customers don't receive their orders as promised and this impacts customer perception. If inventory can't be received, it isn't available for sale and the customer sees that products are out of stock. We won't go through every cell in the grid, but you can use this to understand how various operations are impacted by a warehouse fire. The employee impact, in this case, is focused on warehouse staff, who are highly impacted by the warehouse fire. Though we did not do it in this example, you could also document the key knowledge and expertise needed to carry out these functions. For example, the key skills needed in this case are people who know how to manage inventory so that orders are properly filled and inventory levels are properly tracked. This data can be added, as appropriate. The same can be done for the IT side of the process. If IT systems were down, which processes would be impacted and how would other operations be impacted? What skills and expertise would be needed for workarounds and recovery?
Table 4.5 Operational Impact of Warehouse Fire
|Business Function||Business Process||Cash Flow||Investor/Market Confidence||Market Share||Competitive Position||Customer Perception||Employee /Impact|
|Sales||Generate new orders||Medium||Medium||Medium||High||N/A||Low|
|Customer service||Handle customer problems||Low||Low||Low||Medium||High||High|
As you can see, this scenario focused just on the warehouse department. The warehouse manager or someone designated by the manager should participate in this business continuity planning process. Only someone working in the warehouse is going to be familiar enough with the various day-to-day processes to generate a realistic view of the impact of various business disruptions. Once they have walked through all the risk scenarios (we mentioned fire, flood, chemical spill, and upstream/downstream impacts earlier), they can assign the criticality, the maximum tolerable downtime, the operational impact, financial impact, and the employee impact.
You may also choose to include additional columns in your impact table (or in your analysis if you choose not to use a tabular format) such as the financial impact and the legal impact. In this scenario, we also could have included the dependencies. Sales are impacted by the availability of inventory data (you can't sell inventory you don't have on hand or on order). Receivables are impacted by the ability to pick, pack, and ship inventory. Payables are impacted by the ability to receive inventory and manage missing/damaged inventory. Payroll is impacted by having to work additional hours to manage inventory damage from the fire as well as to perform work outside the normal scope of warehouse operations. Expenses go up because additional supplies must be purchased to replace the supplies lost in the fire. Sales are down because shipments cannot go out until inventory is adjusted and some customers have purchased elsewhere. The building has to be cleaned by a professional company that specializes in recovering from fire damage and that impacts operations and increases the company's expenses with an unplanned expenditure.
What you'll discover from this process is that as you walk through these scenarios, you'll begin getting ideas about how to mitigate the impact of these disruptions. In Chapter 5, when we discuss mitigation strategies, you'll find that one mitigation strategy might be helpful for three or four different risk scenarios. Thus, what would reduce your risk in the event of a fire might also be an excellent strategy for mitigating the risk of flooding or a chemical spill in the area. These economies are found only by thoroughly assessing risks and impacts so you can see the big picture and develop optimal mitigation strategies.
Now that you have identified the critical business processes for the warehouse department, you can also look at the impact a flood would have. For example, if employees cannot get to work, if trucks cannot come in to deliver inventory, if trucks cannot pick up shipments, many of these activities are impacted. If the warehouse area is flooded, you have a similar problem as you did with a fire. If the area surrounding the building is flooded but your inventory and IT systems remain in tact, you have a different set of challenges.
By identifying the critical business functions and processes, you can clearly see the impact various risk sources would have on the business. You can assign criticality and maximum tolerable downtime in preparation for developing effective strategies for addressing these risks.
If you were to continue with this example, you would define specific recovery objectives based on criticality, you would identify organizational and system dependencies, and you would define work-around procedures that could be used. This would comprise the impact analysis for the warehouse department for the risk of fire. If you expand it to include the same assessments for each threat source identified in your risk assessment, you would have a comprehensive impact analysis for your warehouse department. Each department in the company would complete this process and you'd have the risk assessment and impact analysis for the entire company. As you can see from just this small example, it's a large undertaking and may well take more time than any other part of your project. Allow enough time to get this completed but don't let it get long and drawn out. Most of this can be completed by departments in a reasonable amount of time, though the more complex the business systems, the longer it will take to perform this assessment.
Use the following table of contents to navigate to chapter excerpts.
Business Continuity and Disaster Recovery for IT Professionals
Home: BIA for business continuity: Introduction
1: BIA for business continuity: Overview
2:BIA for business continuity: Upstream and downstream losses
3:BIA for business continuity: Understanding impact criticality
4:BIA for business continuity: Recovery time requirements
5:BIA for business continuity: Identifying business functions
6:BIA for business continuity: Gathering data
7:BIA for business continuity: Data collection methodologies
8:BIA for business continuity: Determining the impact
9:BIA for business continuity: Data points
10:BIA for business continuity: Understanding IT Impact
11:BIA for business continuity: BIA for small business
12:BIA for business continuity: Preparing the BIA report
|ABOUT THE BOOK:|
|Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity & Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops – among other tools. Purchase the book from Syngress Publishing|
|ABOUT THE AUTHOR:|
|Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC has over 20 years experience working in IT in both technical and executive positions including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Masters degree in Business Administration (MBA) and a Bachelors degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.|