Complacent versus resilient Featured

8:00pm EDT July 26, 2008

Businesses in the Midwest didn’t expect the floods. Others didn’t know a tornado was going to hit them. Companies don’t know when hackers are going to get into their database. The company in Florida didn’t expect its former employee would wipe its hard drives clean before she left (and it didn’t have a backup).

“It is not a matter of if, but when,” says Bill Douglas, a Certified Business Continuity Planner (CBCP) and Program Director for Houston-based DYONYX. “Two out of five businesses without a continuity plan never come back from a disaster. One in five go away within five years. Those that have a plan have the tools to survive. The first place to start with a continuity plan is with a Business Impact Analysis (BIA).”

Smart Business asked Douglas for his input on the need for and development of a BIA.

What is a BIA, and why is it important?

The BIA is the first step in any recovery plan. You need to know the critical processes and what it is going take to keep them going. The BIA is a procedure that helps you prioritize the importance of every one of your business processes in each of your business units. Unless you analyze each process and its importance to the company, you may be spinning your wheels on things that are not cost-effective.

You need to divide all of the processes into one of three categories: mission critical, business sensitive and business tolerant. Mission critical are those processes that your business can’t operate without. Answering the phone or access to customer records may be two examples. Business sensitive are those processes that are needed but may be able to be delayed for a short time until the critical things are handled. Business tolerant are those processes that make someone’s job easier. That might be certain spreadsheets that are used from time to time and can be recreated once everything else is up and running.

What is the process in developing a BIA?

Start with each department and find out what its critical processes are. You know your applications; build questionnaires to identify which of the three they are. Drill down to how necessary they are. Talk with business managers and IT managers to determine what would happen to the business if each of the applications went away.

A full BIA takes time and money. Is there a way to shorten the process?

Typically, a full BIA takes a minimum of two to three weeks to analyze business work-flow practices, depending on the size of the business. It is important to involve both business managers and IT managers. The business units know what would happen if each application was not available. IT knows what resources are available and what would have to be replicated at alternate locations. If you work with both IT and business at the same time, you can more quickly get the whole picture. Time is money. You may find that some of your applications are not needed. It is possible that you could save upfront by eliminating applications or processes that bring no value.

If all my systems are designed to be fault tolerant, why do I even need a recovery plan?

Fault tolerant means that the system is always available. If some portion of your system becomes contaminated, you need to find, isolate and recover. You need a plan in place to be able to keep part of the system going while the source of the problem is handled. Things may be going very well, but what are you going to do if the whole building or data center disappears or is inaccessible for a period of time? Since Sept. 11, it is easier to recognize that ‘the smoking hole’ can happen to anyone.

How do I know if I am paying too much or too little for recovery?

Business recovery is insurance. Like everything else there is some price you are willing to pay. Looking at impacts over time you have to determine what is essential. Can you get by for a day, a week, or a month? Looking at cost over time you can view different solutions and the internal impact. You have to consider the return on the investment. You hope you never have a disaster, but what if you do? What is critical? Maintaining customer contact may be most critical. If customers can contact you and receive assurance that you’re going to be back online and within a reasonable time frame, there is a much higher likelihood they will wait.

BILL DOUGLAS, CBCP, is Program Director at DYONYX. Reach him at (713) 293-6314 or