So you decided to do an internet search on Business
Continuity – and the sites you came across spoke a language you’ve never heard!
As in any industry, the BC/DR community has its own jargon. Here’s a breakdown
of a few terms used in the early planning stages.
Business Impact
Analysis (BIA) is a term that is tossed around a whole bunch in reference
to business continuity planning. The BIA is generally done at the beginning of
the planning process and the plan is based around its information. During the information gathering phase of the
planning process, the Business Impact Analysis determines the processes,
resources and assets that are necessary to the health of the business, how they
depend on each other, and the criticality of each.
Recovery Time
Objective (RTO) is determined for each process – how soon do we need this
process up and running, and how soon do we need it at full capacity after an
incident. In some cases, the RTO can be a staged process that might include
temporary workarounds until all of the resources needed for the full process
are restored. Perhaps your organization has a sales process that utilizes a
rather large database. The database has an ordering system built into it so
sales personnel can track what a customer purchases, how often the purchases
are made, the quantities, and other information that assists them in the sales process.
The IT department needs to know from the sales department how quickly their
database needs to be back up if the servers hosting the database go down – and
the sales department needs to know from the IT department how quickly it can be
done. The gap between the two times then requires a plan to provide minimum
service to the customers while the database is being brought back to full
capacity.
Recovery Point
Objective (RPO) is determined for data – how much data can we afford to
lose? Is it one hour – or one week? The determination depends on how quickly
your organization can rebuild the data that is lost. If you have a process that
only gathers data once a week, then it will have a longer RPO than a process
that has thousands of lines of data entered every day. For example – though
your payroll process is important to getting the employees paid, it might only
need to be run twice a month, and doesn’t change often in between. However,
your sales staff communicates with 200 customers in a day, and places orders.
The reconstruction of the sales database would require calling all of those
customers in order to get their orders back. So a day’s data would set the
sales department back a lot more than it would the payroll department,
depending on when the failure occurred. Backups for the sales data would need
to be done daily or more often, where backups for payroll would only have to be
done as new data was entered.
An Incident is
any unplanned interruption that has the potential to affect any business process.
This can include anything from a major disaster to just a failed backup. Even
though the backup might not be needed at that precise moment, there is still
the possibility that it could affect a process.
These definitions will help sort out some of the information
found on the web, and perhaps in the event you decide to hire a consultant,
help you to begin to understand their explanation of their services.
