If you are preparing or updating a Disaster Recovery Plan (DRP) for your company or your department, your first tasks will be: identifying which critical business functions need to be restored first; what equipment and data will be needed to restore them; and the management and people needed to resume work. The best way to begin this task is with a Business Impact Analysis of each functional group or department.
The Business Impact Analysis (BIA) form provided here is a comprehensive tool to collect this information and to share it among interdependent functional teams in a simple, consistent format. A BIA must be completed for each identifiable functional team or group in your department or company by its manager or leader and becomes a formal part of the final DRP document. A given group or department may have more than one critical business function, but, typically, each team has one critical function that all its other work supports.
The BIA form requires each manager to identify their group’s most critical function, the times they must complete and deliver their work, and the equipment, data and software needed. Managers must also ask questions critical for disaster recovery, such as:
- Can this function be deferred?
- Can it be performed manually?
- Can the work be done from home?
- What would be the effect of the loss of this function on the corporation?
Your task is to find and document those functions that the managers find most critical and to help managers prepare to restore them should disaster strike.
Your company may have a different scale for business function criticality than the five-point scale provided in the form. If your company does not yet use such a scale, consider promoting the one provided as a place to start for companywide commonality.
Setting the stage
Ideally, your company or your department will have assigned a manager to be the champion of Disaster Recovery Planning. You’ll need one, as the best way to gather this information is in an informal manager’s meeting with all group managers present and no other business in the way. A DRP champion will make this step easier. Depending on the number of the managers, this meeting will take about two hours.
Send a copy of the BIA form to each manager a week ahead of time so they can review it. Each manager will be responsible for actually completing their group’s BIA in this meeting. Be prepared yourself for managers who didn’t have time to read it and will bring up questions while you are collecting the data. Your best preparation is to complete a BIA form for your own group or team. Note where you had problems coming up with answers; the managers could also find those points difficult and ask you for help with them.
The best way to get the information recorded is to have a paper copy for managers and to walk them through each step. The informal feedback this generates will help them and you understand the interdependencies among all groups and take the tedium out of what could be just another exercise in form-filling. Be prepared to take and answer questions throughout the session, but be ruthless with time: this step needs to be completed in one sitting.
Part A: Criticality analysis
The first step is always going to be identifying the crucial business functions and the tools and expertise needed to perform them. Each manager’s appraisal of their own group or team’s needs will be individual, from the deadlines they need to meet to the documents and computing resources, mainframe and PC, that are needed to get there. Expect the managers to find other information they need to collect or back up in order to resume business. My own group discovered that no one knew where to find the phone number for a critical contractor, a problem they solved immediately after the meeting.
Item 16, the Level of Criticality, may be on a different scale for your company. The function of this scale is to provide a uniform standard for how soon each critical business function must be restored. This is intentional; if the function is crucial for survival, then the manager responsible for it must find a way to resume it within the given time limit. The DRP is the tool by which that will happen, if they list all the information and resources they will need.
In the course of completing the section, managers may find they have common needs that the DRP must address, such as uniform ordering of replacement hardware and software, shared resources such as desks, office supplies, manuals, phonebooks, and phones, as documented in the Business Impact Summary pages. Document these group needs separately for inclusion in the DRP and be sure to inform the managers that this is what you are doing. This goes a long way towards building trust in the DRP project and in keeping channels of communications open among all parties. Shared requirements are easier to remember.
Part B: Facilities and equipment requirements
This section asks managers to provide numbers of desks and other equipment needed for a disaster of a given duration. This question tends to raise the issue of alternative workspace for the group, for individual departments, and, for sufficiently great disasters, the entire organization. If your organization does not yet have a program for departments to offer alternative disaster-recovery workspace on a reciprocal basis, you should broach the subject here. Document the need and any offered solution, but keep the managers focused on completing the BIA forms.
Business impact summary
If your company already has a standard suite of applications that it requires for all hardware, list them yourself and tell the managers they do not have to list them. Be sure to have the managers fully document any vendors for computer systems, including support personnel and their contact numbers. If your organization does not rely on your Purchasing organization to negotiate and hold such contracts, be sure these are noted as crucial documents that will need backup and relocation to a secure site for disaster recovery.
Of particular importance here is the actual physical documents required for critical business functions identified in Part A. Expect managers to be surprised at the amount of paper documents, including files, they may need to meet crucial deadlines. You can also expect some surprise over the lack of backups and the potential cost of duplicating so much paper. Your organization may already have a document retention policy that covers which paper it should hold and physically back up. If not, or if the managers are uncertain as to how it would operate for them, note this and move on.
Note: Document retention policies go hand-in-hand with disaster recovery plans. If your organization does not have or is not currently following a plan, this may be a way to springboard thinking on the subject. Since it is separate from disaster recovery and manager time is fleeting, you may need to note that it is an issue for later consideration and continue completing the BIA information.
Questions IV, V, VI, and VII are particularly important if your organization does not have a prior DRP or relies on an outside vendor for data recovery at outside computing sites. An “Emergency Response Plan” (ERP) refers here to any and all contingency plans usually handled by building management, including fire evacuation, chemical spills, and bad weather. Be sure to follow up on all ERPs with building or site facility management.
DRPs are usually invoked through the operation of an ERP. Pay attention to any suggestions they put into Question IV and any other contingent disaster recovery plans they know of. Be sure to follow up if the answers are not complete or you have no knowledge of the other plans, if any.
Assessing the BIA results
At the end of the process, collect the BIA forms and have them typed up on the original template for each manager. Keep a copy and deliver a copy to each of the managers, asking for any corrections or additions. Preferably, this should be done in the next two days. If you do not receive feedback, seek it out. You will probably find a number of holes in the information provided. Get them filled by the manager responsible, and stress that this document is part of the Disaster Recovery Plan and anything not on it won’t necessarily be recovered.