Business impact analysis for business continuity: Determining the impact

This excerpt from "Business Continuity & Disaster Recovery for IT Professionals" lists some specific impacts disasters have on business.

We've delineated some of the more common business functions. Now, let's turn our attention to some of the specific impacts to a business. As with other lists, this one is extensive but not necessarily exhaustive. Be sure to review this list and remove any items that do not pertain to your business and add any elements that are not included that do relate to your business. Remember, too, that a business disruption can run that gamut from a hard drive failure to an earthquake that levels your building to a pandemic that impacts an entire region or nation. Once you've looked at all the potential impact points, we'll discuss specific data points to collect and analyze as well as how to put those together with your risk assessment data. The impact of any business disruption may include:

  1. Financial. Loss of revenues, higher costs, potential legal liabilities with financial penalties.
  2. Customers and suppliers. You may lose customers and suppliers due to your company's problems or you may lose customers or suppliers if they experience a business disruption or disaster.
  3. Employees and staff. You may lose staff from death, injury, stress, or a decision to leave the firm in the aftermath of a significant business disruption or natural disaster. What are the key roles, positions, knowledge, skills, and expertise needed?
  4. Public relations and credibility. Companies that experience business disruptions due to IT systems failures (lost or stolen data, modified data, inability to operate due to missing or corrupt data, etc.) have a serious public relations challenge in front of them. These kinds of failures require a well-thought-out PR plan to help support business credibility. What impact would system outages or data losses have on your public image?
  5. Legal. Regulations regarding worker health and safety, data privacy and security, and other legal constraints need to be assessed.
  6. Regulatory requirements. You may be unable to meet minimum regulatory requirements in the event of certain business disruptions. You need to fully understand these regulations and their requirements related to business disruptions, both natural and man-made.
  7. Environmental. Some companies may face environmental challenges if they experience failures of certain systems. Understanding the environmental impact of system and business failures is part of the business impact analysis phase.
  8. Operational. Clearly operations are impacted by any business disruptions. These must be identified and ranked in terms of criticality.
  9. Human Resources. How will staff be impacted by minor and major business disruptions? What is the impact of personnel responses to business operations? What are the qualitative issues to be addressed (morale, confidence, etc.)?
  10. Loss Exposure. What types of losses will your company face? These include property loss, revenue loss, fines, cash flow, accounts receivable, accounts payable.
  11. Social and corporate image (strongly tied to public relations). How will employees, customers, suppliers, partners, and the community view your company? How will its image be altered by a minor or major business disruption?
  12. Financial community credibility. How will banks, investors, or other creditors respond to a minor or major business disruption? If the cause is a natural disaster, the challenges are different than if the cause is man-made. If the company failed to secure or protect data or resources, there are additional consequences both to the corporate image and to the company's credibility in the marketplace.

(Adapted from the Disaster Recovery Institute)

After you've compiled a list of your business functions and processes, you should assign a criticality rating to them. Payroll, accounts payable, and accounts receivable usually qualify as mission-critical business processes. Furniture requisitions for new employees usually fall to the bottom of the list as minor. Rate all your identified business processes and sort them in order of criticality. You might end up with a table or matrix that looks something like that shown in Table 4.1.

Table 4.1 Business Function and Criticality Matrix

Business Function Business Function Criticality
Human Resources Payroll
Employee background check
Mission Critical
Finance Debt payments/loan servicing
Accounts recievable
Quarterly tac filings
Mission Critical
Mission Critical
Mission Critical
Marketing and Sales Customer sales calls
Customer purchase hitory
Mission Critical

Use the following table of contents to navigate to chapter excerpts.

Business Continuity and Disaster Recovery for IT Professionals
  Home: BIA for business continuity: Introduction
  1: BIA for business continuity: Overview
  2: BIA for business continuity: Upstream and downstream losses
  3: BIA for business continuity: Understanding impact criticality
  4: BIA for business continuity: Recovery time requirements
  5: BIA for business continuity: Identifying business functions
  6:BIA for business continuity: Gathering data
  7: BIA for business continuity: Data collection methodologies
  8: BIA for business continuity: Determining the impact
  9:BIA for business continuity: Data points
  10:BIA for business continuity: Understanding IT Impact
  11: BIA for business continuity: BIA for small business
  12: BIA for business continuity: Preparing the BIA report
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity & Disaster Recovery for IT Professionals offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops – among other tools. Purchase the book from Syngress Publishing
Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC has over 20 years experience working in IT in both technical and executive positions including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Masters degree in Business Administration (MBA) and a Bachelors degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.

Dig Deeper on MSP technology services

Cloud Computing
Data Management
Business Analytics