Where Does It Hurt? Perform a Risk and Business Impact Analysis

About this research note: Strategy & Planning notes define Where Does It Hurt? the critical decisions and actions surrounding successful adoption Perform a Risk and of a specific technology, tool, or process. Business Impact
Analysis Publish Date: June 18, 2007 Risk and Business Impact Analysis (RBIA) is about assigning the right resources to the most critical areas of the business in the event of a disaster. Make the risk analysis and business impact analysis exercise the foremost consideration during the Disaster Recovery Plan (DRP) process. © 1998-2007 Info-Tech Research Group www.infotech.com
Executive Summary In many Disaster Recovery Plan (DRP) projects, IT is responsible for determining the value and criticality of all data, software, and hardware. Accurate assessments, however, cannot occur unless IT communicates with the business owners of those assets. In order to fully assess the risks to assets from a disaster, it is imperative to conduct a Risk and Business Impact Analysis (RBIA). This research note proposes an analysis of: » Risks that the business faces outside of the technical arena. Outside influences may include equipment failure, fire, power outages, physical security breaches, floods, storms, civil unrest, terrorism, sabotage, and labor disputes. » Risks with regard to technical aspects of the business. This includes penetration testing and vulnerability assessment.
» Dollar impact of disasters. Recovery is a business issue, so this exercise focuses on the business units of the enterprise. While technology is certainly involved, the bottom line is the cost associated with an interruption of service and the impact it has on the business. A well-crafted RBIA provides justification for the expenditures necessary for developing a thorough DRP.
Strategy & Planning 2 Where Does It Hurt? Perform a Risk and Business Impact Analysis www.infotech.com
Planning Point A well-crafted Risk and Business Impact Analysis (RBIA) provides justification for the expenditures necessary for developing a thorough Disaster Recovery Plan (DRP). After all, it is much easier for senior management to approve a DRP budget that has been developed as a result of an RBIA, rather than through simple estimates or best guesses. DRP costs must appropriately balance the value of IT and corporate resources with the potential impact felt by operations should those resources become unavailable due to a disaster.
An inaccurate RBIA may lead management to either overspend or under-commit resources required to adequately protect the company in the event of a disaster. By understanding the potential impact of a disaster, the enterprise has a way to identify appropriate courses of action. Additionally, the RBIA provides valuable information regarding system requirements, network resources, applications, personnel and the interaction they all have to make the business function. The overall purpose of the RBIA is to put an approximate dollar value on what the interruption of the functionality will cost the organization (impact is typically measured in dollars per hour). Many larger organizations have a person on staff dedicated to DRP. Small and mid-size enterprises (SMEs) do not have that luxury. In that case, a senior DRP consultant should be brought in to conduct the interviews and document the potential exposure for the RBIA.
Key Considerations 1. Possible risks faced by the enterprise. Major threats relative to each office's geographical location must be evaluated. IT must therefore analyze risks that the business faces outside of the typical data center environment. Once the external disaster risks have been identified, the DRP team needs to evaluate risks associated with each of the system components in use.
Strategy & Planning 3 Where Does It Hurt? Perform a Risk and Business Impact Analysis www.infotech.com

External Threats
» Fire » Equipment Failure
» Power Outages » Physical Security Breaches » Flooding » Storms (Hurricane, Blizzard, etc.)
» Civil Unrest (War, Local Instability) » Terrorism » Sabotage » Consumer Confidence » Labor Disputes » Interruption of Computer Services
» Interruption of Communications

2. IT and corporate assets catalog. Then, of course, there is the list of... [download for more]