The Business Impact Analysis, or BIA (defined as the process of analysing business activities and the effect that a business disruption might have upon them), is a critical part of successful business continuity management.
Without a thorough and reliable BIA process, an organisation cannot have confidence that they have accurately identified their areas of vulnerability, the possible disruptions they might suffer, or the extent to which they are prepared to respond.
So what do you need to do, or not do, in order to get this process right?
Below is a range of the most common problems that stymie good BIA processes.
- Critical business functions or activities are not correctly identified
It’s important to involve all relevant stakeholders in a preliminary exercise of listing all work functions and discussing these lists in teams, to ensure that nothing is inadvertently overlooked.
- Estimated business impacts are overstated
It’s a common response to assume the worst case scenario when considering the potential impact on the business from the loss of a function or resource. However, an objective assessment looking at what current controls are in place will often result in a less catastrophic outcome.
- The length of time a critical resource or function can be down without impact is inaccurately estimated
Again objectivity must be brought to bear when considering how long a function can be done without. Just because something is usually done, say, daily or within a week of a triggering event, doesn’t necessarily mean that it must be restored within a day or a week. Ask the question, what happens when the office closes down at Christmas time? If it’s possible to reschedule or do without the function in holiday time, it’s possible to do the same during a crisis.
- Too many resources or functions are prioritised as requiring immediate restoration
Classing too many functions as requiring immediate restoration in the event of a business disruption makes for an almost certain failure to achieve the deadline for everything. A realistic assessment of the timeframe for which a function can be done without or worked around is important to allow for better prioritisation and a more achievable distribution of effort during the restoration phase.
- The “key man dependency” phenomenon
Many organisations have functions that can only be authorised or carried out by a small group, or even one individual. There is a tendency in such cases for the organisation to identify this as a business continuity risk that can’t be managed. However, similar to item 3 above, work-arounds have likely been developed for periods of annual leave or illness.
- Interdependencies between business functions/activities are not recognised
This is where silos within an organisation can be a real risk. Teams within an organisation that rely on information or action from another area to achieve their critical functions must recognise this and work closely with the other team(s) to develop work-arounds. Separate BIA workshops for different teams or areas within large organisations are common, but it’s vital to build cross-team collaboration into the BIA process.
- Everyday tools such as common software are taken for granted (e.g. email, internet)
Everyday tools that are so ubiquitous that they are taken for granted can sometimes be forgotten when identifying the tools and processes upon which critical functions rely. Take a step back and consider whether every resource used in a critical function has been remembered.
- Extrapolation is difficult
Imagining the impacts on an organisation of the loss of a function for a day might be relatively straightforward, but how does the impact change if it becomes 2 days, or 5, or 10? Cross-team collaboration in the BIA process is again important to ensure the extrapolation of the imagined impacts over time are realistic.
The results of the Business Impact Analysis process must be an accurate prioritisation of critical functions and resources, in order to allow the organisation to invest in and implement the right business continuity arrangements that maximise resilience and efficacy.
Please contact QRMC if you would like assistance with your Business Impact Analysis.