The following is a lightly edited transcript of our September 2022 webinar on the importance of Business Impact Analysis. The speakers are:
- Kelly Culwell, Senior Manager, Service Transition, Dataprise
- Steven New, Director of Operations, Dataprise
- Tom Shay, vCIO, Dataprise
- Trista Perot, Marketing Director, Global Data Vault
Trista Perot (00:00):
Thanks for joining our webinar today. We have an interesting discussion about business impact analysis or “BIA” for short. We’ll cover what a BIA is and why it’s integral to your disaster recovery planning. We’ll also give you tips on what to include in your BIA and how to estimate costs if you were to experience a loss of business operations. Let me start by introducing our speakers today. We have Steven New, Operations Director for Global Data Vault, and he is our Veeam Vanguard who always has sage advice on how to protect your business. We have Kelly Culwell, Senior Service Transition Manager for Dataprise, and he’s leading our discussion with our special guest, Tom Shay, who is a vCIO for Dataprise. Tom’s role as a virtual CIO is interesting in that he provides a fresh set of eyes when solving tough IT problems, but with that, he has a great depth of experience from many varied client projects. Tom, we are so happy to have you today! Can you help me explain a little bit better what the role of a vCIO is?
What is a vCIO?
Tom Shay (02:49):
The vCIO role is becoming a lot more mainstream these days within IT-managed service providers. And as you said, it basically is a strategic advisor. It’s someone who assists a client not only with what their IT path is, but with how it can be continued going forward. We provide value on many different fronts within the IT world or your infrastructure, your operations as a whole, applications, security, and risk. What sets Dataprise apart from any other IT MSPs is that while we are here to fill in a gap in the roles that you have within your current firm, certainly we’ll recommend Dataprise solutions, but we’ll also make recommendations based not just on what Dataprise can do, but what’s best for your firm and your company. And if it’s something that Dataprise doesn’t offer, we have other recommendations for you. One of the other great things about what a Dataprise vCIO is, is that in addition to working with our current clients, we’re happy to work on stand-alone projects.
Kelly Culwell (04:26):
A lot of organizations don’t necessarily have CIOs, so it is nice to have somebody who can bring a breadth of experience to them. One of those areas that we’re discussing today is the business impact analysis. We love our friends at Veeam — and Jason Buffington had this quote that says, “Business impact analysis starts in a boardroom and not in the data center.” Typically, when we think of disaster recovery, we tend to hone in on the disaster or the data center component. The technicalities and the servers and the “this” and the “that” without really understanding what happens when systems go down or what impact a server or an application being down will have on an organization. It varies with organizations of all sizes. What we’re discussing today is what the business impact analysis does for stakeholders, employees, et cetera. We’ll also talk about its purpose.
What is a Business Impact Analysis (BIA)?
Steven New (05:46):
A BIA basically measures the impact and risk to your company. When creating your BIA, you’re going to need to find out how much money you’re going to lose, and what impact you’re going to have on stakeholders and customers. How much capital can you afford to lose during a disaster that would put your company out of business? Those are some of the things that you measure during a BIA. Another process that builds on the BIA is the Business Continuity Disaster Recovery or “BCDR” plan. A BCDR plan is how to address those risks based on the BIA that you’ve established. You’re going to need to measure the impact and risk first, and then in the BCDR plan, address how to stop those risks in a disaster situation. From there, you’ll need to create a runbook.
Based on the BIA and the BCDR, you’ll be prepared to put that runbook together. This will detail the execution of procedures and policies that you create based on your BCDR plan. The last piece of this big puzzle is to identify your incident response manager who’s in charge of the runbook. He is going to follow the procedures in that runbook to delegate tasks based on what your company needs.
Kelly Culwell (07:15):
It’s all subjective. What works or what impacts one organization won’t be the same for another organization. When we talk about RTOs and RPOs and five nines, etc., customers really evaluate how many nines they actually need. The BIA will help you fine-tune your business priorities in the wake of an unfortunate event. If your RTOs, or your return to operations, are X for a system, perhaps you need to invest more money in the business continuity or the disaster recovery planning for that one specific server, versus every server and every application that you have. And it all goes back to how much money you want to spend.
