Good Practice Guidelines 7.0: Analysing business continuity requirements
This month, we are releasing a series of articles highlighting some of the updates to the upcoming BCI Good Practice Guidelines (GPG) Edition 7.0 ahead of its launch on 1st November 2023.
The GPG Edition 7.0 marks the start of a new journey where the document will be reviewed every year. This means that the GPG can better reflect the changing practices of the business continuity and resilience industry as they happen.
The new GPG consists of six professional practices, split into two management practices and four technical practices. These provide a structure to be used in the development of a Business Continuity Management System. In this article, we will be focusing on revisions to Professional Practice Three (PP3) – Analysis.
The Business Continuity Management System uses two organizational analysis techniques — the Business Impact Analysis and the Risk Assessment. The Business Impact Analysis estimates the impacts of disruption over time to determine the organization’s response, recovery priorities, and resource requirements. The Risk Assessment analyses the relevant risks to prioritised activities to identify concentrations of risk or potential points of failure. Since both of these techniques are introduced and explored in PP3, with their outcomes fundamental to designing appropriate solutions in Professional Practice Four (PP4), it is a critical area for practitioners.
As a result, the group leader for PP3 explained that there was a lot of thought, discussion, and debate on how to make it more practical and efficient for practitioners, as well as to ensure the use of consistent language and messaging across each Professional Practice. The leader also noted that a considerable effort was made to consider and explore feedback submitted by BCI Members on the previous version of PP3 in the GPG 2018 Edition.
Reviewing the BIA types
In this article series, we have already explored how changes to other professional practices within the new GPG 7.0 result in a change of structure or outlook. In addition to these revisions, those who worked to develop the updated PP3 also considered how the GPG can adapt to the changing working practices of the modern-day practitioner and improve their experience.
The group leader highlights that one of the most significant updates to PP3 in the GPG 7.0 is the reduction in the number of Business Impact Analysis types, a revision that makes the professional practice more relevant and practical for organizations. As a result, the Initial Business Impact Analysis has been removed from the new edition, and the three variations of the BIA are now:
Product and Services Business Impact Analysis
Process Business Impact Analysis
Activities Business Impact Analysis
However, the leader explains that, for organizations conducting the Business Impact Analysis for the first time, it may be relevant to carry out an initial assessment at a high level which can be used to develop a framework for more detailed Business Impact Analysis and to clarify the scope of the Business Continuity Management System.
A further change to PP3 is the clear identification of the Process Business Impact Analysis as being ‘optional’ as it is generally performed by process-driven organizations, such as manufacturing.
“When reading through PP3, the professional will find it easy to understand and relate to because of the focus on clarity, as well as the consistency of language and messaging. Secondly, the intention was also for the practitioner to better understand and relate to the components and steps required to implement or conduct a Business Impact Analysis or Risk Assessment in their organization, since all the action steps have been laid out comprehensively yet concisely, with clearly defined stakeholder roles and responsibilities,” said the leader.
A conscious alignment
The leader also noted that another aim throughout the professional practice was to achieve a better alignment with the ISO security and resilience international standards, including ISO 22301 (requirements for business continuity management systems) and ISO 22317 (guidelines for business impact analysis).
“It was a great experience, as both a business continuity professional and practitioner, to work with other professional practice leaders and lead a team of geographically and technically diverse team members, who contributed whole-heartedly to draft the new version. There was a lot of healthy debate which gave a brilliant view of the regional points of view and challenges on the ground,” said the PP3 group leader.
The next article
The next article in this series will explore some of the revisions within Professional Practice Four (PP4).
About the author
Content Creator, The BCI