There’s fierce debate around the value of a business impact analysis (BIA) in business continuity planning. “How can you proceed to make a business continuity plan without knowing the impact of losing a process or department?” some ask. “Why do a BIA at all, since every department needs to be recovered after a disruption?” others reply.
To choose your own point of view in this debate, you must first understand what a business impact analysis is, when it is done in the cycle of business continuity planning, how you perform it, and what it should tell you when completed.
What is the BIA?
It’s helpful to start by defining terms. According to ISO/TS 22317, the business impact analysis guidance published by the International Organization for Standardization (ISO), “The BIA process analyses the consequences of a disruptive incident on the organization.” The outcomes of that process include the following:
- Endorsement or modification of the organization’s business continuity program scope
- Identification of legal, regulatory, and contractual requirements and their effect on business continuity requirements
- Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements
- Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources
- Identification and establishment of the relationships between products/services, processes, activities, and resources
- Determination of the resources needed to perform prioritized activities (e.g. facilities; people; equipment; information, communication and technology assets; supplies; and financing)
- Understanding of the dependencies on other activities, supply chains, partners, and other interested parties
- Determination of how up to date the information needs to be (in practice, the recovery point objective, or RPO, for the data each activity relies on)
The BIA assumes that departments depend on each other to carry out their functions, but not all dependencies are equal. The billing department depends on the IT department for the information it needs to bill customers. It also depends on the cafeteria to feed its employees, yet it could get along fine without the cafeteria for some time; it could not get along without IT.
The BIA should also establish the timeframe within which serious impact to the business will occur (often called the maximum tolerable period of disruption, or MTPD). This allows you to prioritize which functions to recover first, second, and third based on how quickly their absence will hurt the business.
When do you perform a BIA?
The BIA is usually performed after conducting a risk assessment of the business. The purpose of the risk assessment is to identify the threats to the operations of the business and how likely they are. If your business is along the east coast of the United States, you’re probably not too worried about earthquakes. However, if you’re a manufacturer in, say, Pittsburgh and you rely on a supplier in the greater Los Angeles area, then an earthquake is a real threat to your supply chain, even though it would never touch your own site.
Once you’ve determined the type of risks your company faces and their likelihood of occurring, then it’s time to conduct the BIA. Who should be involved in that process depends upon the size of the organization. The larger the business, the more complex it tends to be. At the least, the leader(s) of each department and its key staff should be involved.
How do you conduct a BIA?
Your method for conducting the BIA will vary with the size of your organization, but there is information you should always gather:
- Are there regulatory requirements?
- Are there legal requirements that need to be met?
- Are there time requirements for re-establishing services?
- Are there service level agreements in place?
- What dependencies exist between departments?
- When will the disruption begin to impact the financial stability of the business?
- What IT applications are used and are there workarounds if they’re not available?
- What equipment needs to be available and are there workarounds if it isn’t available?
There are several ways to approach a BIA. You can choose a formal approach that involves interviewing people from each department to obtain the required information. This can be a time-consuming process, though, and time, as always, is in short supply in most companies.
Another approach is to send a questionnaire to each department. Care has to be taken in creating the questionnaire to make certain the questions are clear. Even with the most carefully written questionnaire, expect respondents to ask for further clarification.
A third approach is to use software to generate the BIA. This is a hybrid between the formal approach and the questionnaire approach: the tool distributes the questionnaire, collects the answers, and consolidates them into the dependency and impact data an interviewer would otherwise have to assemble by hand. It’s most often used when a company has purchased business continuity management software for its program (vendors often market these tools as a “BCMS”; in ISO 22301 usage the BCMS is the management system itself, and the software is only one way to support it).
What will a BIA tell you?
The outcome of a BIA should be the following:
- A ranking of business processes by their criticality to the business
- A recovery time objective (RTO) for each of these business processes
- The critical internal and external dependencies of each business process
- Those processes which have workarounds in place and those that do not
- An action plan to address any deficiencies uncovered by the BIA
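The five outcomes above are related: the criticality ranking follows from how quickly impact becomes serious, the RTOs must be consistent with the dependencies, and the inconsistencies are what feed the action plan. The following is an added example, not part of the original article and not a tool from any vendor, that shows those relationships in working code. It uses constructed sample data (an imaginary company with five processes), an assumed 1-to-5 impact scale with 4 treated as “serious”, and two assumed consistency rules a practitioner would check: a process’s RTO must not exceed the hour at which its impact becomes serious, and a process cannot have a shorter RTO than a process it depends on unless a workaround exists.

```python
"""Added example: turning BIA data into a criticality ranking, a
dependency-ordered recovery sequence, and a list of deficiencies.

All sample data below is constructed for illustration; the impact
scale (1 negligible .. 5 severe) and the SERIOUS threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SERIOUS = 4  # assumed: impact score at which the disruption is no longer tolerable


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: int              # recovery time objective agreed with the department
    impact_over_time: dict      # hours after disruption -> impact score 1..5
    depends_on: tuple = ()      # names of processes this one cannot run without


def mtpd_hours(p: Process) -> Optional[int]:
    """First hour at which impact reaches SERIOUS; None if it never does
    within the hours the BIA assessed (the maximum tolerable period of disruption)."""
    for hour in sorted(p.impact_over_time):
        if p.impact_over_time[hour] >= SERIOUS:
            return hour
    return None


def rank_by_criticality(processes):
    """Most critical first: earliest serious impact, then shortest RTO, then name."""
    def key(p):
        m = mtpd_hours(p)
        return (m is None, m if m is not None else 0, p.rto_hours, p.name)
    return [p.name for p in sorted(processes, key=key)]


def find_gaps(processes):
    """Deficiencies the BIA should surface as action items (assumed rules)."""
    by_name = {p.name: p for p in processes}
    gaps = []
    for p in processes:
        m = mtpd_hours(p)
        if m is not None and p.rto_hours > m:
            gaps.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTPD {m}h")
        for dep_name in p.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                gaps.append(f"{p.name}: depends on unknown process '{dep_name}'")
            elif dep.rto_hours > p.rto_hours:
                gaps.append(f"{p.name}: RTO {p.rto_hours}h but dependency "
                            f"{dep.name} has RTO {dep.rto_hours}h")
    return gaps


def recovery_order(processes):
    """Dependencies first; among processes whose dependencies are already
    recovered, shortest RTO first. Raises ValueError on a dependency cycle."""
    by_name = {p.name: p for p in processes}
    # unknown dependencies are reported by find_gaps, so they must not block ordering
    remaining = {p.name: set(p.depends_on) & set(by_name) for p in processes}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (by_name[n].rto_hours, n))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


def has_cycle(processes) -> bool:
    try:
        recovery_order(processes)
        return False
    except ValueError:
        return True


# Constructed sample: hours 4, 24 and 72 after the disruption were assessed.
SAMPLE = [
    Process("IT core systems", 24, {4: 2, 24: 4, 72: 5}),
    Process("Billing", 4, {4: 3, 24: 5, 72: 5}, ("IT core systems",)),
    Process("Customer support", 8, {4: 2, 24: 4, 72: 5}, ("IT core systems",)),
    Process("Payroll", 48, {4: 1, 24: 2, 72: 4}, ("IT core systems",)),
    Process("Cafeteria", 72, {4: 1, 24: 1, 72: 2}),
]

if __name__ == "__main__":
    print("Criticality ranking:", rank_by_criticality(SAMPLE))
    print("Recovery order:     ", recovery_order(SAMPLE))
    for gap in find_gaps(SAMPLE):
        print("Action item:", gap)
```

On the sample data the ranking puts Billing and Customer support ahead of IT core systems, because their impact becomes serious just as early and they carry tighter RTOs, while the recovery order still puts IT core systems first because the other two cannot run without it. The gap list then records exactly that tension: two departments have committed to RTOs that their IT dependency cannot meet, which is the kind of finding the action plan has to resolve, either by shortening the IT RTO or by documenting a workaround.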
The information gathered and analyzed by the BIA is crucial to creating a business continuity plan. It’s a step in the business continuity planning process that should not be skipped. It may be true, in a small company, that the senior leaders have a good idea of which business processes are critical. Assumptions should always be challenged, however, because without hard data business leaders can let their biases color their judgment. The BIA provides unfiltered facts about business processes and helps the organization create its plan for recovery when a disruption occurs.
DAVID DISCENZA, Certified Business Continuity Professional and president of Discenza Business Continuity Solutions, has been involved in business continuity planning since 2009. He was the business continuity manager for the Risk & Information Management (RIM) group within American Express. His responsibilities included the development, maintenance and testing of their business continuity plan. He was also responsible for creating the emergency communication strategy for the RIM organization. David is a graduate of Boston College and Indiana State University. He has extensive experience working with major US corporations including General Electric and CIGNA Healthcare. David is certified as a Business Continuity Planner by the Disaster Recovery Institute International.