October 2007 Archives

Business Impact Analysis and the RTO



Though the title of this submission may not sound like a bedtime story you may read to your children, there is a moral to this story. In my last submission, I explained how important it is to complete a Business Impact Analysis (BIA) for the organization. I listed a number of reasons why this is important, but the most important reason gets its own blog submission, this one!

So what is an RTO, you may ask? According to the DRII and DRJ glossary, the RTO is...

RECOVERY TIME OBJECTIVE (RTO):  The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day).  RTO’s are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation.

The RTO is a powerful number that should NOT be randomly chosen.  By completing the BIA, you should be able to determine what critical functions your area is responsible for.  Through the analysis, you should be able to determine within a reasonable timeframe how long a critical function could be down without negatively impacting your customers.

Most units want to skip this part. Just as with the prioritization of the critical services, they want to pick a number for the RTO time frame that they think would make their management happy. By choosing RTOs instead of really understanding the critical function, we create false criteria on which recovery plans are built. Recovery plans have no hope of working because everyone knows they cannot possibly hit the targeted RTO stated in the plan. Knowing this, the recovery teams do not take the recovery plans seriously. Like "The Boy Who Cried Wolf", how will you know when your recovery plan is telling the truth or just making it up?

How can this all be prevented? By taking the BIA seriously and understanding what it is to be used for. The BIA is more than a silly survey that slows you down in the planning process. Like "The Tortoise and the Hare", slow and steady DOES win the race. In this case, the race is to create a recovery plan that is actually usable and practical.

Here are some critical decisions that use the RTO:

  • The strategies you need to implement
  • The cost of implementing those strategies
  • When should you declare a disaster or wait out the event

Don't let your Recovery Time Objectives (RTO) be a "Wolf in Sheep's Clothing". Complete the BIA and analyze the results for a better understanding of the services you provide. The moral of this story is: will your plans be built out of straw, sticks or bricks and can they withstand the huffing and puffing of an outage?

The Misunderstood Business Impact Analysis (BIA)

Like all technological fields, the business continuity planning (BCP) industry relies heavily on acronyms and specific terminology. One of the many acronyms, and the least understood, is the Business Impact Analysis (BIA).

What is a BIA? 

According to the DRII and DRJ glossary of terms, a BIA is: A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event.

Penn State has adopted a 5-phase approach to business continuity planning.  See the Recovery Planning Process Flow Chart for the 5-phase process. The BIA is completed in Phase 2 of the process.  We provide departments and campuses with a survey that helps them identify the critical services they run within their area. They need to judge what the impact to Penn State would be both financially and operationally if that service is not operational for a specified period of time.  Peak periods of operation would need to be identified for each critical service. For example, students registering for classes would be a higher priority service at the beginning of the semester than the ability to post grades.  However, posting grades would take priority at the end of the semester when registering for classes would be lower priority.

A BIA is designed to help departments and campuses understand their "business" better and help them prioritize their critical services.  It will also help determine which services need funding for recovery strategies.

Why is the BIA misunderstood? 

If the BIA provides a lot of answers, then why is it the least understood? Most units want to skip this step, primarily because they do not see the "value" or because IT units do not want the business units to get involved.

Most units feel they already understand their business, and in most cases they are correct, but trying to prioritize services based on intuition does not provide concrete reasoning for decision-making. Nor can intuition explain how decisions were soundly justified after an event occurs and hindsight comes into play. Knowing up front what impacts would occur and what they would be gives units the authority to make decisions that are in the University's best interest.

By understanding the priorities of the business units, IT can adjust its priorities and strategies to fit the business needs. Also, cost can be evaluated based on the time needed to recover the technology that supports the business requirements. Typically, the faster you need technology, the higher the cost to recover, and vice versa. If you need technology back fast, the BIA will provide the data that supports the reasoning for spending the money to recover quickly.

How can Administrative Information Services (AIS) help?

We work with departments and campuses to show them how critical the BIA is. We also provide an easy method of collecting this information. We provide a 20-question survey to managers within the departments and ask them to complete it. The survey is web-based and should take no longer than 4 hours to complete. Penn State uses Strohl Systems BIA Professional to create the survey, collect the data and analyze it. We hope that in making this process as "easy" as possible, units will start to see the benefit and will want the survey to assist them on many levels, from short-term decision-making to long-term strategy.

 Next week:  BIA and the RTO!

About this Archive

This page is an archive of entries from October 2007 listed from newest to oldest.
