Business Impact Analysis
As recent disasters such as 9/11 and Hurricane Katrina have demonstrated, it is important for organizations to plan for unexpected interruptions to their business processes and to develop plans for dealing with such situations. This is particularly important in today's businesses that rely heavily on information that would be difficult if not impossible to recreate. Preparation for interruptions is done through the development of a business continuity that describes how an organization will recover and restore interrupted critical function(s) after an extended disruption due to disaster or other causes. An essential step in developing an appropriate business continuity plan is to perform a business impact analysis. This process helps identify the risk of exposure to specific threats to the organization and assesses their impact on the organization's functioning if a disaster should occur. The Federal Emergency Management Agency (FEMA) suggests a number of considerations for a business impact analysis.
There is a story of a doctoral candidate who had just finished his dissertation and put it in the back of the car so that he could take it to the university in order to have the final copy signed before being submitted to the graduate school for completion of his doctorate. It was a beautiful spring day and the man was full of the joys of knowing that one has just completed a major milestone in one's life and the that future is rosy. So, he carefully placed the requisite three copies of the dissertation in the back seat and proceeded down the road. However, the day was so beautiful that he decided to roll down the windows. As he pressed the accelerator toward the floor and felt the rush of the wind blowing on his face, his joy soon changed to horror as he watched helplessly as the clean white pages flew out the window and blew down the road.
The worst could have been avoided had the doctoral candidate avoided taking such risks. The candidate could have kept the windows of his car rolled up tightly and kept backup copies (digital and hardcopy) at several different (safe) locations.
The loss of information is not only of concern to poor graduate students without the means or time to recreate their dissertations. As anyone who has ever experienced a computer crash knows, the loss of data and information can be devastating. Without backups of data and information, as well as application software and operating systems, it can be extremely difficult if not impossible to recreate the information stored on one's computer. If this happens to a business, the problem can be multiplied untold times to the point where it is impossible to recover. For this reason, not only data but entire computer systems and their concomitant software programs are regularly backed up.
Sometimes, however, conveniently available backups are insufficient to recover from a disaster. As the tragedies of September 11, 2001, and Hurricane Katrina should have taught us, it is not always sufficient to have a backup disk in the computer lab or even elsewhere in the building. In fact, sometimes it is not sufficient to have a backup disk on the same block or even in the same area of town. By definition, disaster is widespread. By definition, also, disasters are unexpected. In order to face disaster and recover from it, therefore, one must plan for the unexpected and prepare for it.
The Importance of Backup Systems
Of course, in many (if not most) situations, it is impossible to backup everything. From a purely software point of view, one could conceivably backup all data as well as all application and operating systems programs. However, having these things available to recover after a disaster may not be sufficient. For example, if the building in which the business resided was destroyed by a fire, the hardware would also have to be replaced. In some situations, this might only mean that a new computer system would have to be obtained using expedited delivery and new facilities leased in order for the business to be up and running within the week.
In other cases, however, these actions might be insufficient. Getting the power grid, telephone system, or emergency services up and running after a disaster can be of paramount importance. In such cases, waiting a week may not be an option not only for the success of the business, but more importantly from the standpoint of the potential in lives lost if such services could not be quickly restored. This is why there are extensive backup systems and facilities for many such organizations. Although most business organizations do not provide critical lifeline services, interruption of business processes for an extended period of time can be devastating to an organization. Therefore, every business is well-advised to develop a business continuity plan. Particularly in many of today's businesses that rely so heavily on information as their stock in trade, it is essential that data and concomitant systems be backed up and a plan put in place to recover in case of a disaster.
Business Continuity Plans
A business continuity plan (also referred to as a disaster recovery plan or a business process contingency plan) is a logistical plan that describes how an organization will recover and reestablish interrupted critical function(s) after an extended disruption due to disaster or other causes. Business continuity plans are written to address the possibility of loss of an organization's facility or access to it, loss of information technology, loss of people, or loss of one or more elements of the supply chain. A business continuity plan comprises the actions and procedures necessary to restore any data lost when a system stops functioning. The plan should include both consideration of how to minimize the negative impact of a potential disaster and as well as how to maintain or quickly regain normal operations after a disaster occurs. Business impact analysis is the process of identifying the risk of exposure to specific threats to the organization and assessing the impact of these threats should a disaster occur. The three phases of developing a business continuity plan are shown in Figure 1.
Part of the task of developing a business continuity plan is to assess the degree of an organization's risk that is associated with various potential disasters. Risk assessment is the process of determining the potential loss, probability of loss of the organization's objectives, and the concomitant impact on the business. Risk assessment will help the organization perform risk management by analyzing the tasks and activities of the organization, planning ways to reduce the impact if the predicted normal course of events does not occur, and implementing reporting procedures so that project problems are discovered earlier in the process rather than later.
During risk assessment, the...
(The entire section is 3029 words.)