A solid business impact analysis (BIA) gives any organization the ability to know, with some certainty, which lines of business are the most critical. This gives your organization the ability to determine which lines of business you will recover and in what order you would recover them in a disaster scenario. The technology teams will be using this information to determine the infrastructure and systems they need to recover, and it will give them a recovery priority for each.
We can use this information in our vendor management program to determine which vendors are critical and which vendors are high risk, and it will influence how we manage our most critical and high-risk vendors.
One of the tips and tricks I've learned over the years is to use the recovery time objectives (RTO), the recovery point objectives (RPO), and the maximum tolerable downtime (MTD) that the BIA for your own organization will develop to match against those of your vendors. If the vendor's RTO, RPO and MTD are greater than your organization's RTO, RPO and MTD, that's a problem. The problem is, your vendor may not be able to recover in your time frame.
I'm curious to know how others are using the BIA in their vendor management or third-party risk management programs and whether or not it's working.
Original Message:
Sent: 09-10-2019 10:21 AM
From: Tammy Burns
Subject: Business Impact Analysis
How does the business impact analysis affect our vendor management program?