Business Impact Analysis (BIA)

The UCSF Business Impact Analysis (BIA) process identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputational and so forth) of natural and man-made events or disasters on business operations. The information is quantified, analyzed and reported to executives to meet regulatory diligence and compliance requirements, and serves as an input to disaster recovery solution planning. This is a broad-brush approach to seeing the risk at a high level.

Documentation
Business Impact Analysis Process

Frequently Asked Questions (FAQs):

 

What is a BIA?

The UCSF Business Impact Analysis (BIA) process identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputational and so forth) of natural and man-made events or disasters on business operations. The information is quantified, analyzed and reported to executives to meet regulatory diligence and compliance requirements, and serves as an input to disaster recovery solution planning. This is a broad-brush approach to seeing the risk at a high level.

How do I know if a Business Impact Analysis (BIA) is required?

To determine if a BIA is required, please complete the Business Impact Analysis Request Form (a MyAccess account is required):

  1. Go to URL: http://Help.ucsf.edu
  2. Select 'Consulting and Development'
  3. Login with your MyAccess Account
  4. Select 'Business Impact Analysis Request Form'
  5. Complete all necessary fields and click the 'Order Now' button

 

What is a BIA interview?

The BIA interview is an informal meeting conducted by the IT Service Continuity Manager with the Business Owner, Technical Application Manager and any Subject Matter Experts. The purpose of the meeting is to document the Business' requirements for restoration of IT services following a major disaster (e.g., a major earthquake) and to determine IT's recovery capabilities. Ultimately, the BIA serves as a means to derive the Business Owner's requested Recovery Time Objective (RTO) and requested Recovery Point Objective (RPO).


Who should attend the BIA interview?

The Business Impact Analysis interview attendees should include:

  • Business Owner or Customer representative: An individual who understands the key business processes an application or system supports and the impacts of downtime.
  • Technical Application Manager: An individual responsible for the support of the application or system life cycle, including maintenance, upgrades, development, etc.
  • Subject Matter Experts (SMEs): One or more individuals who can provide application or system expertise from a business or technical perspective.

 

What are the types of BIAs?

There are two types of BIAs:

1. Comprehensive BIA: A Comprehensive BIA is conducted for all critical applications or systems that must be restored within 24 hours following a disaster.

2. Basic BIA: A Basic BIA is an abbreviated version of the Comprehensive BIA and is conducted for less critical applications or systems.

 

What type of BIA will I need?

A Basic BIA will be required if:

  • The application or system can be restored later than 24 hours after a catastrophic disaster.

A Comprehensive BIA will be required if:

  • The application or system must be restored within 24 hours after a catastrophic disaster.

What are the BIA Interview questions?

Basic BIA Questions for the Customer:

  • What is your Department Name?
  • What is a brief description of your department (or website URL)?
  • What business function does this application or system support?
  • Can this application or system be down longer than 24 hours? If no, please explain:
  • In the event this application or system is unavailable due to a major outage, how long are downtime procedures viable before major impacts occur?
  • If your application or system resides in a UCSF Data Center, data is backed up every 24 hours. Do you have any special needs that require more frequent backups? If yes, please explain:
  • Has a Business Impact Analysis (BIA) been conducted before? If yes, please attach a copy.

 

Basic BIA Questions for the Technical Application Manager:

  • What is the Application Name?
  • What is the Organization (e.g., Campus, Med Center, Enterprise - Both)?
  • Who is the Technical Application Manager?
  • Who is the Business Owner?
  • What is a description of the application or system?
  • What is the number of users?
  • What is the Server Hosting Arrangement?
  • Where is the infrastructure location?
  • Who is the Disaster Recovery Plan Manager?
  • Is the application built with High Availability? If no, can it be?
  • What is the current Disaster Recovery Strategy?
  • What is the Recovery Capability Status?
  • Who is the Backup Owner?
  • Where is the Data Backup location?
  • Has a Security Risk Assessment been completed in the last 12 months?

 

Comprehensive BIA Questions for the Customer:

Includes all above 'Basic BIA Questions for the Customer' and:

  • Who are your customers (internal or external)?
  • What are your peak operating periods?
  • What are the inputs and outputs to your department?
  • Do you have existing response and recovery plans?
  • What functions does your department support?
    • What is the function description?
    • What are the function's impacts if unavailable (e.g., Financial, Operational, Regulatory, Productivity, etc.)?
    • Who is impacted if this function is unavailable (e.g., Students, Patients, Scholars, etc.)?
    • What is the function's RTO?
  • What are your department's Application Dependencies?
    • What is the application description?
    • What is the application's RTO?
    • What is the justification for this RTO?
    • What are the manual workarounds?
    • What is the status of manual workarounds?
    • How long are manual workarounds viable?
    • What is your data loss tolerance?
    • What is the justification for this data loss tolerance?
    • What is the impact rating?
    • Who is your IT point of contact?
    • What are the upstream application/data dependencies?
  • What are any interdependencies or unique relationships this department relies upon?
  • What are the Recovery Staffing Requirements?
  • What are the Resource Requirements?
  • What are the Risks?

