Exploring the Good Practice Guidelines 2018 edition: Analysis (PP3)
A word about the redesign of the BCM Lifecycle.
The BCM Lifecycle has evolved visually from a separate, stand-alone cycle of activities into a series of inter-connected cogs. The new design recognises business continuity management as a key discipline in the overall organizational resilience picture. The related management disciplines are shown as separate but closely linked cogs to represent the relationship between the disciplines. Throughout the guidelines, the importance of collaboration between these disciplines is emphasised.
Analysis is the stage of the BCM Lifecycle that reviews and assesses an organization to identify its objectives, how it functions, and the constraints of its operating environment. The main technique used to analyse the organization is the Business Impact Analysis (BIA). A risk and threat assessment is also undertaken at this stage.
The Analysis Professional Practice has been subject to the most change as part of the GPG revision. The key change is the alignment to ISO/TS 22317:2015, the international standard for business impact analysis guidance. While different BIA methods exist, the GPG 2018 edition provides guidance for professionals to apply and adapt these methods as appropriate to the size, complexity and type of the organizations they work in. Combined with a risk and threat assessment, the BIA remains the most effective technique to analyse the organization and to determine the business continuity requirements that will support a more informed response to disruptions.
The GPG 2018 edition recognises that there are many approaches to doing a BIA, and that not all types of BIA are always required. A lengthy and overly complex process is not necessary; applied appropriately, the BIA is invaluable for gaining a thorough understanding of what an organization requires when things go wrong.
PP3 describes how the business continuity professional considers the risk of disruption to an organization by undertaking a risk and threat assessment. It recognises the need for a closer relationship between the business continuity and risk management disciplines when building organizational resilience.