Business Impact Analysis – Getting it Right
It could be the devastating uncontrolled Australian bushfires or the series of floods that affected 13 Indian states; it may be the Fukushima nuclear reactor meltdown in Japan or the recent novel coronavirus outbreak. Any of these disasters could cause serious damage to an organisation. In fact, even a small disruption such as a power outage or a political strike can throw an organisation off track for months. Are you really prepared? How well are you prepared? Can you recover from a disaster?
An effective Business Continuity Management System (BCMS) answers all of the above questions and safeguards the organisation against such interruptions. One of the founding pillars of a BCMS is the Business Impact Analysis (BIA). The BIA lays the foundation for the entire BCMS, and if it is not carried out in true spirit it can result in:
- Inaccurate Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- Inaccurate identification of critical processes
- Incorrect prioritization of critical processes
- Incorrect count of the critical resources required to support the crisis
- Inability to map the dependencies of critical processes
Hence it is crucial to get the BIA right and to keep improving it based on the lessons learnt from actual incidents and from planned tests and exercises.
Let’s dive in to understand how to complete an effective BIA:
A BIA collates the data and information required to develop a recovery strategy by predicting how the consequences of a disruption grow over time. The following steps help to complete the BIA effectively.
Obtain management support
Like any other management system, a BCMS requires a top-down approach. An effective BIA needs the backing of the executive management; without it, the analysis is destined to fail. Management should help define the following:
- The BIA methodology
- Impact categories (legal, reputational, regulatory, etc.)
- Parameters for rating each impact category as 'Low', 'Medium' or 'High'
- Urgency / priority categories
Conduct interviews rather than just sending questionnaires
Interviews are always more effective than questionnaires sent out on their own. The conversation improves the accuracy and efficiency of the data collected for the BIA, and it keeps the business coordinators aligned with what is needed to capture near-accurate impact details.
Capturing the BIA data after the interview
Any BIA software, or a simple Excel template, can be used to capture the findings of the BIA interviews. Whatever the tool, it is crucial to capture the following:
- Impact over time for every activity/task
- Maximum Acceptable Outage (MAO)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Minimum Business Continuity Objective (MBCO)
- Critical dependencies:
  - Internal processes
  - External vendors
  - Vital records
  - Non-IT infrastructure
- Critical resource count
The process coordinator should have the BIA vetted by the respective process head, so that the process owner agrees with the captured data and the analysis.
Consolidate and analyse the BIAs
The purpose of consolidating the BIAs is to give all stakeholders a holistic view of the data and information collated during the BIA process. The consolidation should clearly identify the most critical processes within the scope, prioritised by their criticality. This helps the business and top management decide on the strategies required to recover these processes.
Involvement of the IT Team
Complete an IT BIA for each application or service used by the organisation. It should also capture the current status of each application or service, such as:
- DR status (is the application available on DR?)
- RTO & RPO
- Storage and Backup details
- Server and Network details
These details should then be compared with the BIA details obtained from the business departments, and the comparison presented to management as the organisation's requirements versus its current ability to deliver them. This helps management choose cost-effective solutions to close the gaps between the two.
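As an added illustrative example (not code from the original post), the script below consolidates constructed business-BIA records with a constructed IT BIA: it derives each process's MAO from its impact-over-time table, checks that the agreed RTO does not exceed the MAO, ranks processes by criticality, derives the RTO and RPO each application must meet as the most demanding value across the processes that depend on it, and flags every application whose current DR capability falls short. The process and application names, the figures, and the three-level impact scale are all assumptions made for the example.

```python
from dataclasses import dataclass

# Rating scale agreed with management (assumed: three levels, "high" = unacceptable)
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ProcessBIA:
    """One business process as captured in the BIA interview."""
    name: str
    impact_over_time: dict   # hours since disruption -> "low" / "medium" / "high"
    rto_hours: int
    rpo_hours: int
    applications: list      # IT dependencies identified at interview


@dataclass
class AppBIA:
    """One application as captured in the IT BIA."""
    name: str
    on_dr: bool             # is the application available on DR?
    rto_hours: int          # currently achievable RTO (meaningless when not on DR)
    rpo_hours: int          # currently achievable RPO


def mao_hours(proc, unacceptable="high"):
    """Maximum Acceptable Outage: earliest hour at which the impact reaches the
    level management defined as unacceptable, or None if it never does."""
    threshold = IMPACT_SCALE[unacceptable]
    for hours in sorted(proc.impact_over_time):
        if IMPACT_SCALE[proc.impact_over_time[hours]] >= threshold:
            return hours
    return None


def rto_within_mao(proc):
    """A recovery target later than the MAO is itself unacceptable."""
    m = mao_hours(proc)
    return m is None or proc.rto_hours <= m


def prioritise(processes):
    """Rank processes for consolidation: shortest MAO first, then highest peak impact."""
    def key(p):
        m = mao_hours(p)
        peak = max(IMPACT_SCALE[v] for v in p.impact_over_time.values())
        return (m if m is not None else float("inf"), -peak, p.name)
    return [p.name for p in sorted(processes, key=key)]


def required_app_targets(processes):
    """Each application inherits the most demanding (smallest) RTO and RPO of
    every process that depends on it."""
    req = {}
    for p in processes:
        for app in p.applications:
            rto, rpo = req.get(app, (p.rto_hours, p.rpo_hours))
            req[app] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    return req


def gap_analysis(processes, apps):
    """Compare the business requirement per application with current IT capability."""
    required = required_app_targets(processes)
    capability = {a.name: a for a in apps}
    gaps = {}
    for app, (need_rto, need_rpo) in required.items():
        cur = capability.get(app)
        if cur is None:
            gaps[app] = ["no IT BIA on record"]
            continue
        reasons = []
        if not cur.on_dr:
            reasons.append("not available on DR")
        else:
            if cur.rto_hours > need_rto:
                reasons.append(f"RTO {cur.rto_hours}h > required {need_rto}h")
            if cur.rpo_hours > need_rpo:
                reasons.append(f"RPO {cur.rpo_hours}h > required {need_rpo}h")
        if reasons:
            gaps[app] = reasons
    return gaps


# Constructed sample data (assumed figures, not from any real BIA)
PROCESSES = [
    ProcessBIA("Payments", {4: "low", 8: "medium", 24: "high"}, 8, 1, ["CoreBanking", "SWIFT-GW"]),
    ProcessBIA("Payroll", {24: "low", 72: "medium", 168: "high"}, 72, 24, ["HRMS"]),
    ProcessBIA("Customer support", {4: "medium", 8: "high", 24: "high"}, 4, 4, ["CRM", "CoreBanking"]),
]
APPS = [
    AppBIA("CoreBanking", True, 6, 2),
    AppBIA("SWIFT-GW", False, 0, 0),
    AppBIA("HRMS", True, 48, 24),
    AppBIA("CRM", True, 2, 1),
]

if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.name}: MAO={mao_hours(p)}h RTO ok={rto_within_mao(p)}")
    print("Priority:", prioritise(PROCESSES))
    for app, reasons in gap_analysis(PROCESSES, APPS).items():
        print(f"GAP {app}: {'; '.join(reasons)}")
```

In the sample data CoreBanking is shared by Payments and Customer support, so it inherits the 4-hour RTO of the latter and the 1-hour RPO of the former; the IT BIA's 6-hour/2-hour capability therefore shows up as a gap on both counts, while SWIFT-GW is flagged simply because it is not on DR. That requirement-versus-capability list is what management needs in order to decide where to spend.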
Following the above steps will guide an organisation towards an effective BIA. However, this is not the end of the process. The BIA is a continuous exercise and needs to be revisited at least annually, after any major business change (including, but not limited to, a change in staff strength, organisational changes, onboarding or termination of services, or technological changes), and after any major incident.
References: ISO 22301 – Business Continuity Management Systems; ISO 22317 – Guidelines for business impact analysis (BIA)
It would have been better if there were small one-liner kind of definitions used for these terminologies.