Business Impact Analysis (BIA) is an important first step in developing an effective business continuity plan. The March 2003 Business Continuity Planning Guidelines published by the FFIEC define BIA as follows:
* Identification of the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers.
* Consideration of all departments and business functions, not just data processing.
* Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial losses.
As with most FFIEC guideline documents, the definition is broad and without specific instruction on how to meet these requirements. The Business Impact Analysis is such an important step in the development of an effective Business Continuity Plan that it is imperative credit unions know and understand what is necessary to make it useful.
We have reviewed the disaster and business continuity plans of numerous institutions. Most have documented some sort of BIA, but most rarely meet the standard set by the new FFIEC guidelines.
The goal of the Business Impact Analysis is to place as much objectivity as possible into the process of selecting what business processes or functions are most important for the institution to recover in the event of a disaster. In the past, most disaster recovery plans focused only on recovering the technology that the institution uses. BIA should first identify all business functions for each department.
Once the functions are identified, the effect of losing each one needs to be assessed. Each function should be measured against several categories, for example financial impact to the institution, impact on customers, impact on the institution's ability to remain in compliance with regulations, and impact on other business functions or departments. Each of these areas should also be evaluated against the length of the loss, for example function lost for 24 hours or less, 24 to 48 hours, 48 hours to one week, and greater than one week.
Once you have rated each business function on each of these criteria, the institution must then determine the required recovery period for each function. Using formulas to objectively define the recovery period based on the value of the business function to the institution provides the most practical method of prioritizing business functions across the institution's departments. It is best to match the required recovery periods to the same length-of-loss criteria evaluated earlier.
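One way such a formula could work, shown as an added example that is not part of the original article or any FFIEC material: each function is rated 0 to 5 per impact category for each length of loss, and its required recovery period is the first loss window whose weighted impact reaches a tolerance threshold. The weights, the threshold, the ratings and the function names are all constructed assumptions.

```python
# Added illustration. Weights, threshold, ratings and function names are constructed.
WINDOWS = ["24 hours or less", "24 to 48 hours",
           "48 hours to one week", "greater than one week"]
WEIGHTS = {"financial": 0.35, "customer": 0.30,
           "compliance": 0.20, "dependency": 0.15}
THRESHOLD = 3.0  # weighted impact on a 0-5 scale treated as unacceptable

def validate(ratings):
    """Reject incomplete, out-of-range or time-inconsistent ratings."""
    for cat in WEIGHTS:
        row = ratings.get(cat)
        if row is None or len(row) != len(WINDOWS):
            raise ValueError(f"{cat}: need one rating per loss window")
        if any(not 0 <= r <= 5 for r in row):
            raise ValueError(f"{cat}: ratings must be 0-5")
        if any(a > b for a, b in zip(row, row[1:])):
            raise ValueError(f"{cat}: impact cannot shrink as the loss lengthens")

def weighted_impact(ratings, i):
    """Weighted impact of losing the function for loss window i."""
    return sum(w * ratings[cat][i] for cat, w in WEIGHTS.items())

def required_recovery_period(ratings):
    """Index of the first loss window whose impact reaches THRESHOLD.
    A function that never reaches it falls in the last window."""
    validate(ratings)
    for i in range(len(WINDOWS)):
        if weighted_impact(ratings, i) >= THRESHOLD:
            return i
    return len(WINDOWS) - 1

def prioritize(functions):
    """Order functions by recovery period, then by first-window impact."""
    ranked = sorted(functions, key=lambda name: (
        required_recovery_period(functions[name]),
        -weighted_impact(functions[name], 0)))
    return [(n, WINDOWS[required_recovery_period(functions[n])]) for n in ranked]

SAMPLE = {  # constructed ratings, one value per loss window
    "Loan origination": dict(financial=[1, 2, 4, 5], customer=[1, 2, 4, 5],
                             compliance=[1, 1, 3, 4], dependency=[1, 1, 2, 3]),
    "Marketing mailings": dict(financial=[0, 0, 1, 2], customer=[0, 1, 1, 2],
                               compliance=[0, 0, 0, 1], dependency=[0, 0, 0, 1]),
    "Online banking": dict(financial=[3, 4, 5, 5], customer=[5, 5, 5, 5],
                           compliance=[2, 3, 3, 4], dependency=[2, 2, 3, 3]),
    "Share draft processing": dict(financial=[2, 4, 5, 5], customer=[3, 4, 5, 5],
                                   compliance=[1, 3, 4, 5], dependency=[2, 3, 4, 4]),
}
```

Calling `prioritize(SAMPLE)` returns the functions in recovery order, each paired with the loss window that serves as its required recovery period.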
Finally, based on that priority, detailed information should be gathered and defined for each function, including essential personnel, technologies, facilities, communications systems, vital records and data. From this point a specific Business Continuity Plan can be developed for each of the institution's highest priority business functions. If the BIA is improperly developed, specific BCPs may not be developed for critical functions and the institution may waste resources developing plans for functions that do not need to be recovered.
Following a specific methodology for BIA development that objectively sets the institution down the path toward creating effective BCPs will assure successful continuity of the business through any disaster, large or small.
Romir Bosu is president of Compushare, Inc., a provider of information technology, consulting and implementation solutions for community financial institutions nationwide.