Tuesday, 14 June 2011

Business Impact Analysis

I had a query from a college friend the other day who said, 'We have been advised by our IT Auditor that we need to complete a Business Impact Analysis to establish the criticality recovery priority of systems, the nature of risk to which they are exposed and the contingency measures to be implemented. We do have a Risk register where we have documented all IT Risks and their calculated controls.'

I've commented before ("What is the Real Risk?" May 2009) that whilst we tend to be good at identifying risks we can easily look at them from a personal rather than an organisational point of view. If you identify the risk of tripping over a wire you think of the impact as injury rather than thinking of it as the amount of work not done and the consequences of that because someone is off on sick leave with a broken leg.

My answer was, 'It sounds as if they are wanting evidence that you have identified what impact the loss of individual systems would have on the organisation as a whole – which would then allow you to prioritise systems against each other so that if you lost more than one you would know which to bring back on line first.

'We tend to think of risk in terms of things like “email system goes down” but they are asking what would the impact of that be – what would be impossible and what delays would alternatives bring?

'E.g. – loss of all email communications sent from external contacts until situation resolved or external contacts advised to send via alternative methods leading to delays from known regular contacts and total loss from unknown, new or occasional sources. Internal communications needing to be routed through other means – telephone, internal post, introducing delays up to one day.'

Registering these details can be time-consuming and involves careful thought. The JISC infoNet Risk Management infoKit recommends describing risks with a sentence construction such as: "There is a risk that A, caused by B, will lead to C". "C" may be more than one consequence and may involve writing quite a bit of text!