Tom Shay (08:17):
What we do as part of our business impact analysis workshop is to go through what applications, what services, what it is that’s of importance to your business. Then we tier what’s most important and what’s least important and figure out what the objective for recovery time and the recovery data point should be. Then we add to that what the actual RTO and RPO is to see where there might be gaps for you. It’s been shown that when something does happen and you need to go through an action plan, more times than not, it’s harder to go through that process properly without the runbook, and without the process and procedures outlined for you. And there’s an obvious cost to that. Outlining those tier ones, tier twos, or even down to tier fours in level of importance lets you know exactly where your budget should be, depending on how narrow the RTO and the RPO are.
Kelly Culwell (09:34):
That’s a good point. The percentages there aren’t small: 34% and 27% gaps between what you can do or what you can deliver and what your expectations are is significant, especially if you’re talking about millions of dollars of downtime, outage costs, et cetera. Thinking about types of outages, Steven, can you tell us about different scenarios that you’ve experienced?
Steven New (10:01):
We have seen extended outages of hardware. An example is a customer’s SAN fails. Everybody knows that there are hardware delays with Covid, so replacing it could take a couple of months. We do see extended outages from hardware fairly often. We don’t really see too many extended outages for internet, but you do need to plan for that as well. Whenever I speak to customers about a BIA, what I tell them is that you need to go into this with the mindset of, “What do I do if my building does not exist?” Because we have seen that with customers. We’ve seen hurricanes, fires, natural disasters, tornadoes. Any natural disaster has the potential to destroy your infrastructure and/or a building. So you need to approach this exercise with a mindset of what do I do if my building doesn’t exist?
Let’s not forget about rogue employees or bad actors. What if somebody gets ahold of your system that’s not authorized and starts deleting your data? Somebody getting inside your vCenter server and deleting VMs is an example that we’ve seen. And nobody’s favorite is ransomware. Ransomware does exist. It is also considered a “disaster” when it encrypts all of your data so that you can’t access it anymore. Bottom line, you need to come up with a plan.
How do you calculate impact in a Business Impact Analysis?
Kelly Culwell (11:32):
If you caught our last webinar, we talked about what happens when disaster recovery is activated during all of this. We shared the experience of how one company’s building was on fire, and they lost everything. It can happen in many different ways that might seem really unlikely.
Let’s switch gears a little bit and talk about how we calculate that type of impact. We know that there are direct and indirect costs of a disaster. However, sometimes we don’t think about things like employees being impacted. Tom, what do you see in this area?
Tom Shay (12:08):
These direct impacts are somewhat obvious. If your infrastructure’s down, if your customers can’t reach you, or whatever it may be, depending on the industry obviously, there’s going to be a loss of revenue. And in some ways, it’s a potentially permanent loss of revenue and loss of productivity. Things are down, your people aren’t working, things aren’t moving forward, and you have operating costs associated with that. In a situation where maybe you don’t have the proper backups and everything is all in one area, and now that data is lost, now you have to recreate that.
And if that’s possible, that’s certainly an additional operating expense that no one wants. If it’s not possible, that could be a much bigger problem, potentially even a compliance issue depending on the type of firm that we’re talking about. And speaking of compliance, what if you can’t meet a service level agreement with one of your clients? You might now incur a financial penalty, or you could now have an issue with a government agency that’s hitting you up for something that you’re no longer compliant with. These are some of the potential direct costs.
Kelly Culwell (13:40):
Carrying that on into a little bit of the goodwill and compliance, health and safety, et cetera areas…
Tom Shay (13:46):
Now these are the more indirect costs. Again, customers can’t reach your website, they can’t reach you, your phone system’s down, whatever it is that they normally do to get to your products or services. You have the ability to lose customers. Also, though, when staff is unproductive, and they see that the reason is that the planning wasn’t there, you could lose good people. That staff goodwill is quickly lost in a situation where your payroll system goes down. Not too many people I know are interested in working for free! That’s another way to potentially lose good staff. Then you have business partners. Again, your accounting system goes down, you can’t pay your business partners, people that are bringing in goods to assist your business. That’s going to create another issue.