 

Comprehensive BIA Questions for the Technical Application Manager:

Includes all above 'Basic BIA Questions for the Technical Application Manager' and:

  • What is the number of IT Personnel that support this application?
  • What is the status of the Disaster Recovery Plan?
  • Where is the Disaster Recovery site?
  • When was the Disaster Recovery Test?
  • What type of test was conducted?
  • When was the last time backup data was validated?
  • Who validated the backup data?
  • What is the required infrastructure (ok to attach drawing)?
  • What operating systems are required?
  • Are all servers virtualized?
  • What are the application dependencies?
  • Are there any known risks or threats (e.g., the vendor does not allow current security patches)?
  • What is the Likelihood Rating of a failure of this application?
  • What likelihood controls are in place to prevent a failure?
  • Do you have any documentation (e.g., Architecture Drawings)?

 

What is the information in the BIA used for?

The information in the BIA is used to classify IT systems based upon criticality. Based upon the Business Owner's requested Recovery Time Objective (RTO) and the viability of downtime procedures or manual workarounds, a criticality Tier is assigned. Standard disaster recovery solutions are developed based upon an application's tiering and a data backup schedule is created based upon the Business Owner's Recovery Point Objective (RPO). Following a major disaster, IT will also use the RTO to define the restoration order of critical IT services.

 

What are the application Tiers?

Each Tier is listed with its RTO, Tier Definition, DR Strategy and a short Technology Description:

Tier 0 (RTO up to 15 minutes)
  Tier Definition: Core technology infrastructure that requires multiple data centers to be able to serve production without manual intervention.
  DR Strategy: Geographically clustered (Active-Active)
  Technology Description: Real-time data replication between data centers (Active Directory, DNS, DHCP).

Tier 1 (RTO up to 6 hours)
  Tier Definition: Systems are critical to patient health and safety for immediate clinical decision making or patient diagnostic and documentation. Failure to function for even a short period of time could have a severe impact on patient treatment. Manual downtime procedures are planned, but cannot be sustained for a long period of time.
  DR Strategy: Hot/Warm Standby
  Technology Description: Dedicated DR environment at alternate data center. Servers are racked, configured, tested, and ready to use at alternate data center. Asynchronous replication of business data and system states to available hardware.

Tier 2 (RTO up to 24 hours)
  Tier Definition: Systems are required in order to perform critical business operations, but can allow for manual processes for up to 1 day as a reasonable workaround.
  DR Strategy: Warm Standby
  Technology Description: Servers are provisioned and configured at alternate site. Replicated snapshots throughout the day to available hardware.

Tier 3 (RTO up to 5 days)
  Tier Definition: Systems are necessary to UC Health, but short-term interruption or unavailability of 3 to 5 days is acceptable.
  DR Strategy: Cold Standby
  Technology Description: Hardware and servers are reserved or allocated at an alternate data center. Backup restoration to hardware with horizontal scaling and ship on-demand hardware.

Tier 4 (RTO up to 30 days)
  Tier Definition: The functions affected do not jeopardize health, safety or security of patients, faculty, students or employees, and manual procedures could be used until the system is available.
  DR Strategy: ATOD (At Time of Disaster)
  Technology Description: Quick ship agreements may be possible with preferred vendors for delivery at time of disaster. No hardware in place at alternate site.

 

When will I see the BIA results?

BIA results will be provided within 1 business week following a BIA interview.

 

How do I access my BIA Summary Report?

1. Log in to Catalyst by clicking the following URL: https://ucsf.bccatalyst.com
2. Once you log on, you will be taken to the homepage, where any documents assigned to you will be visible.
3. Click on the appropriate Business Impact Analysis (BIA) title to access the summary report.

Within the summary report, you can click on any blue title to make updates or revisions.

The summary report is broken down into several sections:

  • Overview: provides a brief summary of the application/service(s) being analyzed
  • Function: describes the business functions supported by the application(s) being analyzed
    • Recovery Time Objective or RTO denotes the time following a disruptive incident in which an activity must be resumed or application recovered.
    • If you need to update/change an RTO, or have major revisions to our conclusions, please provide a brief email to Francine Sneddon (Francine.Sneddon@ucsf.edu) so that the modification is recorded.
  • Applications: detailed analysis of the application/service(s) being analyzed.
    • Recovery Time Objective or RTO denotes the time following a disruptive incident in which an activity must be resumed or application recovered.
    • We took into account available manual workarounds, business requirements, and impacts of downtime when assigning RTOs.
    • If you need to update/change an RTO, or have major revisions to our conclusions, please provide a brief email to:
  • Interdependencies: documents other internal departments or teams required to perform the business function(s) in the summary report
  • Recovery requirements: captures the IT personnel who support, deliver, and maintain the application/service(s) being analyzed

 

How often will BIAs be reviewed?

BIAs will be reviewed annually or when a major change to the business impact or system/application is identified.