Why should access to audit reports be controlled and restricted?

Quantitative analysis and qualitative analysis both play an important role in the Business Continuity Planning process. However, most people tend to favor one type of analysis over the other. When selecting the individual members of the BCP team, try to achieve a balance between people who prefer each strategy. This will result in the development of a well-rounded BCP and benefit the organization in the long run.

The BIA process described in this chapter approaches the problem from both quantitative and qualitative points of view. However, it’s very tempting for a BCP team to “go with the numbers” and perform a quantitative assessment while neglecting the somewhat more difficult qualitative assessment. It’s important that the BCP team perform a qualitative analysis of the factors affecting your BCP process. For example, if your business is highly dependent upon a few very important clients, your management team is probably willing to suffer significant short-term financial loss in order to retain those clients in the long term. The BCP team must sit down and discuss, preferably with the involvement of senior management, qualitative concerns to develop a comprehensive approach that satisfies all stakeholders.

Identify Priorities

The first BIA task facing the Business Continuity Planning team is the identification of business priorities. Depending upon your line of business, there will be certain activities that are most essential to your day-to-day operations when disaster strikes. The priority identification task, or criticality prioritization, involves creating a comprehensive list of business processes and ranking them in order of importance. Although this task may seem somewhat daunting, it’s not as hard as it seems. A great way to divide the workload of this process among the team members is to assign each participant responsibility for drawing up a prioritized list that covers the business functions that their department is responsible for.

When the entire BCP team convenes, team members can use those prioritized lists to create a master prioritized list for the entire organization. This process helps identify business priorities from a qualitative point of view. Recall that we’re describing an attempt to simultaneously develop both qualitative and quantitative BIAs.

To begin the quantitative assessment, the BCP team should sit down and draw up a list of organization assets and then assign an asset value (AV) in monetary terms to each asset. These numbers will be used in the remaining BIA steps to develop a financially based BIA. The second quantitative measure that the team must develop is the maximum tolerable downtime (MTD), or recovery time objective (RTO), for each business function. This is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. The MTD provides valuable information when performing both BCP and DRP planning.

Risk Identification

The next phase of the Business Impact Assessment is the identification of risks posed to your organization. Some elements of this organization-specific list may come to mind immediately.