Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means for laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in attempt to help remove barriers to obtaining support and contributes to the creation of the business case for performing the BIA in any organization.
If you would like to learn more about the purpose and expected outcomes of the BIA, please check out: The Relationship Between the Business Impact Analysis and Risk Assessment.
BIA Myths – Dispelled
In order to build the business case for performing a BIA, we must first dispel the myths associated with the BIA process and its relationship to business continuity planning.
- Business continuity plans can be created without a BIA
Business continuity plans are actionable documents designed to enable organizations to execute their business continuity strategies. Business continuity strategies are developed to meet business requirements during downtime. Business continuity requirements (recovery time and recovery point objectives), quality of output at the recovery time objective, capacity to deliver outputs at the recovery time objective compared to normal operations, and resource needs for the recovery process all must be gathered, analyzed, and agreed to – a process normally referred to as the BIA. In short, realistic and effective business continuity plans cannot – should not – be developed without performing a business impact analysis.
- IT disaster recovery plans can be identified without a BIA
Similarly to business continuity plans, IT disaster recovery plans are technical documents designed to enable organizations to execute IT disaster recovery strategies. IT disaster recovery strategies enable IT to meet business requirements during an IT outage. Without an effective requirements gathering process, IT disaster recovery plans and strategies will not align to business requirements – leaving IT operating in a silo and detached from business objectives.
- BIAs are expensive, time consuming, and require too much effort from the business
When scoped correctly, the BIA actually saves organizations time, effort, and resources. One of the primary outcomes of the BIA is the identification of the resources necessary to deliver the organization’s most important products and services. By focusing on protecting against the loss of key resources, or investing in strategies to enable recovery following the loss of key resources, organizations can ensure that the right resources are protected and the organization invests in the right level of planning.
- Identifying the impact of downtime provides no guidance to the organization
This argument could not be further from the truth; however, it has been made in a few forums following a post regarding the relationship between the BIA and risk assessment, so I will address it. Because organizations cannot “boil the ocean” and spend endless resources to protect every business activity and dependent resource, understanding downtime implications assist the organization in prioritizing risk mitigation activities and business continuity strategies and capabilities. Again, this ensures the right level of preparedness.
- The BIA is a flawed process because questionnaires rarely enable the collection of good data
Many business continuity professionals equate a BIA with a series of questionnaires. Although questionnaires can be an appropriate method to collect discrete BIA data, it is often an insufficient method for gathering the entire gamut of business information necessary to enable business continuity planning. Instead, we recommend using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) in order to deliver actionable results in a cost-effective manner.
The Real Value Proposition
Having addressed some of the myths and objections associated with performing the BIA, we can focus on the true value that the BIA provides.
- Enable proper spend on business continuity strategies and capabilities
One of the most valuable aspects associated with the BIA is the estimation of impacts tied to downtime. Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts of downtime enables the organization to develop the business case and appropriate justification for the prioritization of business activities and supporting resources (which is often expressed by assigning recovery objectives). If recovery objectives are properly vetted and approved by management, the organization is set-up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in appropriate spend.
- Identification of legal, regulatory, and contractual requirements and obligations
Many organizations do not have a clear, unified understanding of external stakeholder business continuity requirements. In fact, it is very rare to see any entity within an organization that has a grasp of what is required of the organization during a disruptive incident, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to have a thorough understanding of these requirements and to enable the appropriate level of business continuity planning.
- Confirmation or modification of business continuity program scope
As mentioned, the BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding the organization’s dependencies and interdependencies, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding the impacts of downtime of those activities and resources, the organization can identify which critical activities need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
- Capture preliminary business continuity plan content
The BIA can be leveraged as a tool to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to understand key plan components, such as existing controls and recovery strategies, key teams and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to key stakeholders (as opposed to starting with a blank template).
Implications of Not Performing a BIA
When organizations choose not to perform a BIA, a few common performance issues occur which have widespread implications on the effectiveness of the business continuity planning effort as a whole.
- Subjective recovery objectives and confusion regarding recovery priorities
Without a formal BIA process, the organization will lack focus and objectivity in assigning priorities and recovery objectives. Without management-approved recovery objectives, different organizational entities will have different priorities, leading to confusion regarding what capabilities to invest in and prioritize for implementation. For example, IT will lack necessary data and justification for assigning recovery objectives and investing in disaster recovery capabilities.
- Capability gaps and inaccurate program scope
Lack of a top-down program scoping and BIA process leads to misalignment between management’s expectations and program performance. Implementing strategies and plans without approved requirements can lead to under preparing and/or over spending, which could lead to gaps in business continuity capabilities. In addition, without fully understanding the business before implementing strategies, the organization may become aware of risks and gaps as the program matures, leading to steady, ad hoc scope increases – ultimately resulting in inefficiencies and over or under spending in capabilities.
- Lack of justification for investment in preparedness
Many organizations attempt to implement business continuity programs, but cannot connect with management to gain necessary traction for the program. The BIA begins to answer the questions that management is asking – what are our business continuity requirements and how much do we need to invest to get there? Without the BIA, the organization simply cannot thoroughly answer this question.
Save your organization from wasting time, resources, and effort by performing a business impact analysis. If done properly, the BIA will enable the organization to invest in the right level of preparedness – ultimately protecting the delivery of the organization’s most important products and services.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for assistance with your business impact analysis and risk assessment, we can help! Please contact us today to discuss your unique needs.
Avalution Consulting: Business Continuity Consulting