December 16th, 2021

Building Blocks of a Business Impact Analysis - WST

An organization’s Business Impact Analysis (BIA) is an important component of any Business Continuity Plan. A strong BIA allows an organization to effectively prioritize resources when designing your continuity structure, processes, and equipment. BIA development generally involves multiple groups within an organization, including business unit managers, information security staff, and senior leadership. You may find it valuable to review the three basic building blocks of a BIA, and to encourage others involved in you BIA processes to understand these concepts as well.

Recovery Time Objective (RTO): This is the most common metric in a BIA. This measures the expected time between failure of “something” and its recovery. “Something” can be almost anything: a particular piece of equipment (for example, a server), a service provided by a third party (an Internet connection), or even a business process or business unit (a specific department in an organization). RTOs can vary greatly, based on how critical the factor is for the organization. For example, a server processing customer information may need to be back online within a matter of hours, while a server that holds only archive information may be able to be down longer. Internet service may need to be back online within minutes or hours, while a secondary connection could be down for a day or more. The same may apply with various business units within an organization. Front-line customer service staff may need to be back in service ASAP, while less time-sensitive groups can wait longer with less impact. Almost any factor in an organization can be assigned an RTO.

Recovery Point Objective (RPO): This metric measures amount of acceptable data loss. Simply put, this measures the time between backups of data. Consider these examples:

  • A Mortgage Loan Processing group creates a large amount critical customer data throughout the day using a loan database server. The organization has determined that they can absorb only one hour’s worth of data re-entry related to mortgage loans. So, backups of the loan database server need to occur every hour, so only one hour’s worth of data could potentially be lost. The RPO for that server is one hour.
  • A training department uses a file server to store training videos. New videos are uploaded to the server infrequently. The organization has determined that they can absorb one day’s worth of work re-uploading new videos in case of a failure, so backups can be scheduled nightly. The RPO for that server is one day.

Backup interval times reflect the RPOs for each process. RPOs can vary greatly between processes. Also, keep in mind that the shorter the RPO, the more expensive the backup processes and technology become. There may very well be points where it’s more expensive to maintain and manage high-frequency backups than it is to re-input data in case of failure. That’s part of the value of understanding, evaluating, and establishing RPOs – you can set realistic expectations for everybody.

Maximum Tolerable Downtime (MTD) or Maximum Allowable Downtime (MAD): This is a more strategic metric. NIST defines MTD as “the amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission.” Leaders in an organization should consider strategic and reputational risks when developing MTDs for various factors. How long (RTO) can a critical service be down before customers start looking elsewhere? How much (RPO) critical data could be lost without irreparable reputational or strategic damage? MTDs vary with criticality; some MTDs may be measured in hours/days, while low risk items may have MTDs measured in weeks.

With the understanding of these three BIA building blocks, organizations can create BIAs that set effective expectations, provide prioritization guidance, and assist in allocating recovery resources. BIA management is definitely a team effort.



Authored by: David Bentley, CISSP

You May Want to Read More:

The Scope of SARs - Something Old and Something New - WST

January 28th, 2021

Did you know that filing Suspicious Activity Reports...

In with the new year, out with the Flash - WST

January 21st, 2021

The writing has been on the wall for a while now ...

Back to Basics: Understanding Risk Concepts - WST

January 15th, 2021

People often make judgements and decisions about risk...

Keep your institution off the evening news.


Contact Us