Business continuity professionals often perform a business impact analysis (BIA) as one of the first steps in establishing their organization’s business continuity program or management system. The scope of the BIA (and the business continuity program as a whole) is commonly determined by reviewing an organizational chart and establishing a one to one relationship between departments and BIAs. While this is a very comprehensive approach, it can be very time consuming and unnecessarily drain valuable resources. In addition, the results of this process (e.g. recovery objectives) are typically subjective and lacking in cohesiveness with management objectives.
While the previous school of thought was to perform a BIA in order to determine program scope and objectives, current practices indicate that the BIA should follow the establishment of program-level objectives and priorities using a top-down approach. Utilizing “top management” to establish the business continuity program will lead to closer alignment between the program and the organization’s strategy.
Instead of utilizing a grassroots approach to execute the BIA, a management-directed approach will lead to more meaningful results, including recovery objectives within management-approved constraints and parameters that align to organizational risk tolerance.
- Form a Group of Top Management Advisors
The first step a business continuity professional should take to establish an effective, long-lasting business continuity program is to gather support and input from the organization’s top management. Often referred to as a business continuity steering committee, this interdisciplinary group is primarily charged with overseeing program performance and ensuring the program aligns to organizational objectives and values. Utilizing a management systems approach, which is now found in most leading business continuity standards, will help ensure that top management is aware of and actively involved in the program, ensuring program alignment with the organization’s most strategic objectives.
- Establish the Scope of the Business Continuity Program (Identify the Organization’s Key Products and Services)
The next step in achieving meaningful BIA results (and, more broadly, establishing the business continuity program) is leading a discussion with the newly formed steering committee to determine the organization’s business continuity scope. The most cost-effective, efficient and aligned business continuity programs are scoped by identifying the organization’s key products and services and planning for their continuity and recovery. British Standard (BS) 25999 defines products and services as the “beneficial outcomes provided by an organization to its customers, recipients and stakeholders.” In other words, key products and services are the organization’s important outputs and value offerings – often driven by revenue (current and potential), reputation, regulatory requirements, societal benefit, and more.
In addition, following the identification of the organization’s key products and services, top management should assign each product/service with a maximum downtime tolerance (MDT), which is the maximum amount of time the organization is willing to tolerate the product or service being unavailable to the customer/stakeholder.
- Determine the Scope of the BIA Effort
After the business continuity steering committee assists with identifying the organization’s most important products and services, the business continuity professional can determine which departments/processes contribute to their delivery. Using this approach, only the departments/processes that contribute to and support the organization’s key products and services require a BIA.
- Define Recovery Objectives Using Management-Approved Parameters
The primary objective of a BIA is to estimate the qualitative and quantitative impacts that a loss of key departments/processes/resources would have on the organization’s ability to deliver its most important products and services, ultimately serving as justification for the assignment of recovery time objectives (RTOs). The RTO is the set time for recovery of a process/department/resource following a disruption in order to meet downtime tolerances. Thus, if Department A produces Product #1 (which has an MDT of 24 hours), Department A’s RTO must be less than 24 hours (depending on how long it takes to produce the critical product). Using this approach, all RTOs are determined using a common, objective calculation that aligns with management’s expectations.
- Present BIA Findings to Top Management
Following the BIA interview/questionnaire effort, a critical success factor is to analyze and summarize the BIA findings and present key conclusions and recommendations to management for review and approval. This allows management to understand and consider the findings from the BIA process, make any necessary changes to recovery objectives and confirm that the findings align to overall organizational objectives.
The key benefits associated with scoping and executing the BIA effort using the process explained above include:
- Organizationally Agreed Upon Parameters for Downtime Tolerances
By utilizing the cross-functional steering committee, top management can come to agreement on the objectives and parameters of the business continuity program, ultimately directing the business continuity effort toward protecting the organization’s top priorities. In addition, the steering committee’s agreement on and assignment of maximum downtime tolerances ensures that recovery capabilities are in alignment with organizational strategy.
- Objective Assignment of RTOs
The RTO calculation (maximum downtime tolerance – cycle time = RTO) not only ensures that the department/process can be recovered within management approved timeframes, but also ensures RTOs are objectively assigned and not influenced by middle management subjectivity. Ensuring the consistent assignment of non-biased recovery objectives allows a common thread between all processes/departments, avoiding the possibility of misidentifying a recovery objective, which could lead to missing management’s recovery expectations during an actual disruption or continuously over-spending on recovery solutions.
- Time and Resource Savings
In the current economic climate, nearly all organizations run efficient, lean operations. Oftentimes, business continuity is just one discipline that a professional has responsibility for in the organization’s overall preparedness effort. In addition, business continuity is just one program that top and middle management throughout the organization are involved in and responsible for. Due to this reality, it is important to ensure that business continuity processes are focused and the possibility of having to perform rework is avoided. The top-down BIA scoping approach ensures that the business continuity professional and other involved personnel do not have to perform unnecessary work that is out of scope. In addition, this approach ensures that the initial BIA effort is scoped to only include what top management has deemed as critical to achieving organizational objectives.
Overall, the processes and tips provided above ensure your organization establishes the scope of its BIA effort (and overall business continuity program) according to the organization’s overall strategy, priorities and objectives – ultimately ensuring the business continuity program aligns to management’s preparedness expectations.
Jacque Rupert, Senior Consultant
Avalution Consulting: Business Continuity Consulting