Never Bring Me a Problem, Always a Solution
In Part 3 of this series, I analysed impacts over time and how they are visualised. In Part 4 I will look at a top-down BIA implementation model.
Let’s imagine that your organization has made the following decisions regarding the concept of analysis in the context of business continuity management:
- In the quest for resilience the organization will create a genuine response capability by in part understanding the adverse impacts that would occur over the timeline of an incident.
- The organization will measure adverse impacts as a downturn in positive operating targets: targets imposed by the organization or through regulation or legislation and designed to measure success, such as key performance indicators or regulatory parameters.
- The analysis timeline for the incident will be based on the risk appetite of top management, using an initial analysis that captures top management's view of their maximum tolerance for disruption over time and their aspiration for a level of service recovery to a stable, sustainable state of operational delivery, formally expressed in their signed-off Product and Services BIA.
- The initial analysis will be based on current risk registers, horizon scanning and a high-level overview of adverse impacts over time, to establish priorities at a strategic level for the organization’s products and services.
- Priorities will initially be set by top management, signed off and approved, and included in any terms of reference for a business continuity steering group as deliverables (subject to regular review or amendment on meaningful change to the organization).
The stage is now set, and this will inform the scope of the business continuity management system (BCMS).
- As part of the programme of work to deliver the BCMS the organization will create a Business Impact Analysis Implementation Plan.
- The BIA implementation will analyse the processes, activities, resources and any external dependencies that deliver the organization's products and services, in order to deliver the desired recovery outcomes in terms of time and recovery status as defined by top management.
- Process owners, activity owners and resource owners will undertake a BIA with quantified adverse impacts to establish the relationship between top management’s parameters and process, activity, and resource recovery parameters.
- Tolerances will adhere to top management's tolerances and to the minimum business continuity objective (MBCO) for recovery capability.
Consolidated analysis
- All BIA outputs will be consolidated into a final analysis and offered in a report to top management to substantiate that operational tolerances and recovery levels are credible, complete, reasonable, sufficiently accurate and justifiable, using quantified adverse impacts (over a timeline) that allow for challenge.
- Business continuity requirements (tolerances, time objectives, including restoration of data points and the minimum capacity of levels of service acceptable to top management) are analysed as a consolidated position before designing strategies and solutions to deliver them cost effectively and within top management’s risk appetite.
Quantifiable adverse impacts
I am not suggesting that everything has to be financially costed; however, I am aware of organizations that associate adverse impacts with a costed deterioration of elements of the organization. It is therefore, with sufficient effort, possible to quantify adverse impacts.
Cost to serve
My experience in managing a procurement department was such that I had to understand the “cost to serve” the organization measured against the benefits (value for money) provided by procurement. This led to positive operating targets and outcomes.
A call centre will have positive operating targets in terms of dealing with inbound calls e.g. timings, satisfaction surveys, or lowering the number of complaints.
The problematic measuring of reputational down-turn
Stating that you receive negativity (press, social media, etc.) is, for me, only part of the perceived impact; I ask the question "so what?" This leads to a loss of future sales, profit, business development targets, funding of the organization and so on. How does the impact manifest itself in an adverse way?
Am I making it too difficult or more realistic in terms of analysis?
I can almost hear the push-back: how could I possibly know this when I undertake a BIA? A sufficiently accurate and justifiable indicative estimate is, firstly, more accurate and realistic than Red, Amber, Green or High, Medium and Low.
Secondly, it is also more likely to be subjected to a genuine challenge as justification for choosing noticeably short MTPDs and even shorter RTOs with an unrealistic 100% recovery cited as the MBCO (assuming you stipulate one).
It is more likely to be a true reflection if it is grounded in the stated, signed-off desires of top management through a top-down delivery.
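The consolidated-analysis step described above (process-level BIAs checked against top management's signed-off tolerances) and the challenge just raised (short MTPDs, shorter RTOs and a 100% recovery cited as the MBCO) can be made concrete with a small script. The following is an added example, not code from the article or from the BCI; every figure in it is constructed, and it assumes that each process owner has quantified adverse impact as a money-per-day step function over the incident timeline and that top management's risk appetite is expressed as a cap on cumulative impact per product or service.

```python
"""Top-down BIA consolidation check (illustrative example, not the article's own method).

Assumptions (all constructed for this example):
- top management has signed off, per product or service, a maximum tolerable
  cumulative adverse impact (money units, derived from risk appetite), an MTPD
  in days and an MBCO below 100% of normal service;
- each supporting process has a BIA expressing adverse impact as a daily rate
  over the outage timeline, plus the RTO and recovery level its owner claims.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProductTolerance:
    """Top management's signed-off parameters for one product or service."""
    name: str
    max_tolerable_impact: float  # cumulative adverse impact accepted before it becomes unacceptable
    mtpd_days: int               # maximum tolerable period of disruption as signed off
    mbco_pct: float              # minimum level of service accepted on recovery (< 100)


@dataclass
class ProcessBIA:
    """A process owner's BIA with adverse impact quantified per day of outage."""
    name: str
    product: str
    daily_impact: List[float]    # adverse impact incurred on each day of disruption
    rto_days: int                # recovery time objective claimed by the owner
    recovery_pct: float          # level of service the owner claims to recover to


def step_rates(horizon: int, steps: List[Tuple[int, float]]) -> List[float]:
    """Expand (from_day, daily_rate) steps into a per-day list of length `horizon`."""
    rates = [0.0] * horizon
    for i, (start, rate) in enumerate(steps):
        end = steps[i + 1][0] if i + 1 < len(steps) else horizon
        for day in range(start, min(end, horizon)):
            rates[day] = rate
    return rates


def tolerable_days(daily: List[float], tolerance: float) -> Optional[int]:
    """Number of full days of disruption whose cumulative impact stays within tolerance.

    Returns None if the tolerance is never exceeded inside the analysed horizon,
    which itself is a finding: the figures do not justify any MTPD.
    """
    total = 0.0
    for day, impact in enumerate(daily, start=1):
        total += impact
        if total > tolerance:
            return day - 1
    return None


def consolidate(products: List[ProductTolerance], bias: List[ProcessBIA]) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs where process BIAs conflict with top management's parameters."""
    findings = []
    for p in products:
        owned = [b for b in bias if b.product == p.name]
        if not owned:
            findings.append((p.name, "no process BIA supports this product"))
            continue
        # Sum the quantified impact of every supporting process, day by day.
        horizon = max(len(b.daily_impact) for b in owned)
        combined = [sum(b.daily_impact[d] for b in owned if d < len(b.daily_impact)) for d in range(horizon)]
        supported = tolerable_days(combined, p.max_tolerable_impact)
        if supported is None:
            findings.append((p.name, f"tolerance not exceeded within {horizon} days; MTPD of {p.mtpd_days} days is unjustified"))
        elif supported < p.mtpd_days:
            findings.append((p.name, f"tolerance breached after {supported} days, before signed-off MTPD of {p.mtpd_days} days"))
        elif supported > p.mtpd_days:
            findings.append((p.name, f"quantified impact supports an MTPD of {supported} days; signed-off MTPD of {p.mtpd_days} days looks too short"))
        for b in owned:
            if b.rto_days >= p.mtpd_days:
                findings.append((b.name, f"RTO of {b.rto_days} days is not inside MTPD of {p.mtpd_days} days"))
            if b.recovery_pct >= 100:
                findings.append((b.name, f"100% recovery claimed; top management's MBCO is {p.mbco_pct:g}%"))
            elif b.recovery_pct < p.mbco_pct:
                findings.append((b.name, f"recovery to {b.recovery_pct:g}% is below MBCO of {p.mbco_pct:g}%"))
    return findings


# Constructed sample data: two products signed off by top management and three process BIAs.
HORIZON = 14
PRODUCTS = [
    ProductTolerance("Order fulfilment", max_tolerable_impact=80_000.0, mtpd_days=5, mbco_pct=60.0),
    ProductTolerance("Customer helpline", max_tolerable_impact=5_000.0, mtpd_days=5, mbco_pct=70.0),
]
BIAS = [
    ProcessBIA("Warehouse picking", "Order fulfilment", step_rates(HORIZON, [(0, 5_000.0), (3, 12_000.0)]), rto_days=3, recovery_pct=75.0),
    ProcessBIA("Payment processing", "Order fulfilment", step_rates(HORIZON, [(0, 2_000.0), (7, 6_000.0)]), rto_days=1, recovery_pct=100.0),
    ProcessBIA("Inbound call handling", "Customer helpline", step_rates(HORIZON, [(0, 1_500.0), (5, 4_000.0)]), rto_days=5, recovery_pct=70.0),
]

if __name__ == "__main__":
    for subject, finding in consolidate(PRODUCTS, BIAS):
        print(f"{subject}: {finding}")
```

Run as-is, the script reports four challenges for top management's review: one product's signed-off MTPD is shorter than its own quantified impact justifies, the other's tolerance is breached before its MTPD is reached, one process RTO sits on the MTPD rather than inside it, and one owner has claimed 100% recovery against a 60% MBCO. The point is not the arithmetic but that every line in the report can be argued with, which a colour code cannot.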
AI’s real role
We should not outsource the concept of the BIA and subsequently the BCP to an AI-driven piece of software to simply make you compliant to a standard. This may seem to be efficient, reduce the need for human interaction, and save time and cost; however, it will simply reinforce box ticking and a lack of real analysis.
Where AI can help is in the knowledge it can derive from a data lake of information that will offer the organization quantifiable adverse impacts.
Yes, garbage in, garbage out (GIGO) is a real thing, and bad actors can poison data lakes; these are issues to be dealt with going forward when using AI.
My question is: are poor, unrealistic, colour coded, subjectively described adverse impacts, delivering any value whatsoever when undertaking a BIA? Does it merely tick the box and provide compliance because in your BC policy you have stated that you align to ISO 22301:2019?
Are your BIAs perceived as analysis or simply evidence to satisfy an audit?
If you "seed" the BIAs out to AI, it will no doubt lead to less effort by the organization and more tick-box compliance.
Compliance versus resilience
If your organization only wants to be compliant, and not cost-effectively efficient and resilient, then AI will offer this, though it may come with other threats such as data poisoning and even more inaccuracy.
A true BIA is analytical in nature; true resilience and capability can only exist effectively if they emanate from a top-down approach.
A BIA need not be a huge spreadsheet; indeed, it would be better if it were more analytical in a real sense.
If we continue to talk of criticality, utilise colour codes and subjective descriptors without any real analysis of adverse impacts, working from a bottom-up approach, then the phrase attributed to Henry Ford, the American industrialist and business magnate, holds true: "If you always do what you've always done, you'll always get what you've always got."
Don't throw away the champagne and the cork; don't over-rely on AI as a "silver bullet." Human intelligence is required to understand what is unacceptable in terms of impact and time (MTPD) and what is acceptable (RTO), bonded together with a desired capability to recover to a stable, sustainable state (less than 100%).
The BCI offers a two-day training course as advanced training following a successful certification course (CBCI).
Let's keep it real: stop ticking the compliance box and do not lose human intelligence in the analysis.
