The business impact analysis (BIA) is a key facet of any business continuity program. It sits right at the heart of the benefit that business continuity can bring to any organization.
It has concerned me recently that I have read a number of papers suggesting that the business impact analysis is either unnecessary or that short cuts could be used. While it is understandable that people would like to reduce the work involved in delivering a business continuity project, to play around with the business impact analysis without understanding the risks of doing so is to put the whole business continuity plan at risk.
A business impact analysis considers each activity or service within an organization; analyses its importance to the strategic objectives of the organisation as a whole and, if appropriate, the department or division in which it sits. This allows us to start to understand a certain activity’s criticality and build a profile of the organization’s overall critical activities.
The assessment then determines the impact over time of the services or activities being disrupted. This is where business continuity works so well because it is impact focused and not risk led. It looks internally at an organization and not externally – at this stage – at threats. Therefore ensuring a thorough understanding of the impact of disruption to, or loss of, a service or activity rather than what actually might be lost under multiple different circumstances.
Inputs and outputs of a business impact analysis
How tolerant are you?
Once the impacts have been determined, the maximum tolerable period of disruption (MTPD) can be worked out, by estimating how long after a disruption to or loss of that activity, you can survive before recovery becomes impossible. This then also enables subsequent prioritization of appropriate recovery strategies to be selected against time.
The business impact analysis is key to your continuity planning and determining, in the event of any major disruption, what needs to be done.
More importantly, the work will have established what period of ‘downtime’ is tolerable and the recovery time objectives (RTO). Recovery time objectives allow you to know how fast or slowly the business needs the identified activities or services back up and running. This allows the serious planning of how achievable those aspirations are!
Recovery point objective and recovery time objective timeline
How far to go?
One of the challenging areas in today’s ever busier world is to decide just how far into the organisation to take the BIA, and I suspect it is here that the confusion can occur.
The BCI Good Practice Guide suggests options as follows:
Initial BIA: To develop a framework for further analysis and clarify the BCM programme scope.
Strategic BIA: To identify and prioritize the organization’s products and services, and understand the organization’s recovery timescales and disruption tolerance levels.
Tactical BIA: To determine the dependent activities for the most urgent products and services and assess the impact of a disruption on them.
Operational BIA: To determine the required resources for the continuity and recovery for the most urgent activities.
If you have not done any business continuity planning before, carrying out a strategic BIA with the senior management can be extremely useful because it:
- Generates top-level buy-in.
- Creates agreement on the organization’s strategic objectives and what really matters to delivering them.
- Opens the door to agreeing BC champions at lower levels, who can assist in embedding business continuity activities within your organization.
- Prevents later disagreement with the BIA outputs because they set the landscape to begin with.
The value of good guidance
As the business impact analysis is rolled out at the desired level it is important that the BC champions understand what the executive team considers to “really matter,” the outputs they will create and why they are doing this.
Well briefed champions produce far more valuable data than those dumped in the process and simply asked to fill out a spreadsheet or page in a business continuity software application.
Conclusion
Much more could be said about the business impact analysis’ role within a business continuity program, but here I simply wanted to set out its importance to your organization’s wider business continuity framework.
For a BIA to be successful, it must be set against clear objectives and scope; be focused on impacts and not risks, and those supporting the process must understand why they are doing so.
Various horror stories abound the industry of major businesses who got “lost in their own BIA,” emerging years later unfinished. Being very focused on the scope and what you want from it, with clear senior input from the outset allows the business impact analysis to be an outstanding tool, the results of which can steer everything you do during a disruption.
Ultimately, the business impact analysis gives you very useful data for work area recovery planning, allowing smart investment in what can be an expensive service, and often purchased more on gut feel than a fully analyzed requirement. The data can also be used for wider organizational cost-benefit analysis, having established what is critical to your organization in true terms.
The importance of a comprehensive business impact analysis cannot be stressed enough. When all around you is chaos and you stand outside the burning edifice that was your office, it is not the time to regret that some short cuts were taken.