And then again, compliance, health, and safety. I mentioned compliance a little bit, but health and safety extends to things like disconnected security cameras. Thinking about one of my clients in the healthcare industry: if they lose the ability to reach their systems that nurses and doctors rely on to get patient information, well, that’s a huge health and safety issue and certainly a compliance issue as well. Those are just a few examples of the indirect impacts that can result from not planning properly.
Kelly Culwell (15:14):
To expand on examples a bit, there may be a door control system in a sensitive facility, something that keeps the doors locked. I imagine that there are always ways for the employees to get out, right? You wouldn’t be able to have a code or meet code if your employees couldn’t get out unless it was a prison. Then they wouldn’t be employees, hopefully. But anything like that could potentially put somebody at risk. If you have a gate control system that allows trucks or employees in and out of a facility or in and out of an area, like if your business is loading trucks with gravel. You must include everything and think outside the box.
What if your trucks can’t get to the place where they load the gravel because some system failed? That’s an issue. And the answer may simply be that you’re going to have a guy stand there to open the gate every time a truck needs to go through, right? But that’s at least a plan. And that’s thinking ahead. And that’s the thing that you need to do for these BIAs: really dig down and think about what it is that we could impact or what could be impacted by an outage. With that, let’s talk about the actual elements of a business impact analysis.
What are the elements of a Business Impact Analysis?
Steven New (16:28):
First off, you’ll need to identify any networks, applications and systems that would be impacted if you were to experience a DR event or a disaster. I’m also going to add in hardware to that as well, because we’re going to approach this with a mindset that your building may not exist. You’ll need to take an inventory of your hardware, your switches, what is where. After you gather this information, you’ll need to identify the risk to business operations should anything be compromised. Once you get that data, then you can estimate the cost. If operations were to go offline, is it going to cost a hundred thousand dollars a day? Is it going to cost a million dollars a day? I know that’s a big gap there, but you’re going to need to understand the cost of what it would take to take your business out of business, essentially.
And then you’re going to need to identify the gaps in the recovery strategy. But first, you need to make sure that you have a recovery strategy. That’s the most important thing! If you don’t have one, you need to create a recovery strategy so that you can get your business back online and operating as quickly as possible so you don’t lose those million dollars a day, a hundred thousand dollars a day, $500,000 a day. You need to get back up as quickly as possible.
Kelly Culwell (18:04):
That goes back to the boardroom and not data-centered mindsets. It makes me think of examples from personal experience where you ask somebody what systems are located in a particular facility, and you get one of these situations where they’re shuffling around papers, and they’re trying to find their spreadsheets or whatever, and nobody really knows. Unfortunately, people don’t find out exactly what’s in there until they’re down or something happens with that building. Or as Steven says, the building doesn’t exist anymore. Make sure that you’re engaging the correct people as you have these conversations. The stakeholders are identified, where all of these systems are, what the impact would be on those if they’re down. We have a customer who has quite a few locations, and sometimes they run as silos on their own. And maybe certain systems in one location mean a lot more to them than they would in another location. You need to make sure that you’ve identified those appropriately, which leads us into the scope of the BIA, Tom. When Steven mentioned filling the gaps — and there are a lot of gaps that we have to fill — we’re not going to be able to fill all of them. How do we go about doing this when we talk with customers?
Tom Shay (19:18):
This is where we are able to tier what’s most important and least important to that client. That’s where we can identify where the gaps are, where those RTOs or RPOs do not meet RTAs and RPAs, and where there might be a system that does not have a proper backup solution. If it’s down, that’s an issue. Thinking about one of my clients who is an assisted living facility, one of their main concerns is their telephony. Unfortunately, all of their telephony is in one place, and that was identified through our BIA exercise. This was something that they realized was an issue. But as you said, not all gaps must be filled, right?
