Business impact analysis for business continuity: Identifying business functions
This excerpt from "Business Continuity & Disaster Recovery for IT Professionals" walks you through common business functions and encourages you to identify any functions not covered here and include them in your BIA.
In this section, we're going to walk through some of the more common business functions found in business today. It's not a comprehensive list but it's intended to do two things. First, you can include these in your BIA and you'll know you've got the major items covered. Second, you can use this to spur your thinking to include other areas that might be related to the items listed. You should begin by listing all the business functions that come to mind unless it's clear they should not be included. As with your risk assessment, it's best to begin by scanning the wide horizon and narrowing your focus later on. It's always easier to cut than to try to find gaps later.
When possible, it's advisable to create a list of all the functional areas of the business and gather SMEs from each area to discuss the critical business functions. Although it's more time consuming to get everyone in a room together, you will more quickly discover interdependencies in this manner. If SMEs sit quietly by themselves and come up with the critical business functions alone, they might miss the elements that are vital to other areas. An alternate method of gathering this data is to have the SMEs generate a list of questions to ask others in their area and compile the results. When the compiled results are ready, the subject matter experts from all areas of the company can meet to go over the results with the specific mission of finding interdependencies. How you manage this aspect of the project will have everything to do with how your company runs on a day-to-day basis.
The common business functions include those shown here. They're listed in alphabetical order, not necessarily in the order in which you would review these areas. The order in which these are reviewed will be dictated by the project management processes you've defined, the data gathering methods you choose, and the structure of your company. Following this section, we'll discuss the specific data points you need to gather from each of these areas.
- Facilities and Security
- Finance
- Human Resources
- Information Technology
- Legal and Compliance
- Manufacturing (Assembly)
- Marketing and Sales
- Operations
- Research and Development
- Warehouse (Inventory, Order Fulfillment, Shipping, Receiving)
As we look at these business functions, keep your business in mind and think about the key processes that occur in each functional area. After you've documented your key business processes, you will assign a criticality rating to them similar to the ones discussed earlier. As a reminder, you may also want to document key positions, skills, and knowledge in these functional areas. For example, what would the impact be if your head of facilities was injured in a building collapse and your company needed to operate from an alternate location? Who would head that up? What skills or knowledge would be needed in order to temporarily (or permanently) replace your facilities manager in the aftermath of a business disruption? These human factors should be assessed in conjunction with the major business functions.
Facilities and Security
Your company may be located in a single office in a small office building or it may span several continents. Regardless of how many physical locations your company operates, you need to understand the critical processes performed by facilities and security management with regard to your business operations. If a business disruption were to occur, what processes and procedures would be needed in order to get your business back up and running? For example, if the building is damaged or destroyed, physical security of the building will be disrupted. Employees won't be able to just swipe their badge at the front door. Is this a critical business function or not? It depends. If the building is destroyed, it doesn't matter that they can't get into the building. You don't just need an alternate process, you need an alternate location. Once an alternate location is established, you need facilities support. So, the critical business function, in this example, is having a place of business ("facilities"). Security and access are secondary. Notice how it helped to think of a specific scenario -- it focused our thinking so we could see the key areas. Is having a place of business a critical business function? Not in the formal definition of a business process, but it's certainly important. Security usually involves a process -- adding employees to access lists, providing employees with badges, IDs, or other identification, and granting them appropriate access to company resources. This might be highly important during normal business functioning, but does it impact the company's mission-critical operations? It depends on your business. If you work in a secure research environment, facilities and security may be mission-critical. If you work in a software development firm where employees could check code out of an online library and work from home, facilities and security may not be mission-critical at all. 
Facilities and security, though, may have some critical business functions beyond these macro-level functions just mentioned. For example, is facilities involved with the receiving or shipping of products, inventory, or other tangible goods? If so, these may be critical business functions to be included.
