How to Run a Business Impact Analysis for Your SaaS Stack
If recent history has taught us anything about business continuity, it’s that business interruptions can come at any time for any amount of time. If you’ve experienced these disruptions, maybe you’ve had to “pivot” your operations and reconsider your SaaS stack lineup.
What products, services, or vendors did you need to keep? Which could you do without and still continue normal operations? What’s an allowable outage time before potential impact occurs?
Making SaaS lineup decisions can be challenging if you don’t know how those changes will affect your critical business functions, let alone the financial impact.
So how do you know which SaaS changes will impact your business? We recommend conducting a business impact analysis (BIA).
What is a business impact analysis (BIA)?
A BIA is a process of determining what’s needed to keep your business running as smoothly as possible when disruptions happen. It includes identifying resource interdependencies and setting time-based goals for achieving your company’s vital objectives.
As the research and advisory experts at Gartner define it, “[It’s] the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.”
Why a business impact analysis is important
If your company doesn’t conduct a BIA, chaos could ensue from a disruption, such as an outage or a cyberattack. Various departments will have differing priorities, and differing priorities could lead to confusion. A BIA will help bring focus and objectivity to identifying your business continuity needs and setting priorities for meeting those needs.
Another potential issue for a business without a BIA is a lack of preparation or overspending. A BIA identifies your business continuity gaps and shortcomings, so you don’t have to guess what you need to do for a recovery plan. For example, as part of business process management (BPM), you’ll want to gather your business continuity requirements by conducting a BIA. With it, you’ll know how SaaS tools affect your business’s bottom line when you add them or take them away.
Without a way to identify your organization’s continuity requirements and gaps, your company could lack the data to support a preparedness investment. A BIA clearly states what you need, what’s missing, and what the organization should do when disruption strikes. So, setting financial goals and budgets based on data will help guide the company through the disruption period smoothly.
In all, a BIA will help you:
- Identify which products and services provide your company the most value, and therefore should be prioritized, protected, and recovered after a disruption.
- Identify which business activities and resources need protection and recovery from interference.
- Set recovery timeframe expectations to guide your company’s priorities during a recovery phase.
- Identify contractual, legal, and regulatory commitments.
- Clarify appropriate spending capabilities to meet recovery objectives.
- Collect and organize additional data like team and staffing requirements, contact information, and more for a business continuity plan (BCP).
How to conduct a business impact analysis for your SaaS stack
1. Prepare for the analysis
Before you conduct a business impact analysis, scope it out. Here are five questions to ask during the scoping phase:
- What is your purpose or goal for conducting a BIA?
- Which stakeholders should be involved in the analysis?
- What products and services are you trying to protect?
- How much disruption protection do you need to keep your business running?
- How should the final deliverable look?
2. Conduct BIA interviews
Contact your stakeholders and conduct interviews. Your interviews should confirm (or change) your answers from the preparation phase and identify gaps in knowledge or priorities. You’ll also want to specify which activities each stakeholder will perform to achieve business continuity should a service or a product be disrupted. Specifically, you’ll want to identify:
- The steps needed to complete the activity and whether there are workarounds
- The activity’s peak operation times
- What will be affected during downtime, such as the company’s revenue, costs, reputation, customers, and operations
- Each activity’s dependencies required for its performance, like applications, equipment, team members, and vendors
- A history of past operation completion failures
After you complete the interviews, document and report your findings. Each stakeholder should receive a copy of everyone’s report. Your stakeholders should use this opportunity to review the information, make edits as needed, and approve the document when it’s correct.
3. Present a summary
After the BIA, you’ll present your findings to your company’s leadership with a business impact analysis report. You’ll provide an overview of the key activities needed for business continuity, the resources required to meet those needs, any risks identified during the BIA interview phase, and recommendations based on the risk assessment. More specifically, management should look at each SaaS product and service identified and see how a disruption to it would affect your company. Also, point out the recovery times you’re requesting for each product or service.
What happens after presenting a BIA?
As with any analysis, it does no good unless a plan and action follow it. With interdepartmental input and guidance, your company should form disaster recovery strategies, mitigation strategies, solutions, and techniques for every SaaS item of value in your stack. As a team, you’ll decide how to respond to service disruptions, vendor changes, and more. Decide who will take action, when they will take it, and how long the action plan remains in effect.
Also, know that a BIA isn’t a one-and-done event. Decide how often your organization will conduct BIAs. Too few BIAs could lead to underestimated analysis, but too many could interrupt your business flow.
How to get the most out of conducting BIAs
Some common complaints about BIAs are that they:
- Take too long to conduct
- Provide inaccurate or unrealistic recovery timetables
- Don’t evolve with the company
- Collect too much data to analyze
- Provide useless or irrelevant data
- Don’t motivate senior management
You can overcome these challenges by doing the following:
- Automate where possible, such as by setting up workflows and creating a questionnaire template.
- Ensure you gather relevant impact information and that it supports recovery time objectives (RTO) and recovery point objectives (RPO).
- Conduct BIAs frequently enough to keep them relevant.
- Refine the BIA’s scope to collect only necessary data.
- Interview only suitable stakeholders and use only qualified data-collection methodologies.
- Engage top management throughout the BIA process.
How Vendr can help
Vendr can help you get the most out of your SaaS BIAs by managing all your information technology assets and workflows in one comprehensive SaaS management platform. Our platform can help automate your workflows for faster and more frequent data collection and automate the analysis. By maintaining a single system of record, the platform can keep the right stakeholders involved and top management engaged.