
Exploring Corrective Controls

TOPIC 2: RECOVERY PLANNING

Business Impact Analysis

After the completion of the risk assessment, management should complete a business impact analysis (BIA), sometimes referred to as a business impact assessment, to ensure critical systems are identified and that recovery objectives are set. The BIA:

- Should be completed before writing or updating the business continuity, disaster recovery, and incident response plans.
- Takes the results from the risk assessment and presents a determination of how to manage critical business processes if there is a process failure or disaster.
- Is best performed when the business owner and IT system owner collaborate, and determine the necessary timing objectives to ensure the right technology and/or contracts are in place.

Business Impact Analysis Performance Metrics

The performance metrics relevant to the BIA include:

- Recovery Time Objective (RTO).
- Maximum Tolerable Outage (MTO).
- Recovery Point Objective (RPO).
- Allowable Interruption Window (AIW).

The organization and IT should jointly agree to the RTO, RPO, MTO, and AIW for each activity identified in the analysis.

Business Continuity Management Considerations

Business continuity management (BCM) activities include the development and maintenance of the organization’s business continuity plan (BCP). The BCM is designed to help the organization continue with normal (or close to normal) operations, even in suboptimal conditions, which could include a storm, fire, pandemic, or crime. BCM includes provisions for:

- Moving operations (recovering operations) to another location if a disaster occurs at a worksite or data center.
- Potentially recovering from different levels of disaster:
  - Low level — brief, localized disasters.
  - Medium level — extensive building-wide issues.
  - High level — permanent loss of a building.
- Losses beyond technology, including people, facilities, equipment, supplies, etc.





            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.