Step-By-Step Approach To Business Impact Analysis (BIA)
1. Define the critical business systems your organization operates. This data can be entered and tracked in a spreadsheet.
2. Classify each system as business critical, important or non-critical. Ask system operators/administrators what would happen if a particular system were not available for an hour, a day or a week. In most cases you can quickly classify systems based on the operators'/administrators' responses.
3. Document which systems have cross dependencies. There may be non-critical systems that act as upstream or downstream components to critical systems. For example, DNS service may not appear to be critical to a unit until it is discovered that the credit card gateway relies on DNS to send credit card requests and process transactions. This type of cross dependency may require a reclassification of systems when linked to critical applications.
4. Estimate the cost to identify, remediate, recover and resume operations for each system in the spreadsheet. Include labor, hardware and software costs. For incidents that result in negative reputation, legal and regulatory outcomes, include an estimate of fines, legal costs or a marketing campaign to win back student, faculty and staff confidence. Add these costs to impacts defined in step five.
5. Identify the Maximum Acceptable Outage (MAO) for each system. This is the time from the detection of the outage to obviation of importance to business objectives.
6. Identify and document potential system threats, their severity and the probability at which they may occur. For example, a datacenter fire severity would be 1.00 (on a 0.0 - 1.0 scale) but the probability may only be .01 (1%) in a given year. Threat statistics are available from a variety of sources and are used by insurance companies to calculate insurance premiums. Create a threat score for each incident type in a different section of the same spreadsheet. In the above example you would multiply (.01 x 1.0 = .01) and yield a combined risk score of .01 or 1%. Do this for all conceivable threats. You will also want to list one generic loss at 100% just to have a line item that reflects a complete loss for each system regardless of the incident or probability. This sets the upper bound for the system valuation.
7. Now you have most of the data needed to start the process. It is best to use the simple formula functions that a spreadsheet provides. For every system you have defined with a loss value, multiply the series of values from the threats with the combined loss values to see the relative loss or impact per system. Do this on a line item basis. For each system calculate all possible listed threats. Do not include items that are not physically possible.
8. In this last step you will sort the data you have to show the top priority systems both from a business criticality and impact perspective. In the spreadsheet, select all columns in the sheet and use the "auto-filter" function on the data-sorting menu of your spreadsheet to link all the columns relationally. You can now sort on any of the variables in the sheet. Optionally, you can create a scorecard-like report by dressing up the spreadsheet, or add a narrative document and use the spreadsheet as the supporting data source.
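The spreadsheet procedure above can also be scripted. The following Python sketch is an added example, not part of the original guide: it reclassifies dependencies, computes threat scores and per-line impacts, and sorts by criticality and impact. All system names, costs and the ransomware figures are constructed assumptions; only the datacenter fire values (severity 1.0, probability .01) come from the text.

```python
# Added example: all system names, costs and most threat figures are constructed.
RANK = {"critical": 0, "important": 1, "non-critical": 2}

SYSTEMS = {  # name -> classification, full-loss cost, dependencies, applicable threats
    "card-gateway": {"tier": "critical", "loss": 250_000,
                     "depends_on": ["dns"], "threats": ["datacenter fire", "ransomware"]},
    "dns": {"tier": "non-critical", "loss": 40_000,
            "depends_on": [], "threats": ["datacenter fire", "ransomware"]},
    "lab-wiki": {"tier": "non-critical", "loss": 5_000,
                 "depends_on": [], "threats": ["ransomware"]},
}
# threat -> (severity on a 0.0-1.0 scale, probability per year)
THREATS = {"datacenter fire": (1.0, 0.01), "ransomware": (0.6, 0.10),
           "complete loss": (1.0, 1.0)}  # generic 100% line: upper bound per system

def threat_score(severity, probability):
    """Combined risk score for one threat, as in the datacenter fire example."""
    return severity * probability

def effective_tiers(systems):
    """Raise a dependency to the tier of the most critical system relying on it."""
    tiers = {name: s["tier"] for name, s in systems.items()}
    changed = True
    while changed:  # repeat so reclassification follows chains of dependencies
        changed = False
        for name, s in systems.items():
            for dep in s["depends_on"]:
                if RANK[tiers[name]] < RANK[tiers[dep]]:
                    tiers[dep], changed = tiers[name], True
    return tiers

def impact_rows(systems, threats):
    """One line item per system and applicable threat, sorted by tier then impact."""
    tiers = effective_tiers(systems)
    rows = []
    for name, s in systems.items():
        # Only threats listed for the system are scored; others are not applicable.
        for threat in s["threats"] + ["complete loss"]:
            score = threat_score(*threats[threat])
            rows.append({"system": name, "tier": tiers[name], "threat": threat,
                         "impact": round(s["loss"] * score, 2)})
    return sorted(rows, key=lambda r: (RANK[r["tier"]], -r["impact"]))

if __name__ == "__main__":
    for r in impact_rows(SYSTEMS, THREATS):
        print(f'{r["tier"]:<13}{r["system"]:<14}{r["threat"]:<17}{r["impact"]:>12,.2f}')
```

In this sample, DNS starts as non-critical but is reported in the critical tier because the card gateway depends on it, which mirrors the reclassification described in step 3.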

