Unexpected events happen in life, and the happen in work. Things break, fail and occasionally become compromised. It's not really a matter of if it will happen, it's when. How do you protect your organization from negative impacts of those events? Or at least mitigate the impact?
The answer is an Operational Impact Assessment and it's part of a larger, more comprehensive Business Impact assessment. "BIAs" are fairly well-known in the enterprise world but are starting to become more common for small/medium-sized businesses and organizations. OIAs focus on the technical and operation aspects of your company and form an important piece of the puzzle. In fact, we recommend even if you're not doing a full BIA, you should at least start performing regular OIAs no matter what size your organization is.
Creating an OIA
So what exactly is an OIA? The easiest way to describe it is a process to discover possible weak-points or points of failure in your operations and assess how those might affect things in your organization. For example, if you're an accounting firm and your central file-server goes down, this may have a large impact on your ability for you and your employees to do their work. Contrast this with, if a single PC dies, it affects that employee but isn't necessarily a show-stopping issue.
You may already have thought of several of these types scenarios in your head for your own business or organization. The purpose of creating an OIA is to get those scenarios on paper and look at the big picture of how important those tools and systems you use are and what dependencies they have. Going back to our file-server example, everyone knows they require power, but it also depends on the 10-year-old network switch in the closet that connects it to everything else in the network. The server itself doesn't have to have a problem for it to be a glorified paperweight. This is where the true purpose of OIAs really shines.
Getting started is actually pretty easy, however it can be a bit of a time-consuming (and somewhat mentally draining!) process so it's very important to dedicate time to it.
The first step is to build a list of the tools you regularly use in your operations. These can be physical tools like mill or embroidery machine, or virtual tools like a practice management software or customer relationship manager. Basically anything you use daily/weekly in the course of business.
Once you've built out your list, rank those tools by order of importance to your organization. Put the "world ending" stuff at the top with the more "it would be inconvenient but we'd get by" items towards the bottom. Try to be as honest as you can about the importance of these items as many times while working through this process with our clients we see some things which are ranked far too low with others ranked higher than they should be. A handy question to ask yourself while ranking items is "how long can I go without this tool before I start losing money, productivity or control?"
Once you've got your list built and sorted, the real fun begins. Starting from the top of your list, mark down the dependencies that tool has. Try to make this list of dependencies as complete as possible. You don't want to overlook anything. List everything from electricity to whether or not a machine or software requires specialized knowledge. Cloud-based software? Don't forget to put down "Internet" as both a dependency as well as an actual tool in your list (internet/network connectivity has it's own list of dependencies).
Once you've listed dependencies out for each tool in your list (actually called your "stack"), you can start cross-referencing items to look for common dependencies and potential shortcomings. For example, say you use 2 different cloud-based softwares as well as VOIP for your phone system. All 3 are within your top 5 important items in your stack and all require the internet as a dependency. If the internet were to go down, it would have a massive impact on your business. As a result, working on ensuring internet access remains available should be a priority.
OIAs can also help highlight security vulnerabilities as well: The the file server from the accounting firm mentioned above gets hit with ransomware the show's over. As a result, ensuring access to the server is restricted to only those who need it as well as ensuring proper backup/disaster recovery is in-place should remain a focus. Overall, the assessment gives you a view as to potential weak-spots so you can focus on ways to shore them up. More advanced approaches (which we may cover in another article) can also tightly zoom in to budget and cost/benefit analysis making it easy to know how much money can or should be dedicated to identified areas of need.
An Ongoing Process
Once you've completed your first OIA the journey's not over. Regularly reviewing and updating your assessment should be something scheduled out on a regular basis. How frequently depends on the size of your company and how often changes occur. Typically we recommend a minimum of once a year however this can be changed to once a quarter or even once a month in rapidly growing/changing organizations.
Finally, the most important part of this exercise is to be thorough. Don't try to make this something you hammer out in 20 minutes and then move on to other things. An incomplete OIA is an ineffective OIA and you won't get any actual value out of it. The more time you spend on it the more value you'll get out of it and the more your business or organization will benefit.
Having trouble creating your own OIA? It just so happens we help our clients in this area and a whole lot more. If you need help, just click the button below to get started.