Business Impact Analysis - way to justify IT spending
1. Business Impact Analysis - a way to justify budgets
Konstantin Smirnov CISA, CBCP
Konstantin.Smirnov@ex-oracle.org
2. Purpose – why bother?
• Often the “cheapest strategy”, doing nothing, proves to be costly
• More often, companies waste their time and money on technology and other things they do not need and will never use, while ignoring simple, helpful advice
• I want to share my thoughts, so they will act as a “germ of an idea” for others. Absolute perfection is a myth. But we can change (what we can) for the better – one little step at a time.
3. What is Business Impact Analysis?
First of all, for those who can’t remember what it is. Business Impact Analysis is:
• A way to understand what kind of resources your business relies upon and how soon it needs them back if something bad happens
• A part of Business Continuity Planning – an effort to help your company get through interruptions caused by disasters, infrastructure failures, pandemics and so on.
5. How it usually goes
• Customers can wait a bit, they’ll understand
• So how long can we stand still? Is it going to be expensive for us?
• I do not need any analysis! Let’s protect everything. That will make recovery quick!
• Sorry, I did not know it was going to be so expensive. Maybe we do not need such a quick recovery?
6. So, are we doomed to lose? No!
“We can protect pretty much against anything! And we can recover fast!”
“How much downtime can we afford?”
“Hmm… so expensive! Do we need this much and so fast at all?”
7. Is there any way to make sense?
• You can’t afford to overspend, unless you print money*
• The cost of doing nothing can be high – the business may go bust
• The remedy: spend a bit upfront**, so you will not spend or lose too much in the future
* Not a joke. Heard it from a man from Central Bank of <…>
** Not necessarily money. It could be your time – still a valuable resource.
8. Way to make sense!
[Chart: Monetary losses (USD, logarithmic scale from $1 000 to $10 000 000) plotted against downtime in hours (up to 2, from 2 to 4, from 4 to 8, from 8 to 16, from 16 to 32, from 32 to 64, beyond 64). Two loss curves: IS downtime and IS data loss. The RPO and RTO to comply with were taken from MTS internal document RP354-1 “MTS data backup and recovery”. In the “Unsafe” zone the current state is non-compliant (losses are above the target level); in the “Safe” zone the current state is compliant (losses are below the target level). When RTO or RPO is reduced to the “Target” level, potential losses are reduced, and that reduction, money-wise, is the risk reduction.]
9. Do the homework!
• Prepare well – interview sheets, questionnaires
• Agree on what the losses are – legal, finance, reputation, etc.
• Make sure the loss evaluation framework is communicated to the personnel (whom you will be interviewing)
10. Run a series of interviews
• See where the dependencies are
• Use common sense
• Use a common framework
• Do not make it too complicated – remember, other people will have to understand it too!
11. Analyse the results
• See where the critical dependencies are (and what the specific risks are)
• See how quickly losses grow if a particular risk scenario happens
12. Make sure you do not overspend**
• Plan the risk mitigation controls (counter-measures)
• Calculate two or three business cases
• Compare the costs of implementing each case (strategy) against the risk reduction
• Pick the best one!*
* To be continued in a separate presentation
** Sounds simple. In reality it is a bit more complicated
13. Some things to consider
• All the losses are calculated for a single event
• In a business case, make sure you plan for 3-5 years
• Calculate Capex AND Opex
• Consider transformation costs – how much it will cost to go from AS IS to WILL BE