The business impact analysis (BIA) activity, as part of ITSC planning, is performed against selected business services to determine what the business stands to lose in the event of service unavailability.  The BIA serves as the communications vehicle between business and IT and results in (1) a better understanding of the business by IT and (2) a better understanding of IT capability by the business.  Without a fundamental understanding of business requirements, a satisfactory continuity solution is destined to be, at best, cost-ineffective and, at worst, completely elusive.  It is the BIA activity that determines the level of service required to continue business at an adequate level and provides the input required for IT to employ a supporting infrastructure that provides the business with the required resiliency.  All other activities performed during ITSC planning rely on the correct impact assessment of a business service.  The BIA provides:

• Cost justification for the resulting continuity plan,
• Identification of potential losses due to service unavailability, and
• Identification of the probability of threats to service availability.
  

Empowered with this information, IT can review the existing infrastructure for risk and suggest solutions that are inline with the service’s impact on revenue or other, less tangible impacts, like credibility, competitive advantage or customer satisfaction.

Organizations struggle with objectively assessing critical business services to determine required service levels and impact to the business.  What are the questions to ask to extract the information?  Who is the authoritative source to provide answers and insight?  What story do the answers tell?  How is impact assessment compared across different business services?  ITIL® does not define the contents of a BIA nor does it suggest how the analysis is interpreted.  The execution of the BIA is left to the ITIL®-subscriber to define and the challenges in performing a BIA are hidden obstacles to overcome.  The remainder of this article focuses on “real life” challenges encountered while assessing business impact as part of IT continuity planning.

Challenges

Bridging the gap in understanding between IT and the business for the purposes of IT Service Continuity planning is not without challenge.  During impact assessment with the business and IT, participants often express confusion as to the purpose of the assessment, suspicion relative to hidden agendas or doubt regarding the value of the exercise.  In addition, challenges in corporate culture, scheduling, data collection, willingness to share information and agreement on the resulting BIA rating can hinder or prolong the BIA activity.  Each of these challenges can be addressed proactively to avoid derailment of the planning effort before it gets off the ground.

• Confusion, Suspicion and Doubt
  When meeting with a new group of business representatives or IT representatives to discuss the service impact of a critical business service, interviewers are often met with general confusion relative to the purpose of the meeting, concern about not having the ‘right’ skills to provide the information, suspicion as to the ‘real’ reason the business service is under investigation or doubt that the analysis will be conclusive.  A kick-off meeting should be conducted at the onset of an ITSC planning project and the kick-off repeated for each new service investigation.  The kick-off meeting serves to bring all participants, business and IT representatives, together to discuss the project initiative, timeframes, deliverables and expectations.  Participation of executive sponsors in the kick-off meeting also goes a long way in relieving concerns.
  
• Invincibility
  The nature of ITSC is to consider disastrous events and the organization’s committed response to restoring critical business service.  However, organizations frequently delay ITSC discussion under the premise that an event will never occur.  Organizations suffer from perceived invincibility and struggle to justify time and resources to consider ‘what if’ scenarios.  Current world events prove that disasters do occur, in varying degrees, and mindsets are shifting accordingly.  It is possible to construct successful ITSC plans and achieve coordinated responses to the unthinkable. 
  
• Scheduling
  Because staff members have ongoing, day-to-day responsibilities, dedicating two hours to discuss ‘what if’ scenarios can appear fruitless.  In situations where workload or priority dictates less than ideal access to business and IT representatives, request an hour of scheduled, dedicated meeting time and the ability to seek clarification with resources through offline mechanisms as appropriate.  In situations such as these, it is critical to have champion support in order to encourage staff response to offline requests for information.
  
• Data Collection
  Our organization conducts BIA discussions based on a framework of business impact and probability questions.  The framework is organized into broad areas of investigation, including Customers and Users of the Service, Legal and Contractual Obligations and Unavailability Impact.  Each area consists of a number of questions that further probe for aspects of business service impact.  Because the questions are pre-determined, clients have asked to review the questions offline in lieu of an in-person meeting with the commitment to return answers accordingly.  However, the questions that comprise the business impact analysis are not intended as a questionnaire.  The questions represent a framework in the strictest sense:  it gives structure to the discussion but is not limited by the structure it suggests.  In fact, answers received in-person often uncover details not otherwise known and frequently leads to related questions not included in the framework.  All deliverables of an ITSC planning engagement rely on the accuracy and completeness of the data collection activity; therefore, it is critical to explore business impact of a service through all available avenues, including:  in-person meetings, offline follow-on discussions, system-level data capture and existing documentation (e.g. infrastructure diagrams, contractual agreements, policies and procedures).
  
• Knowledge
  While some of the questions asked in a BIA discussion are relatively easy for the business to answer, we have observed general reluctance to divulge real dollar figures in terms of service contribution to revenue and estimated cost of unavailability per hour of down-time.  The financial aspect of unavailability impact is a key consideration as the organization selects a cost-effective continuity strategy and configuration.  Because continuity solutions differ in effectiveness and cost, revenue contribution and the cost of service unavailability provide a business case for the selected continuity technology.  Management commitment to an overall business continuity process can empower business representatives to provide financial information.  Alternatively, senior management may suggest a dollar figure to use or otherwise designate a representative to disclose financial impact of service unavailability in real terms.
  
• Agreement
  Real world experience suggests that the business and IT are often at odds in agreeing to a level of service.  The business often tolerates zero data loss and requires infinite data retention, which IT typically views as not feasible and unrealistic.  In cases where IT and the business differ in opinion of stated requirements, we recommend that the design activities conclude before deciding feasibility.  In fact, design costing activities often result in the business becoming aware of the cost of their requirements.  It must be the decision of the business whether the IT investment is feasible to support the business service at the required level.  In situations where alternative technologies are available at less cost, the business has the authority to accept the frequently increased risk of a more cost-effective solution.

Summary

As organizations turn focus to business continuity management, IT is tasked with ensuring service continuity in support of the overall business continuity strategy.  While executive management may indicate which business services to include in continuity strategies, IT must determine how to extract the information required in making cost-effective and efficient technology decisions.  Business impact analysis becomes a mechanism to join the needs of the business with the capability of IT.  Identifying potential challenges in assessing business service impact and preparing a strategy to address those challenges in advance of the BIA helps to ensure a quality assessment of impact.  An accurate and complete BIA is the cornerstone of a successful ITSC plan and, ultimately, a successful continuity solution. 

While the BIA is only one of the key activities performed in an ITSC planning project, it serves as a key deliverable on which all other project deliverables are based.  If the BIA is incomplete or inaccurate, the proposed continuity solution will likely be neither cost-effective nor efficient and result in continued exposure to business risk.

About the Author:

Heather DeBernardi is a Senior Systems Engineer at Maryville Technologies whose 10-year IT career and wide range of management, consulting, technology and project experiences help customers successfully design, deploy and manage best practice ITIL®- solutions.

Previous Article

Next Article