Finance
By definition, the financial workings of the company are critical business functions, but not all financial functions are mission-critical functions. For example, tracking receivables and payables are critical business functions because without the ability to keep track of what others owe you and what you owe others, you have no idea about the financial status of the company. Employee payroll is another critical business function (which is a financial transaction that might fall under the purview of the Human Resources department). If employees are not paid, if appropriate withholding and other taxes and deductions are not taken, your company faces serious problems, with employees and with state and federal authorities.
If your company has legal obligations to pay back a loan from a bank or make payments or reports to investors, these also might be critical business functions to be included in your analysis. In some cases, you may have some leeway with regard to repayment if you experience a natural disaster, but don't count on it. Your financiers don't care; they just want payments on time and in full. Therefore, keeping track of these kinds of financial and legal obligations may be considered critical business functions, depending on the nature of your company and its financing structure.
Accounting, finance, and reporting functions within finance should be reviewed and analyzed. There are many interdependencies in financial functions that cross over into HR, marketing, sales, IT, and operations. If key IT systems were to go down, which business processes would be impacted? Which processes and functions would have to get back up and running first in order to keep the business going?
Human Resources
If your firm experiences some sort of natural disaster, your Human Resources staff will be busy trying to fulfill a number of roles. Employees will usually contact HR for information on the status of the building, the status of the company, whether they should report to work, where they should report to work, and so on. Employees may also use HR as a clearing house for information about the well-being of other employees or information on the broader community. Finally, employees will be looking to HR for information on how, when, and where they'll get paid. In fact, this will likely be the first question many employees ask, especially if the business disruption happens just prior to or on payday. The staff in HR will be in the best position to provide guidance on the kinds of issues for which employees come to them. From there, you can compile a list of critical business functions. Remember, create a list of all business functions, then prioritize them later. If IT systems were to go down, which HR functions and processes are mission-critical? How would they be accomplished in the absence of IT systems? How would this impact other areas of the company?
Information Technology
Critical business functions for IT? It seems like almost all of them are critical most of the time, especially if you judge by the phone calls, hallway pleas, and e-mails begging for assistance when one of the applications, servers, or pieces of hardware goes down. However, ultimately, the hardware and software should support the critical business functions, so the IT functions, in large part, will be driven by all the other departments. HR might say "we have to have our payroll application"; marketing might say "without our CRM system, we can't sell any products"; manufacturing might say "without our automated inventory management system, we can't even begin to make anything." Therefore, the IT department's critical business functions are driven externally, to a large degree. However, there are also business functions that occur within the IT department that are critical to the company's ability to recover and continue doing business after a disaster. For example, the IT department needs to create backups of all data that changes after a disaster. If a disaster happens on a Tuesday and you're able to get some systems back up and running by the following Monday, backups need to start on Monday, as soon as data begins being generated, saved, or changed. Therefore, backup processes can be viewed as critical business functions from the IT view.
Legal and Compliance
There are numerous mission-critical business functions related to legal and compliance areas of your company. If your firm is subject to legal or regulatory statutes and requirements, you're already well aware of these constraints. You need to view these constraints and requirements in light of a potential business outage to determine which of these are mission-critical, which are vital or important, and which are minor in nature. For example, if your firm deals with private or confidential personal data, it must be protected at all times, even if you move to a manual system for the duration of a system outage. Which systems, then, should be recovered first? Which business processes are mission-critical? Those related to remaining in compliance, both in terms of business process and business data, should be ranked very high on your list. The legal and financial consequences, as discussed in the case study earlier in this book (see Case Study 1, "Legal Obligations Regarding Data Security") can be enormous.
Manufacturing (Assembly)
If your company is involved with the manufacturing, assembly, or production of tangible products, you obviously need to scour this area for mission-critical functions since your ability to produce your products is the engine that drives your company. There may be some systems that can come online later, but there are likely to be certain systems that must be up and running in order for any manufacturing, assembly, or production to occur. Identify these business processes and systems by understanding what would happen if the production equipment were to be damaged or destroyed. Next, understand what would happen if the production equipment was left intact but upstream or downstream events impacted your customers or vendors. The impact analysis needs to include both internal and external elements. What business processes should you put in place to deal with the potential loss of a key supplier? We'll look at risk mitigation strategies in detail in Chapter 5. For now, you should be identifying the potential impact of various business disruptions to your manufacturing operations, keeping both internal and external (upstream/downstream) disruptions in mind.
