Disaster Recovery Journal Winter 2022

A nonprofit organization, however, would likely have a completely different list. Third, assign a percentage to each impact category based on its relative importance. Typically, the top categories make up the majority of the weighting per centage. Here are the same BIA categories we used above with sample weighting per centages added: 3. Brand, image, and reputation (20%). 4. Penalties, fines, and sanctions (15%). 5. Legal/regulatory requirements (10%). 6. Increase to operating expenses (5%). In the example, the areas most impor tant to the bank are not losing revenue; minimizing impact to customer service; maintaining brand and image; and mini mizing penalties, fines, and sanctions. Based on the above weighting, the busi ness processes which have the most signif icant impacts in these top four categories are the most critically time sensitive and need to be recovered the soonest. As with the example, the total of your weightings should add up to 100%. The Most Common Mistake Made in Weighting Impact Categories The most common mistake people make in weighting their organization’s 1. Loss of revenue (25%). 2. Customer service (25%).

impact categories is not taking the process seriously enough. How you weight the different areas is your judgment of what is critically time sensitive and what is not. Your weightings might determine what is restored first after a disruption and what is left to be recov ered at a later time. The consequences for your organization are potentially huge; therefore, you want the right processes to be designated as critical. After You Weight the BIA Impact Categories What happens after you weight your BIA impact categories? You integrate the results into your BIA process. The impact categories and their weight ings are used to evaluate the dollar and non-dollar impacts of a disruption to each business process over various periods of time (12 hours, 24 hours, etc.). This allows you to determine the recov ery time objective (RTO) for the different business processes. The following tables below illus trate how this is done where impacts are involved. In this example, the impacts to customer service and brand, image, and reputation (both of which have high weightings of importance) are significant within the first 12 to 24 hours. Based on the scoring (impact score multiplied by the weighting of each category and aggre gated), those processes experience a sig

nificant impact in 12 hours and would need to be recovered in 12 hours or less. Weighting your impact categories is a small task which can make a big differ ence to the effectiveness of your BIA and recovery plans. Takeaways n Weighting your categories is not simply a ranking of how important the processes are to the business. n It is important to get input from management in weighting impact categories. n The most common mistake in weighting impact categories is not taking the process seriously. n Incorporate the results of your weightings in your BIA process. n Weighting impact categories is a small task that can make a big difference. v Michael Herrera is the CEO of MHA Consulting, a leading business continu ity planning and information technology consulting firm. Herrera is the founder of BCMMetrics, which specializes in business continuity software designed to aid organizations in devel oping and executing business continuity programs.

Richard Long is a senior advisory con sultant and practice team leader for MHA Consulting, where he has successfully leads international and domestic disaster recovery, technology assessment, crisis

management, and risk mitigation engagements.

1=none to negligible, 2=minimal, 3=moderate, 4=critical, and 5=catastrophic.

QUANTITATIVE IMPACT SCORE

RTO 0 – 4 HRS OR LESS

RTO 1 – 12 HRS OR LESS

RTO 2 – 24 HRS OR LESS

RTO 3 – 48 HRS OR LESS

RTO 4 – 5 DAYS OR LESS

RTO 5 – 5 DAYS OR MORE

Loss of revenue

1 1 1

1 1 1

1 1 1

1 1 1

1 1 1

1 2 2

Increase in operating expense Penalties, fines, and sanctions

QUALITATIVE IMPACT SCORE

RTO 0 – 4 HRS OR LESS

RTO 1 – 12 HRS OR LESS

RTO 2 – 24 HRS OR LESS

RTO 3 – 48 HRS OR LESS

RTO 4 – 5 DAYS OR LESS

RTO 5 – 5 DAYS OR MORE

Customer impact

3 1 3

4 1 4

4 1 4

4 1 4

4 2 4

5 2 5

Legal/regulatory requirements Brand, image, and reputation

26 DISASTER RECOVERY JOURNAL | WINTER 2022