Business Impact Analysis

TomCast LXIV
Hello, and welcome back to this next TomCast from GuardSight, an Iron Bow Technologies company; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Since we dove into the initial part of organizational resilience during the last TomCast (Disaster Recovery for those of you that are uncertain of what I am talking about), we are going to continue that thread of organizational resilience. Today’s topic will be about a Business Impact Analysis, and what benefit that provides your organization as you plan for business continuity and continued resilience.

Ok, so what is a business impact analysis? To quote Gartner, a business impact analysis is “the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.” Otherwise referred to as a BIA, this analysis is vital to understanding what your business-critical needs are in order to continue operation.

Many organizations that are interested in addressing their overall resilience dive into a disaster recovery plan or a business continuity plan without conducting a BIA. They have a tendency to pick and choose what they believe is critical and proceed to the composition of a resilient plan, when in fact gaps are introduced that could adversely impact the recovery or continuity process. There is also confusion surrounding who conducts a BIA. Hopefully this talk helps those of you out there that are truly desiring to make your organizations more resilient.

A BIA is performed by a business analyst. If your organization does not have a business analyst, either hire one or go to a temp agency and contract one out. Here is why: specific industry-focused professionals cannot accurately complete a BIA without injecting forms of subconscious business bias. What do I mean by that? Well, take me as an example. I am a cybersecurity professional. If I look at an organization, my most important priority is the securing of data, assets, and endpoints, and I will put cybersecurity at the top of the list with regards to the criticality of what I do. Unfortunately, there are many different parts and pieces of business that are outside of cyber that need to be part of the plan.

Ok, there may be more involved in that, but you get the idea. Cybersecurity, unless that is the main focus of the organization, is a part or division within the whole. If the organization is a manufacturer of auto parts, for example, then cybersecurity is not the main business focus. If the organization designs widgets or some such, cybersecurity is necessary, but still not the main focus. Business-focused professionals understand the overall business as a whole and are not focused on the various pieces.

Let me break that down even further. You belong to an organization that generates revenue from a particular area of the business. That revenue-generating part of the business is critical to the success of the entire organization; without it the organization will definitely cease to operate and cease to exist if that department or division is offline for an extended period of time. So, naturally, the focus would be to make certain that particular department or division is annotated as critical and part of the overall business continuity plan, right?

Ok, so what’s next? If an adverse event strikes and that is the primary focus to ensure the business continues to operate, will it continue to operate correctly? If the department or division is brought back online, who will know? How will the organization communicate that business is back online and running? How will the organization continue to compensate their workforce during this time?

If you are tracking along with me, my point in asking those questions is that your internal communication solution, human resources, payroll, etc., will need to be included as critical business functions (if they are; I am making a generalization here) to ensure that not only do the critical revenue-generating functions stay online, but the internal communications do as well, so that everyone can continue to communicate status, needs, etc.

Obviously human resources and payroll would be in there, because A) human resources can determine the overall status of the workforce and communicate changes to processes and such, and B) everyone continues to be compensated for their efforts as the organization makes the necessary adjustments to remain online during the adverse event. These are the areas that the BIA places focus on, and why a business analyst needs to perform the BIA.

Once the BIA has been completed and gone over by senior leadership, the organization can then begin the process of the business continuity plan (which we will discuss on the next TomCast), as they will know what the precise critical business objectives are. If your organization is struggling with where to start in this process, reach out to the professionals at GuardSight and Iron Bow. These folks understand what these processes require and can help you get started.

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight or Iron Bow can do for you, head on over to www.guardsight.com or www.ironbow.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!