In that case, the issue was that if the telephony systems were gone, the residents still had a need to reach outside emergency services or professionals within the medical field, or within that particular client campus. That was a need to address in order to keep them running. That’s a major issue as far as the residents are concerned. It might be something that’s not as high a priority as making sure emergency and medical services are working properly, but these are the things that we can address during a planning session. We look at specific applications, we’ll look at specific services. We will work with you to find and prioritize those based on your assessment of what you feel is the proper way to address those. From there, we can work on where there might be gaps. We can put dollar amounts to those so that you see not only the impact of losing a particular service or application but what that could mean financially.
Kelly Culwell (21:16):
That’s a perfect segue into the next slide. We’ve talked about the elements, the reasons, the costs, and direct and indirect impacts. This image is a template of an example spreadsheet in a BIA. These aren’t really real-world numbers per se, but it shows how these calculations can be put together in a usable format. Can you walk us through a little bit of what this looks like? I see we have scoring scales and costs and impacts…
Tom Shay (21:50):
Without giving away all of the Dataprise secret sauce, this chart is a snippet of what we do when we go through a business impact analysis workshop. There are a few columns (not shown) where we detail exactly what services are important to you or what services you have. Then we tier them as to: important or not important. We include applications within that, which would also include things like accounting systems, payroll, etc. Every industry has its own system that might be more or less important. The score reflects exactly what that client will feel when we’ve gone through the workshop.
We include a scale estimating what the potential revenue impact is. And then we talk about the direct cost impacts and the goodwill impacts: when a payroll system is down, what impact does it have on your internal staff? When your website is unreachable, what impact does that have on your customers? So on and so forth. This is just a snippet of the process we’ll go through when we conduct a business impact analysis for you.
Kelly Culwell (23:21):
That’s pretty cool stuff. How long does this process take?
How long does it take to create a Business Impact Analysis?
Tom Shay (23:36):
That’s dependent on what you’re looking for. One of the benefits Dataprise has is that we are flexible in our offerings. We can do this as a one-off exercise where a client is just looking to do a business impact analysis, or they want to learn how to do it for their own internal staff. We can use this as a beginning step for that client, but also as a teaching method. We can give that client all of our final data and reports and walk them through the process. If their IT team joins us throughout the workshop, they have the ability then to continue on themselves, updating it as their infrastructure changes. We also have a service where Dataprise conducts the ongoing analysis either continually or on an annual basis. It’s really up to the client as to what they’re looking for and what will work best for their particular business.
Kelly Culwell (24:49):
Your team has a number of certifications for this BIA development. Can you tell us about those?
Tom Shay (25:04):
We have a wonderful team across the entire country. All of them have various certifications, but not only that, there’s a lot of real-world experience. I’m not the only 20-year veteran of the IT world. There are a few of us that have that level of experience. That brings about first-hand knowledge of things that have happened in the past. For example, I can speak to Super Storm Sandy and other events of that nature that would be very helpful to clients. There’s also the hands-on experience we’ve had with other clientele that gives us unique insights. We’ve already seen this scenario with x, y, z client, and this solution could be very helpful in your situation. That’s another benefit of Dataprise as a managed service provider, we can utilize the successes of other clients and bring those forward to your business.
Kelly Culwell (26:09):
Let’s talk about how to get started with a BIA plan. Steven, do you want to recap?
Steven New (26:16):
The main thing that we need to recap is that you do need a BIA. That’s very important. You’re going to need to create a BCDR plan as well, and then you’re going to need to create a runbook. If you’re in a disaster situation and don’t have any of those documents, you are going to have issues achieving a good RTO or RPO. We need to get these created today and work with Tom to get you a BIA in place.
How do you start creating a Business Impact Analysis?
Kelly Culwell (26:43):
That’s a good point. To get started with the BIA — since that’s what we’re here to understand today — we need to identify who should be involved. We need to allocate time. This is not something that is just, “Here. Fill this out,” and you just sort of wing it, right? You need to make sure that you’re allowing enough time to thoroughly investigate this. Honestly, it’s a big task. It’s going to take some time, and we’re all busy, but you need to understand it from a business impact standpoint. Take the time now, do it properly, because it could save you in the long run. In theory, once your initial BIA is created, updating and adjusting it is a much easier task. Tom, how do people engage a vCIO?
