Risk analysis and business impact analysis are two important aspects of ITIL training, specifically in the Service Design stage of the ITIL Service Lifecycle. Risk analysis deals with reducing the likelihood of service downtime caused by problems that are likely to occur. Business impact analysis deals with minimizing the financial and soft losses a company would suffer if a service were interrupted.
In a way, risk analysis and business impact analysis are related, as both aim to ensure that the business is not severely affected by possible service interruptions. The full details of how risk analysis and business impact analysis shape IT service management are usually explored in ITIL online courses, since both are important processes in the ITIL framework.
Let’s take a look at these two important analysis processes: risk analysis and business impact analysis.
The likelihood that a disaster or other serious service disruption will actually occur is an important input to the definition of IT Service Continuity Management requirements, and it is the core reason risk analysis exists. During risk analysis the probability of a disaster or other serious service disruption is evaluated, the impact that the disruption would have is analyzed, and the measures needed to recover the affected services are determined.
For instance, a risk analysis asks questions such as: what happens if a fire in the company's data center destroys all the servers? What happens if a flood or an earthquake takes the servers down? Risk analysis therefore assesses both the level of each threat and the extent to which the organization is vulnerable to it.
If a company's data center is located in an earthquake-prone area and an earthquake would damage all of its servers, the company needs a backup data center in a different geographic location so that services can be recovered quickly. A contingency plan of this kind is one of the outputs of the risk analysis process.
An example of risk analysis
Risk analysis lets threats be evaluated and reduced. Let's illustrate this with a scenario. The map referred to here shows seismic activity in the United States: white areas have the lowest probability of an earthquake and red areas the highest. When planning the IT strategy of a company in the United States, earthquake risk must therefore be taken into account during risk analysis.
For instance, if all servers and infrastructure are built on the West Coast, a single earthquake could take out the entire operation of the IT service provider. A backup site holding regular backups should therefore be located in a safer secondary geographic area, so that if a disaster strikes one location the other can take over the operation and service outage or data loss is minimized. This is a good example of how risk analysis reduces the risk of downtime by assessing the likelihood of a specific risk occurring and affecting service performance.
Risk analysis as part of availability and security management
Note that risk analysis is also a key aspect of ITIL Availability Management and Information Security Management. Availability management aims to meet the availability requirements of the business or customer, so any risk that could cause a drop below the availability service level targets can be assessed during risk analysis. Similarly, security management fundamentally aims to protect the confidentiality of the company's data. Leakage paths or other risks that could compromise confidential data can likewise be assessed and reduced with the help of risk analysis.
Standard risk analysis methodology
In order to deal with risks in a company, a standard methodology such as Management of Risk (M_o_R) should be used to assess and manage risks across the organization. For instance, during risk analysis a risk can be weighed along two dimensions: likelihood (often called possibility or probability) and impact. In this method both dimensions are scored from one to ten. A risk may have a low likelihood but a very high impact if it occurs, or vice versa. After each risk is scored on likelihood and impact, the two scores are multiplied to give the risk's final score. Risks are then prioritized by that score and proactive actions are taken in order of priority to reduce the impact should the risk occur. One caveat a practitioner should keep in mind: the product is an ordinal ranking aid, not a measurement, and a rare but catastrophic risk can tie with a frequent but minor one (2 x 9 and 9 x 2 both score 18), so ties should be broken by impact rather than treated as equivalent.
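The scoring and prioritization just described, as an added example in Python. It is not code from the article or from any ITIL or M_o_R publication; the risk register entries, the 1-to-10 scores and the treatment thresholds (40 and 20) are constructed assumptions chosen to illustrate the method, and the tie-break on impact implements the caveat above.

```python
from dataclasses import dataclass

# Likelihood and impact are each scored on a 1..10 scale (assumed, as in the text).
SCALE_MIN, SCALE_MAX = 1, 10


def is_on_scale(value) -> bool:
    """True if value is an integer score within the 1..10 scale."""
    return isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 10 = almost certain
    impact: int      # 1 = negligible ... 10 = catastrophic

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of silently skewing the ranking.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not is_on_scale(value):
                raise ValueError(f"{self.name}: {field}={value!r} must be an int in {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        # Final score = likelihood x impact, as in the article's method.
        return self.likelihood * self.impact


def treatment_band(score: int) -> str:
    """Map a score to an action tier. Thresholds are illustrative assumptions."""
    if score >= 40:
        return "mitigate now"
    if score >= 20:
        return "plan mitigation"
    return "accept / monitor"


def prioritise(risks):
    """Highest score first; ties broken by impact (severity of consequence), then name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def risk_register(risks):
    """Prioritized register rows: (name, likelihood, impact, score, treatment band)."""
    return [(r.name, r.likelihood, r.impact, r.score, treatment_band(r.score))
            for r in prioritise(risks)]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Earthquake destroys single West Coast data center", likelihood=3, impact=10),
    Risk("Fire in server room", likelihood=2, impact=9),
    Risk("Flood in data center", likelihood=4, impact=8),
    Risk("Disk failure on unreplicated database host", likelihood=8, impact=6),
    Risk("Laptop holding confidential data lost", likelihood=7, impact=4),
    Risk("Short power flicker absorbed by UPS", likelihood=9, impact=2),
]

if __name__ == "__main__":
    for name, likelihood, impact, score, band in risk_register(SAMPLE_RISKS):
        print(f"{score:3d}  L={likelihood:2d} I={impact:2d}  {band:16s} {name}")
```

Run stand-alone, the register lists the disk-failure risk first (8 x 6 = 48) even though it is less dramatic than the earthquake (3 x 10 = 30), which is exactly the point of scoring likelihood and impact separately; the fire and the power flicker both score 18, and the impact tie-break places the fire above the flicker.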
Business impact analysis
Regular business impact analysis is one of the objectives of the IT service continuity management process. The purpose of business impact analysis is to quantify the impact a loss of service would have on the business. Consider a money transfer service that a bank provides to its customers from 9 a.m. to 4 p.m. What happens if this service is lost for five minutes: how many customers are affected, and how does that affect the bank's business? Assessments of this kind are done within the scope of business impact analysis, which is closely related to risk analysis.
Business impact analysis: financial losses and soft losses
Note that an impact identified during business impact analysis or risk analysis may be a financial loss or a soft loss. For instance, if the bank's money transfer service is lost for five minutes during operating hours and the bank earns a commission on each transfer, the outage causes a loss of revenue. If such outages happen too frequently, the bank's reputation in the market suffers and it may lose customers as a result. That is an example of a soft loss.
Business impact analysis: identifying the most important services
Business impact analysis identifies the most important services, which makes it a key input to the IT strategy. Based on the business impact analysis, the company can see which services would cause the greatest financial and soft loss if they were affected, and can prioritize its services accordingly. Note that determining the likelihood of such a loss is the job of risk analysis, not business impact analysis.
The two fundamental aspects of business impact analysis
Business impact analysis establishes two fundamental points. The first is the damage or loss that may occur if a service is interrupted; as described above, business impact analysis determines the financial or soft loss that a loss of service would cause. The second is the time within which minimum levels of staffing, facilities and services must be recovered (the recovery time target for the service). Reconsider the money transfer example and assume the service has been lost. How long will it take to recover from the failure and make the service operable again? How many engineers need to work on the fix? These assessments, and the plans for recovering from a loss of service, are also done within the scope of business impact analysis.
Business impact analysis and risk analysis are closely related: both aim to minimize the damage caused by interruptions to the services an IT service provider delivers. Service owners should be familiar with the processes used in risk analysis and business impact analysis, and can take an ITIL course to learn more about both within the ITIL framework.