It's also important to understand the interaction between any manufacturing/assembly automation equipment and IT systems. If IT systems go down, how are automation systems impacted? If automation systems go down, how are IT systems impacted? What manual processes can be implemented in the absence of either automation systems or associated IT systems?
Marketing and Sales
Marketing activities help create demand for the company's products and services by establishing or expanding knowledge of the company and its products/services. Sales activities are those actions that actually create a sales transaction and bring revenue into the company. Some companies may determine that marketing activities in the aftermath of a business disruption can be put on hold while sales activities should be a top priority. Other companies may see marketing activities as mission-critical in the aftermath of a business disruption because they are businesses that need to stay in touch with customers, keep their products/services in front of customers, and cannot afford to let rumors and erroneous information about the company's status float around, especially in today's world of instant, on-demand news. How you approach marketing and sales functions in your firm from a business continuity and disaster recovery standpoint will depend largely on the size of your company, its market visibility, and other internal factors. Clearly, activities that support the company's ability to perform sales transactions will most often be considered either vital or mission-critical activities and systems.
Operations
If your company doesn't manufacture, assemble, or produce tangible products, it probably develops and sells intangible products such as service, software development, research, analysis, and others. Whatever it is your company does, it sells something in order to generate revenue. Therefore, your operations are what end up generating those goods and services that are sold to customers. As with manufacturing and assembly, operations are what generate sales and therefore are almost always part of the most urgent mission-critical business functions. Although "operations" is a rather broad and vague term, each company knows exactly what its operations are and how these operations contribute to revenue generation. It is within that scope of knowledge that these activities should be assessed for criticality.
Research and Development
Some companies or organizations are funded through investors, through grants, or operate as nonprofits. They may be dedicated solely to research and development and may not generate revenue in the traditional sense of the word. However, every organization needs funding and that funding almost always comes with some sort of expectations and requirements about what is to be achieved with that funding. Therefore, you can view activities that bring in funding as your sales activities and can assess their criticality in that light. For example, if your organization does biochemical research and you're funded by federal or state programs, you still have business functions related to deliverables to consider. Is the next round of funding predicated upon the successful delivery of the results of current development or testing? If so, you have several mission-critical systems to consider along with assessing the impact of a business disruption to your research. Do you have live cultures growing in a lab that need to be tested and assessed? If so, what would happen if the research building was destroyed by fire or by an earthquake or tornado? How would your research be impacted and how would you recover? Though these are a bit different from traditional business functions and are not related directly to IT systems, these are questions that should be asked and answered if you're in this business.
Warehouse (Inventory, Order Fulfillment, Shipping, Receiving)
If your company deals in tangible goods of any kind, you have processes for handling inventory, order fulfillment, returns, shipping, and receiving. In some companies, these functions are handled by outside firms. For example, you may manufacture or assemble a product that is sent out daily on trucks to some other company that handles the remaining inventory processes. Nonetheless, your company has to keep track of what it makes and what it ships out at minimum. So, there are two elements here, the actual manufacturing or assembly (covered earlier) and the tracking, storing, and moving of these products. These two functional areas are closely tied together and the interdependencies in these areas should be given special attention. If IT systems go down, how are these activities impacted? If the building is ravaged by fire or flood, how are these activities impacted?
There may be other functional areas not listed here that exist in your company. If so, be sure to explore each functional area and determine the various business processes used in each area along with their relationship to the business's IT systems.
ABOUT THE BOOK:
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the next big thing in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Business Continuity and Disaster Recovery offers complete coverage of the three categories of disaster: natural hazards, human-caused hazards and accidental/technical hazards, as well as extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops, among other tools. The book is published by Syngress Publishing.
ABOUT THE AUTHOR:
Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC, has over 20 years of experience working in IT in both technical and executive positions, including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience in managing hardware, software and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Master's degree in Business Administration (MBA) and a Bachelor's degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University.