How to improve the quality of your Business Impact Analysis by overcoming Heroes, Egos and Common Pitfalls
A high-quality, well-conducted Business Impact Analysis (BIA) process is at the heart of all good business continuity, disaster recovery and organisational resilience planning. It is the foundation of your recovery program, and everything else must flow logically from it.
A BIA predicts the consequences of any disruption to a business function or process and gathers information needed to develop appropriate recovery strategies, and most importantly to prioritise resources and effort.
A well conducted BIA provides a statement of requirements for recoverability, a hierarchy of priorities, and the value proposition to support senior management’s investments in recovery and prevention strategies. It also highlights an organisation’s vulnerabilities, and provides the basis for optimal investment, and a more resilient and sustainable positioning of the organisation to survive almost any disruption event.
Ultimately, it is the responsibility of the Board of Directors and the CEO to make sure that the organisation can meet the expectations of its customers…and its shareholders.
“As the foundation for informed decision making and with the organisation’s survival at stake, it is vital to ensure consistency and quality of the BIA process.”
Reliable results can only be achieved through effective facilitation, integrated coordination of the process, and strong leadership with the courage to challenge participants and stress test their contributions.
“Overall, you should perform the BIA with an open mind and follow the facts wherever they may lead. Existing preconceptions may be shattered, but if preconceptions were reliable there would be no need for a BIA.”
What are some of the telltale signs that your BIA process needs improving?
Without consistency it isn’t possible to compare ‘apples with apples’ across the organisation with any confidence.
A quick example: let's consider an organisation where the maximum tolerable disruption periods for Process A and Process B have both been determined by participants in the BIA process as being 24 hours. This implies similar levels of business priority for each process. Assuming the figures were arrived at by the participants during separate information gathering activities (e.g. standalone workshop, survey, etc.), are we confident that they have both applied exactly the same lens in reaching their conclusion?
If they haven’t, then the planned recovery and prevention strategies, and the development of continuity and response plans, will be misaligned, jeopardising the continuity and survival of the organisation in the event of a disruption. Funding cannot be targeted effectively (it will be either over- or under-allocated), and the risk of failure increases.
“Not adopting a great BIA process can have significant downstream consequences.”
Here are some of the indicators or signs that your BIA process needs improving:
- The hierarchy of priorities and tolerance levels for disruption (or recovery objectives) change wildly year on year
- The opinions of participants change very quickly when pushed in search of justifications
- The business impact factors used don’t align with the organisation’s risk management framework and criteria
- Too many or too few critical processes have been identified
- Outliers are prevalent in the results that are contrary to reasonable expectations and are not backed up by quantifiable justifications, scenario examples and clear decision traceability
- Functions and processes have been considered only in silos, with little or no organisation-wide consideration and ‘big picture’ rationalisation
- Finally, when faced with an actual disruption scenario, the plans prove to be inadequate
How can the BIA process be improved and what techniques can be adopted to overcome these challenges?
1. Independent and Centralised Facilitation – appoint a common facilitator for the whole process, set the scene well (get everyone on the same page), reinforce and reframe the analysis context over and over again, and use real life examples.
2. Create a Consistent Context – it is important to base analysis on the worst case scenario i.e. plan for the worst and hope for the best. Existing controls, strategies and workarounds should be ignored initially i.e. consider the raw impact first. Always focus discussions on the impacts of disruption and not the causes. The permutations of what could happen are endless.
3. Predefine the Organisation’s Tolerance – make use of the organisation’s risk criteria/consequence table to provide the language for consequences. Importantly, agree a rough maximum tolerable disruption threshold and make use of indicators for it to guide BIA conversations (this helps to remove subjectivity and ensure consistency across sessions). These indicators can also be used to challenge participants’ opinions, further enhancing the quality of outcomes. For example, suppose it was predetermined that an indicator of maximum tolerance is $10 million financial loss (a high impact in the organisation’s risk tables). When a participant suggests that their maximum tolerance for not being able to operate Process X is 3 days, ask them to explain how the organisation would lose $10 million within 3 days. The decision of 3 days must reconcile with the indicators of maximum tolerance.
4. Metrics and Qualifiers – don’t just take a participant’s word for it without stress testing their opinions. Request metrics and quantifiable statistics to support their claims. For example, past incidents that have occurred, maximum fines for a breach, number of customers impacted etc.
5. Document the Justification – The rich conversation that plays out as part of the BIA process is invaluable. Justifications for decisions on priorities, tolerances, etc. should be documented and retained for future reference. People change and corporate memory is lost. The next time the BIA process is conducted, the documented reasoning behind why decisions were made is critical for ensuring consistency across periods and transferring unique insights and knowledge that can be built upon.
6. Standardised Approach – Different consultants or project leaders = different approaches = different results. Consider establishing clear guidelines and procedures for how your organisation conducts the BIA process, and enforce repeatability.