Quantitative analysis and qualitative analysis both play an important role in the Business Continuity Planning process. However, most people tend to favor one type of analysis over the other. When selecting the individual members of the BCP team, try to achieve a balance between people who prefer each strategy. This will result in the development of a well-rounded BCP and benefit the orga- nization in the long run. The BIA process described in this chapter approaches the problem from both quantitative and qualitative points of view. However, it’s very tempting for a BCP team to “go with the num- bers” and perform a quantitative assessment while neglecting the somewhat more difficult qual- itative assessment. It’s important that the BCP team perform a qualitative analysis of the factors affecting your BCP process. For example, if your business is highly dependent upon a few very important clients, your management team is probably willing to suffer significant short-term financial loss in order to retain those clients in the long term. The BCP team must sit down and discuss preferably with the involvement of senior management qualitative concerns to develop a comprehensive approach that satisfies all stakeholders. Identify Priorities The first BIA task facing the Business Continuity Planning team is the identification of business pri- orities. Depending upon your line of business, there will be certain activities that are most essential to your day-to-day operations when disaster strikes. The priority identification task, or criticality prioritization, involves creating a comprehensive list of business processes and ranking them in order of importance. Although this task may seem somewhat daunting, it’s not as hard as it seems. A great way to divide the workload of this process among the team members is to assign each participant responsibility for drawing up a prioritized list that covers the business functions that their depart- ment is responsible for. When the entire BCP team convenes, team members can use those prioritized lists to create a master prioritized list for the entire organization. This process helps identify business priorities from a qualitative point of view. Recall that we’re describing an attempt to simultaneously develop both qualitative and quantitative BIAs. To begin the quantitative assessment, the BCP team should sit down and draw up a list of orga- nization assets and then assign an asset value AV in monetary terms to each asset. These num- bers will be used in the remaining BIA steps to develop a financially based BIA. The second quantitative measure that the team must develop is the maximum tolerable downtime MTD, or recovery time objective RTO, for each business function. This is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. The MTD provides valuable information when performing both BCP and DRP planning. Risk Identification The next phase of the Business Impact Assessment is the identification of risks posed to your organization. Some elements of this organization-specific list may come to mind immediately. The identification of other, more obscure risks might take a little creativity on the part of the BCP team. Risks come in two forms: natural risks and man-made risks. The following list includes some events that pose natural threats: Violent stormshurricanestornadoesblizzards Earthquakes Mudslidesavalanches Volcanic eruptions Man-made threats include the following events: Terrorist actswarscivil unrest Theftvandalism Firesexplosions Prolonged power outages Building collapses Transportation failures Remember, these are by no means all-inclusive lists. They merely identify some common risks that many organizations face. You may wish to use them as a starting point, but a full list- ing of risks facing your organization will require input from all members of the BCP team. The risk identification portion of the process is purely qualitative in nature. At this point in the process, the BCP team should not be concerned about the likelihood that each type of risk will actually materialize or the amount of damage such an occurrence would inflict upon the continued operation of the business. The results of this analysis will drive both the qualitative and quantitative portions of the remaining BIA tasks. Likelihood Assessment The preceding step consisted of the BCP team drawing up a comprehensive list of the events that can be a threat to an organization. You probably recognized that some events are much more likely to happen than others. For example, a business in Southern California is much more likely to face the risk of an earthquake than that posed by a volcanic eruption. A business based in Hawaii might have the exact opposite likelihood that each risk would occur. To account for these differences, the next phase of the Business Impact Assessment identifies the likelihood that each risk will occur. To keep calculations consistent, this assessment is usu- ally expressed in terms of an annualized rate of occurrence ARO that reflects the number of times a business expects to experience a given disaster each year. The BCP team should sit down and determine an ARO for each risk identified in the previous section. These numbers should be based upon corporate history, professional experience of team members, and advice from experts, such as meteorologists, seismologists, fire prevention professionals, and other consultants, as needed.