Once the mission-critical activities or services of the organisation have been identified, the purpose of Business Impact Analysis (BIA) is to formally define the business-critical processes of the organisation, their resource requirements, and the technology risks and loss impacts they face. Moreover, the BIA correlates specific IT components with the critical processes that they support and, based on that information, characterizes the consequences that a disruption to those components would have on the critical processes.
The technology risks thus identified will contain enough information to produce the IT Requirements report. This should include not only the technological components (specific hardware, applications and peripherals, which in turn point to infrastructure, servers, databases and networking components) but also the specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) required by the business units for their critical business processes.
The definition above relates to two different objectives. The BIA gathers the ‘process RTO’, the recovery time objective for the process as a whole. Achieving this objective depends on a critical path of underpinning components. These components must be recovered in a shorter timeframe in order to achieve the process RTO. Throughout the remainder of this document the timeframe to recover such underpinning components will be referred to as the ‘component RTO’.
The process RTO specifies the desired recovery time for the critical processes. The ITSC Plan will need to consider the actual RTOs for all dependent components (e.g. infrastructure, server build, network connections, data restore) in determining how, or whether, it is possible to achieve an overall RTO which meets the requirements of the business.
The RPO specifies the recovery period for data, e.g. that no more than 24 hours of data can be lost. This is a trickier metric, since it is a checkpoint in time, and meeting it may require that database checkpoints, transaction logs or write-through disk data, more frequent backups, and all the associated recovery procedures are carried out in a timely and consistent fashion.
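As an added illustration (not part of the original document), the following Python example checks a process RTO against the critical path of its component RTOs, and an RPO against the interval between recovery points. The component names, hours and dependency layout are constructed sample data, and the model assumes that components with no dependency between them are recovered in parallel and that worst-case data loss equals one full backup interval.

```python
# Constructed sample data: component -> (component RTO in hours, counted from
# the moment its dependencies are available; list of dependencies).
COMPONENTS = {
    "infrastructure": (4, []),
    "network":        (2, ["infrastructure"]),
    "server_build":   (6, ["infrastructure"]),
    "data_restore":   (8, ["server_build", "network"]),
    "application":    (1, ["data_restore"]),
}

def critical_path(components, target):
    """Return (hours, path) of the longest dependency chain ending at target."""
    memo, visiting = {}, set()

    def finish(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle at {name!r}")
        visiting.add(name)
        hours, deps = components[name]
        # Independent dependencies recover in parallel, so the slowest
        # dependency chain decides when this component can start.
        best_hours, best_path = 0, []
        for dep in deps:
            dep_hours, dep_path = finish(dep)
            if dep_hours > best_hours:
                best_hours, best_path = dep_hours, dep_path
        visiting.discard(name)
        memo[name] = (best_hours + hours, best_path + [name])
        return memo[name]

    return finish(target)

def assess(components, target, process_rto_h, backup_interval_h, rpo_h):
    """Compare achievable recovery time and data loss with the BIA objectives."""
    hours, path = critical_path(components, target)
    return {
        "recovery_hours": hours,
        "critical_path": path,
        "rto_met": hours <= process_rto_h,
        # Simplification: a failure just before the next recovery point
        # loses one full interval of data.
        "rpo_met": backup_interval_h <= rpo_h,
    }

if __name__ == "__main__":
    print(assess(COMPONENTS, "application", process_rto_h=24,
                 backup_interval_h=24, rpo_h=24))
```

Components that appear on the reported critical path are the ones whose component RTO has to shrink if the process RTO is not met.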