Tom Shay (27:33):
To engage us specifically? It’s that email address at the bottom there, marketing@Dataprise.com. But I’d love to just go through this a little bit further in the fact that, yes, unfortunately, Kelly, there is a lot of time needed. To offer a real-world example, I’m working with a municipality, a county, and we’ve had to do this workshop during three different sessions because we just couldn’t get through all the different applications that they needed to evaluate. It was a good three to four hours’ worth of work. It’s important to have each point person involved so not only was the director of IT for this county present, but also the county executive. We included the people handling the medical and emergency services. To liken that to your company, it could be different business unit owners or different application owners within your business that need to participate.
When you engage a vCIO, these are the things that we’ll address and get input from all of those people. What we’ve found through this process is that certain gaps are identified that were previously unknown. It becomes very enlightening to them, helpful to them, and valuable to them. From there, they can make informed decisions as to what’s most important to remediate and what gaps might not need to be “fixed.”
Kelly Culwell (29:11):
It’s always good to have a fresh set of eyes, a third-party, to come in and look at things. It’s easy to become nose blind, if you will, to our own environments. Having another expert come in and poke around and ask questions will often be helpful.
Trista Perot (29:26):
Awesome guys, that was really great information. I do have a handful of questions that I’ll share. I think they’re mostly for Tom, but Kelly and Steven, feel free to weigh in.
Question: When you are preparing for a BIA workshop, what types of financial information do you need before you get started to really streamline it? Are there documents that you need to prepare prior to the workshop? What does that look like?
Tom Shay (29:54):
I have to be honest with you, I’m less concerned about the financial side, and I’m more concerned about the actual gaps themselves. Because as you go through it, you will notice that there are certain things you don’t realize that when they go down, there isn’t a backup solution or a way to narrow those objectives, those return time objectives, and the recovery time objectives, to the recovery time actuals. That being said, anything we can gain from you on that lost revenue side, we’ll certainly ask for it, but there’s no major preparation on that point. We can adjust those numbers more on the fly. To me, certain things are more important, such as the actual potential gaps themselves.
Trista Perot (30:41):
To build on that, do you provide a list of things that folks need to bring to the workshop?
Tom Shay (30:48):
No, but what we will ask prior to a workshop is, “What are the actual services and applications they are concerned about?” This is part of how you engage us and how we adapt to these exercises based on client need. It doesn’t have to be for every service and every application. There are some clientele that just approach it with, “This is what I’m doing. I’ve got a list of 30, 40 different applications that I’m working with,” and we identify the gaps. But there are others who are there just to get training on what we can do and how we can help them. We then hand it over to them for them to update it moving forward. We get out of their way. They give us two or three or four top applications, top services that they’re most concerned about, and then we can continue the workshops and the business impact analysis from there. What I would ask prior to a workshop is that the client identify what those particular services and applications are. That’s all I would need.
Trista Perot (31:53):
Question: How many people should be involved when creating the business impact analysis?
Tom Shay (32:09):
It’s true that more people involved can lengthen the process, but it also gets more people to understand these actual impacts. When you’re talking with a business unit owner, he or she may be someone who knows their application but doesn’t understand how it impacts the business as a whole. When you get them in the same room with some of the other people that are discussing these things, I am able to step back a bit and let them talk about the challenges of trying to remediate those gaps and narrow those gaps. It’s then that they realize, “Oh, it’s not just the click of a button,” or we just throw money at something, and there’s a lot more involved in resolving some of these potential issues.
More and more gets fleshed out, and the result is that people in the company understand each other’s business units and their ways of working together better. Sometimes it has an impact greater than just a business impact analysis. So yes, I have no issue and no problem with all the business unit owners or the application owners of those, as well as the director of IT and a CEO and CFO, being involved.
Trista Perot (33:31):
Question: Are the IT services provided by Dataprise remote services, or can you handle large implementation projects on site?
Tom Shay (33:47):
We can do both. If there’s a necessity where we need to do something and we need to go somewhere, we can certainly provide staffing on-prem, nationwide. Depending on the nature of what it might be, we can also travel to do what’s necessary. We can certainly handle both.