Throwing the BIA Baby Out with Bathwater?
‘Do not throw the baby out with the bathwater’, an old German proverb, the earliest record of which is ascribed to satirist Thomas Murner in 1512. referring to discarding the essential while retaining the superfluous because of excessive zeal.
The English version being ‘do not throw the champagne out with the cork’- appropriately said by Lily Bollinger.
With the advent of artificial intelligence and the rush and the zeal to make it the “silver bullet” (something that cures a severe problem quickly) the problem being, the perception that the Business Impact Analysis (BIA) is a worthless endeavour. The role of AI could and should be to bring the BIA to life by providing genuine analysis, but this is a big topic that warrants further coverage at a later date. Before I continue, I would like to attribute some of my thinking on this topic to my friend and mentor Mr Ian Charters Hon FBCI. Who has influenced me and debated with me on this very topic over the years.
Some historical context if I may, over twenty years ago, I was tasked with the role of Corporate Business Continuity Manager for a large organisation as their chosen expert on the subject, based on the fact that I was the only person they knew that had read and understood the current version of good practice in BCM (publicly available specification 56) the predecessor to BS25999[1] and ultimately the international standard and good practice guidelines.
My confession here is that I was a novice eager to learn and develop what I now know to be a Business Continuity Management System. As an organisation there was an obligation to do this.
So, how to go about it? Employ external experts, who arrived with pre-created software which contained the business impact analysis, my first introduction to this concept and training from the consultant on how to operate the system and the inputs and outputs to the BIA.
Software compliant with the current thinking at the time and software that would provide compliance, but not necessarily competence.
The BIA was a huge questionnaire that took some time to complete and frankly the skill was to try and provide a good reason to do it.
I understood the concept, but the truth was that it was time consuming and largely became a list of resources (a wish list) with some arbitrary guesses on acronyms that were poorly understood, these being the Recovery Time Objective (RTO) and the Maximum Tolerable Period of Disruption (MTPD). Terminology we still use today, in current standards and good practice guidelines. Terms that I must explain most weeks as a BCI approved tutor.
Most people may know that the concept began as a method used in prioritising responses in information technology as it was then (digital).
In early BCI Good Practice Guidelines, there were three distinct levels of business impact analysis, the Strategic, Tactical and Operational BIAs. Which lead to the development and design of strategies and tactics and compiling operational resource requirements (and how to obtain them).
This then logically fed into the creation of a response hierarchy at, you guessed it, strategic, tactical, and operational levels, which included strategic, tactical, and operational business continuity plans (BCPs).
Infinitely logical in my view, which then led to rehearsing and exercising strategic, tactical, and operational BCPs. A consistent approach I believe, which some organisations have retained in terms of nomenclature even now.
The simple plain English version (for me at least) is that there is a need to understand the Top Management’s aspirations and tolerances at a strategic level and compare this with the aspirational capability at the operational level.
As good practice developed there was a recognition that it was extremely unlikely that the Top Management Team would indulge in this level of activity, preferring to push this down to operations, something you may recognise today.
This led to the concept of “The Initial BIA” as the title suggests, it precedes the strategic level Top Management BIA which then morphed into a Products and Service BIA.
So, let’s go back to plain English, Top Management rarely if ever engage in undertaking a BIA, however if you undertake the analysis for them and submit it as a report to them, they will take the time to contradict the report, inadvertently undertaking the strategic level BIA.
In the transition between Good Practice Guideline 2018 and the latest Version 7 [2] the concept of the “Initial BIA” has disappeared, but read a little closer and there, hiding in plain sight, is a high-level initial analysis, which may contain previous BIAs.
At this point I would like to mention something undervalued which is the “Final Analysis” which has been present for many years, now called the “Consolidated BIA”, something I will return to in part three of this series.
So, once upon a time 3 levels of BIA, then 4 levels of BIA 5 if you include the final analysis, today, officially 3 levels of BIA, the Products and Services, Process and Activity levels (not forgetting the high- level analysis and the final consolidated analysis, so, possibly 5).
At this point I imagine you thinking, is it really that complicated and is there any wonder that the reputation of the BIA suffers badly. Let us just obtain some compliant software and tick that box.
Who is involved?
So, who undertakes this huge task in strict accordance with good practice? The answer is hardly anyone.
Who is said to take part in this venture: Top Management for the Product and Services BIA, Process owners for the Process BIA (said to be optional) and Activity owners for the activity BIA.
However, we now see the emergence of “Resource Owners” – this is expanded on in parts two and three of this series.
Who creates the consolidated position? You, the BC Professional. We have to say at this point, this all seems a very daunting task does it not?
So, first understand the Top Management tolerances for disruption and their aspirations regarding the recovery capability of the operations as a minimum (a minimum business continuity objective MBCO). In effect what are your priorities, expectations and why?
Then cascade downwards asking those who manage processes, activities, and resources to set appropriate tolerances and objectives to achieve the wishes of Top Management. Already this sounds more efficient.
Imagine if you will, an organisation with two products and services, delivered through six processes and supported by fifty operational activities and a series of resource owners.
I will add to the complexity here by including externally provided products, services, process, activities, and resources (covered in the three-part article on supply chain resilience[3]). This I have experienced in a previous organisation.
For anyone now thinking, ‘but we have hundreds of products and services’, let us not forget that good practice is to group them into a more manageable number.
So, I believe I have now set the stage to develop this further, to discuss how the BIA can be undertaken and add value and to prove its worth before there is a rush to use AI to undertake your BIAs and take away that burden even further.
To conclude part 1 ask yourselves, have we been complicit in developing the BIA to tick a compliance box, promote software and thereby take away the burdensome BIAs reducing them even further in value by outsourcing this to AI going forward?
In part 2 I will endeavour to bring back the true intelligence of the use of analysis of the business in terms of impacts (over time) to ascertain tolerances and time and service objectives in terms of time and service levels. This piece takes a deeper dive into analysing top management’s objectives, analysing impacts over time, and looking at the BIA as an analysis undertaken by the people with the right knowledge.
Learn more about the BCI Business Impact Analysis Training Course
More on
About the author
David Window
Managing Consultant
