More than just a BIA!

  • 06 Jul 2020
  • Steve

The BIA (business impact analysis) process has been, and probably always will be, a much-discussed topic in regard to BCM (business continuity management). Why? Well, because it’s so incredibly important, that’s why! Who in their right mind would build a house on sand? Why, therefore, would you develop and implement a BCP (business continuity plan) for your organisation without sound foundations? I’m a great believer in the term “act on facts” and if I have the responsibility for the company’s BCP then those ‘facts’ must be gathered from the most reliable and knowledgeable sources - the business process ‘owners’. The facts or information required and how it is gathered is down to the BC professional. I think everyone agrees that one of the key requirements in producing a BCP is that the plan is based on the ‘business’ requirements.

A BCP is most effective when the information gathered from the business is relevant, consistent and fit-for-purpose. In these days of ever-increasing threats, it has never been more important that the information gathered from the BIA, although dynamic, can be easily interpreted for use in a variety of disaster/disruption scenarios – not necessarily the worst-case.

My personal approach to ‘gathering’ the best information has always been through face-to-face BIA meetings with the most appropriate ‘owners’ of the information.  In most cases the meetings will be held with senior manager level ‘owners’. This is so important as it will inform strategies for such things as alternative workspace/workarea recovery, IT backup and recovery and supply chain resilience as well as the plan itself.  If I’m honest in my desire to gather information that can be as dynamic as possible then the process needs to be kept as simple as possible.  If a BIA is too complex and ‘technical’ for the business owner to understand then you will either ‘lose’ them early on in the process or you will get unreliable information. There has to be a two-way benefit for both the business owner and myself because the output will make up the main body of their plan, which they will be expected to implement successfully if and when needed.

The main steps in my BIA process are to identify and meet face-to-face with the ‘right’ people, gather the information in a simple but informative and engaging manner, send them the output to review and confirm, consolidate with the rest of the BIA data from across the business, gain ‘sign off’ from the respective directors and then obtain ratification by the company’s business continuity steering group or equivalent. The process is then carried out again every 12 months. Through this familiar and consistent approach each review requires less time unless there is a major restructure. However, even this can be minimised as everyone becomes more familiar with the process.

In my 18 years as head of business continuity at a major UK supermarket retailer, up until 2012, I must have conducted at least 1,500 individual BIA data collection interviews. This also included the company’s subsidiaries, one of which was based in the US.

There are so many other benefits to be realised when undertaking the annual BIA data collection exercise. As I have already stated, my approach has always been through face-to-face interviewing.  In addition to gathering sound information, which is clarified and confirmed on the day, you are able to inform, educate and promote what business continuity really means in its broadest sense to so many individuals. 

From a career opportunity perspective, it also provides the BC professional with a unique insight into how the business works, as well as who is most instrumental and influential in making it all come together. As we all know, building your internal ‘network’ is a major benefit in our line of work!

It is not unusual, when business owners are talking about their resilience in a BIA meeting, that they often ‘open up’ about other concerns they have about the company’s exposures. This can then be picked up and passed on to the relevant ‘risk-related’ areas within the organisation. If one thinks about the more expansive role and responsibilities for leading organisational resilience then conducting effective, efficient and dependable BIAs goes a long way to equip oneself to fulfill such a role in a way that no other risk-related function in the company (such as information security or health and safety) can match.

I have now taken this approach, which I believe was a major contributory factor in embedding BCM in the aforementioned retail company’s culture, into many different companies across many different sectors.  I believe it has helped my clients to have a better understanding and appreciation of what goes into making a business continuity program and how it really relates to their business. I cannot imagine how benefits such as plan integrity, sound and robust strategies as well as increasing and maintaining levels of awareness and education can be achieved without the BIA process.

The BIA has been integral to the business continuity methodology since long before the very first version of the BCI’s Good Practice Guidelines back in 2001.  For me it remains the cornerstone of good and effective BCM, which will continue to evolve and enable business continuity professionals to use it in an increasingly flexible and adaptable way. I think that the BIA is a resilience tool in its own right and an unmistakably important part of how to create, implement and maintain sound and robust business continuity plans.  Long may that continue!

About the author

Steve Mellish

Director, Mellish Risk & Resilience

Steve is the founder and Managing Director of Mellish Risk & Resilience Limited, which specializes in organizational resilience and business continuity management with an emphasis on collaborative leadership and cultural integration. He has been a Fellow of the BCI (Business Continuity Institute) since 2000 and was awarded an honorary fellowship in 2015 for services to the institute. Much of Steve’s more than 25 years’ experience has been gained from creating and establishing an enterprise-wide business continuity program for Sainsbury’s, one of the UK’s largest retailers. He was also instrumental in creating the company’s incident management capability, which over a 12-year period responded to more than 60 serious incidents. Elected onto the BCI Board of Directors in 2002, Steve has twice held the position of Chairman, in 2004-2006 and 2012-2014. He built a reputation for expanding the global profile and membership of the BCI as well as introducing a well-structured approach to strategic planning and change management. Since leaving Sainsbury’s in 2012 he has built up a client base across many different countries and industry sectors including retail, financial, broadcasting, utilities, aviation, logistics and public sector. In 2018, Steve won the BCI’s Global and European Continuity & Resilience Consultant of the Year awards as well as receiving the CIR Lifetime Achievement Award. Steve continues to offer his knowledge, skills and experience in a voluntary capacity, being appointed as a Trustee of Garden House Hospice Care in January 2016 and also Chairman of the Garden House Hospice Trading Company in January 2017. Steve is a very experienced writer and public speaker, having chaired and presented at numerous high-profile conferences for the past 20 years in countries all around the world.