The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.
Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk.
Business Impact Analysis and Risk Assessment: Defined
To understand the relationship between the BIA and risk assessment, we must first have a common understanding and definition of the two processes.
Business Impact Analysis
Avalution defines the BIA as an identification and analysis of business processes/activities (including required resources), with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization.
Avalution defines the risk assessment as an identification and analysis of business risks that may affect an organization’s ability to deliver its most important products and services, with the objective of understanding the effectiveness of existing controls, as well as additional controls to decrease the likelihood or severity of a disruption.
On its surface, this definition may not appear to be controversial or even different from other professionals’ views; however, the difference lies in the term and definition of “business risk”. A business risk is not a threat (e.g. fire, flood, or hurricane); rather, a business risk is a situation that leads to a disruption in an organization’s ability to deliver products and services. Typically, these risks take the form of a loss of required resources, including personnel, facilities, equipment, suppliers, and technology. Said another way, a threat can lead to a business risk (e.g. a hurricane can cause a loss of facility access, or a pandemic can result in high absenteeism), but the business risk is not synonymous with the threat.
Why does it matter? We’ll explain.
Avalution believes that there is a major difference between a risk assessment and a threat assessment. Both serve beneficial purposes, but the terms should not be used interchangeably. A threat assessment is typically an inventory of all threats that may impact the organization. The conclusions drawn from a threat assessment may be beneficial during the planning process in order to highlight where threat-specific response and recovery procedures are warranted; however, when connecting with management, executives do not necessarily need or want a list of threats that could impact them. Based on feedback, executive managers typically already feel comfortable with their understanding of the potential threats that could impact them and their organizations, or they recognize that they cannot predict all threats (e.g. no one could have predicted or imagined the events on September 11th).
Business Impact Analysis and Risk Assessment: Outcomes
Now that we have defined the terms BIA and risk assessment (as well as threat assessment), the next section of this perspective outlines what Avalution views are the expected outcomes from these analytic efforts.
Business Impact Analysis
The major outcomes associated with the BIA, include (but are not necessarily limited to):
- Understanding of business processes/activities, including the business processes’:
- Customers (internal and external)
- Inputs (which enable the process to function, including resources and other internal and third-party dependencies)
- Understanding an estimation of the impact of downtime, which serves as business justification for establishing recovery objectives
- Identification of recovery objectives and a prioritized order of recovery for business processes and resources
- Collection of information that may help identify appropriate recovery strategies and document future plans (perhaps a secondary objective associated with the BIA)
Following the BIA, the organization should be positioned to identify the critical activities that contribute to the delivery of its most important products and services, list all resources needed for recovery, and prioritize activities and resources by recovery objective.
The major outcomes associated with the risk assessment include:
- Understanding of potential business risks, including their likelihood and impact
- Identification of existing controls, and potential control enhancements or new strategies to mitigate business risk by protecting resources (as to decrease the likelihood or severity associated with a disruptive incident)
Following the risk assessment, the organization should be able to list all business risks (prioritized by those that would have high impact and have a high probability of occurring), and a list of mitigating control options to address the business risks. For example, if a business activity is only performed in one location by a certain sub-set of personnel, the business risk would be an unavailability of that location or those personnel. Then, management would have the option of identifying an alternate location and/or alternate personnel to perform the business activity if the primary location and/or personnel were unavailable. Management can only protect necessary resources from disruption in order to lessen the impact of disruption; management cannot, in many circumstances, control the likelihood of a threat occurring.
Relationship Between the BIA and Risk Assessment (Order of Execution)
In addition to some disagreement among business continuity professionals regarding the BIA and risk assessment definitions and outcomes, disagreement also exists regarding the order of execution: whether it is best to perform the risk assessment before, during, or after the BIA. While many professionals argue that it is best to perform the risk assessment before the BIA to establish the risk landscape in which the organization operates, Avalution argues the opposite. First, we must agree on what has been stated:
- The outcomes of the BIA are:
- The identification of resources needed to perform business activities
- The understanding/estimation of impact of downtime
- The inputs into the risk assessment are:
- The identification of required resources that may be impacted by a wide variety of threats (known and unknown)
- An understanding of business impact, which contributes to the prioritization of future control enhancements and risk mitigation strategies
If those inputs and outputs are true, then performing a risk assessment before understanding impact or the identification of necessary resources would prove to be quite difficult. Thus, Avalution argues that risk assessments should be performed after the BIA (or at the very least, at the same time).
Nearly all business continuity professionals agree on the importance of the business impact analysis and risk assessment as foundational elements of all business continuity planning processes; however, this article presents Avalution’s view of the relationship between the BIA and risk assessment. Implementing an effective business continuity program enables organizations to mitigate business risk associated with disruptive incidents and thus be better prepared to respond to and recover from a loss of necessary resources. Without an understanding of potential impacts and resources established by the BIA, it would be difficult to understand the business risk of a loss of resources or identify mitigating controls to protect those resources from disruption. Avalution believes that performing a BIA and risk assessment using the approach discussed in this article enables organizations to prioritize the identification and implementation of business continuity strategies based on business strategy, obligations, and priorities.
Jacque Rupert, Managing Consultant
Avalution Consulting: Business Continuity Consulting