Analyzing the I in BIA
In part one I gave an overview of how the concept of the business impact analysis is depicted in standards and good practice to set the stage and the tone. So, the stage is set to develop this further - to discuss how the BIA can be undertaken and add value, and to prove its worth before there is a rush to use AI to undertake your BIAs and take away that burden even further.
The concept is to undertake some analysis of impacts that may occur, over a timeline associated with a disruptive incident. To define analysis – it’s a detailed examination of the elements or structure of something (Oxford languages).
The something in this case is the business and before the reader suggests that not all organisations are operated as a business, which is true, then maybe one of the issues is the actual title of business impact analysis.
Would I change it, ‘analysis of adverse impacts over time of incident’ is a better reflection of the true analysis, which would make an awful acronym.
What are we trying achieve?
The required initial output in plain English is to understand what level of adverse impact is considered unacceptable (intolerable) and in what timeframe would that occur.
This is the starting point, which is often the issue, this would lead to an understanding of the maximum tolerable period (time) of disruption (MTPD) as the unacceptable point in time with unacceptable levels of impact.
Many organisations do not use the concept of MTPD at all, for those who choose not to, this is the first fatal mistake when undertaking a BIA. If you do not know what is unacceptable how do you know what is?
Think back to part one. Remember, start by understanding what top management consider their tolerances to be, then cascade down. Ten days without product or service delivery may be deemed unacceptable by top management.
Top management can have two opinions, how long is too long and what level of recovery is considered to be a stable sustainable state of operation – the minimum business continuity objective (MBCO). Their analysis totally depends on this to set the priorities at a strategic level for products and services.
Although the latest GPG V7 does not mention the MBCO in the Products and Services BIA it does say that the recovery time objective can be suggested by top management. I personally do not believe this is feasible so early in the process, as all lower order processes and activities would have to default to a lesser timescale.
I therefore suggest that the strategic level BIA (Products and Services) can only suggest and propose tolerances and desired service levels leading to prioritisation.
The product and service BIA through analysis, should determine priorities, that which you least tolerate (in terms of time) becomes the first priority, this to me seems to be a common-sense approach.
If top management’s signed off priorities are known from the start, you can stop asking the most worthless question ever when undertaking a BIA: “Are you critical”? The answer to which is invariably, yes. Followed by “when do you want to recover”, answer, ASAP. Not exactly analysis, I would suggest.
Imagine instead that you start a lower order BIA with:
1/ Top management have designated this product or service as priority one, does this product or service depend on your process, activity, or resource?
If the answer is yes, then the BIA is grounded on the tolerances and priorities decided by top management.
2/ Top management have stated that the desired service level for this product or service is 80% of normal operations, which will be considered as the recovered position and a stable sustainable state of operation, prior to understanding how to get back to business as usual (BAU).
Worthwhile mentioning here is that top management’s desires are not always achievable and affordable, and this decision is finalised later when designing strategies and solutions (assuming you are following good practice?)
So, the analysis starts in detail with top management’s desired objectives.
There are a myriad of BIA templates, driven by consulting bodies and software manufacturers or legacy templates within an organisation, even templates often shared between like-minded organisations.
The concept is that you analyse adverse impacts, for which there are a series of impact types or categories. Typically following risk management theory, such as financial, reputational, operational, regulatory etc, the list is endless and bespoke to your organisation.
Why have so many impact types? It is possible and likely that each impact type may have a different tolerance profile.
In plain English, you may tolerate a longer period of time for regulatory impact, but a shorter tolerance in time for reputational impacts.
As a rule, the shortest tolerance takes precedence, and a short tolerance (MTPD) leads to an even shorter recovery time objective (RTO)
So, now we know what impact types matter the most, we know what we deem unacceptable in terms of time and impact.
Always start with the default position of the wishes of top management from the strategic view delivered by the Product and Service BIA.
Example: A manufacturer view
Imagine you manufacture motor vehicles; you have several variants and from three variant models top management have determined that the “Sport Utility Vehicle” is the highest priority in terms of recovery.
The production process for that model automatically defaults to priority one, any operational activities that deliver that production process also default to priority one and resource requirements (internally or externally provided) also become priority one. In an incident I understand what my priorities are.
This assists in creating a dependency map, sometimes called “the value chain” in some organisations. It also closes the “missing link” between the BIAs and supply chain resilience by highlighting priority suppliers (who are not always legal third parties).
It also means that the question, “are you critical” is now redundant, supplanted by “when are you a priority” and a justification as to why.
How is it justified? By analysing the impacts over time. This is where we will go next. Look out for part three, where will discuss impacts over time, dashboards and getting the right people involved.
More on
About the author
David Window
Director
