I hope you are doing well. My question is about resource availability during a business impact analysis.
I based my BIA analysis on the Advisera form. In connection with the audit, there was confusion in the context of defining the "time after which the resource is necessary". How should this field be understood? As an example: the MAO time for an activity is 24 hours. The assumed RTO time is 12h. Resources needed for restoration are: 3 people, 1 key system, telecommunication links. By "immediately" do we mean immediately after the incident occurs, or after the activity has been recovered, or do we assume the time we give the employees to react/start the activity.
Please note that the "time after which the resource is necessary" term will vary according to the asset considered.
For example, if the situation is the loss of an office where employees performed a process, we can have these necessary resources to ensure continuity: an office, furniture, workstations, employees.
These assets may have different times for which they will be needed. Since it does not make sense to bring the employees to the office before it is ready to accommodate them, they will have different times for need (e.g., the office is necessary immediately after the incident, and employees will be necessary 2 hours after the incident).
This planning is useful when you do not have a hot site strategy implemented and the alternative infrastructure will be built after the incident.
Thank you for your reply. This is a difficult thread for me. Going further with the example of the same activity:
The activity let's assume is about development, maintenance and debugging for system x
MAO time for an activity is 24 hours. RTO time is 12h. Resources needed for restoration are: 3 people, 1 key system, telecommunication links.
The basic assumption for the location is hybrid work by default and office work as an alternative. The hardware will be purchased after the loss and the system is backed up in an alternative server room.
Using the Employees resource as an example:
1. In the case of an office related failure - the situation is unchanged, the interruption of operation has not occurred.
2. in case of failure of the system x - suppose it needs these workers to repair it (they are also responsible for its maintenance), the scheduled time for error verification is 1 hour, 8 hours takes the procedure to run the backup, 1 hour testing after the backup. A total of 10 hours. Then it needs the resource after 2 hours max to maintain the RTO time.
3. in the situation of failure of telecommunication lines necessary for remote work - needs employees to 10 hours in the office to provide them with 2 hours to check the configuration, start up computers, etc.
What resource availability time should I enter in this case. The time depends on the type of disruption and the strategy adopted. With the increase in the number of resources, increases the difficulty of determining the time of availability.
On the basis of the sent example, will it be correct to assume the availability time of the resource as 2 hours and add in additional information message, which results in this time, will be ok?
Or is the assumption of the form different? The instructional video went through this thread, I feel, very quickly, and this is in my opinion a very important assumption.
I've seen BIA analyses where resource availability times were dropped, but I wouldn't want to do that if I can confirm that I know how to use the tool accurately. Best regards
Now, considering your scenario, item 1 is ok. Since it is the alternative site, any related failure will not affect the normal operations.
For item 2 your assumption is correct (I’m assuming that by “procedure to run the backup” you mean the activities to bring the system online again, not only recovering data). Since the total time for working the recovery, activities is 10 hours, to achieve the 12h RTO, employees need to be available at most after 2 hours of the disruptive incident.
For item 3, since you considered 2 hours to perform all necessary checks and activities required to bring communication lines, then to achieve the 12h RTO, employees need to be available at most after 10 hours of the disruptive incident. Please note that the 2 hours defined as needed to perform all necessary checks and activities will in fact depend on the type of disruption, and some of them may require an intervention of your supplier (e.g., communication cable disruption, equipment failure, etc.), so it should be better to bring the employees as soon as possible.
For this situation you may consider two main strategies: 1) the failure occurs on an element you have control over, and 2) the failure occurs on an element controlled by your supplier (in this case you have to take into account its own RTO). For example, if the supplier RTO is 4 hours, and your internal activities take 2 hours, after those of the supplier, then your supplier needs to be available at most after 6 hours of the disruptive incident occurs so you can achieve your 12 hours RTO.
Thank you for your answers. Then, if I understood correctly, based on the above considerations in the questionnaire field: availability time for the Employee resource, I should enter the shortest possible availability option, which is 2 hours from scenario #2. Am I correct?