This article provides an overview of GPG Professional Practice 3 (PP3) – Analysis, which is the professional practice that “reviews and assesses an organization in terms of what its objectives are, how it functions, and the constraints of the environment in which it operates”.
PP3 introduces and addresses the business impact analysis (BIA) as a primary means of analysis, leading to appropriate business continuity requirements. PP3 identifies the following beneficial outcomes from the BIA:
- Identify, qualify, and quantify the impacts in a time of loss, interruption, or disruption of business activities.
- Provide the data from which appropriate business continuity strategies can be determined.
PP3 also introduces threat evaluation techniques designed to assist organizations in evaluating the potential impacts from known threats and the likelihood of each specific threat occurring. PP3 recommends identifying threats and conducting a threat assessment as part of the business continuity planning lifecycle, but notes that additional risk assessment activities may be performed at higher levels within an organization. While PP3 and ISO 22301 generally align in terms of the BIA process, ISO 22301 advocates for a business continuity specific “all-hazards” risk assessment approach that requires an organization to identify risks of disruption to prioritized activities and the processes and resources that support them.
The table below illustrates the relationship between PP3 and ISO 22301; the remainder of this section provides an overview of the phases or stages of a BIA, as described in PP3, and also discusses the threat and risk assessments.
STAGES 1 AND 2: THE INITIAL AND STRATEGIC BIAs
PP3 describes the initial BIA as a method to develop an analysis framework for the business and a tool to clarify scope. The minimum objective is to identify the products/services, processes, and activities within the organizational structure; PP3 identifies the initial BIA as an essential activity for organizations that have not previously performed a BIA.
The Strategic BIA expands upon the Initial BIA by prioritizing an organization’s products/services. Essentially, the Strategic BIA identifies and analyzes the impacts to an organization resulting from an interruption to each product/service and establishes a Maximum Tolerable Period of Disruption (MTPD) for each identified product/service.
The MTPD is the time it would take for impacts to become unacceptable and provides a simple metric by which to prioritize an organization’s products/services. The Strategic BIA may also establish a minimum business continuity objective, or the minimum level of product/service delivery that is acceptable during a disruptive incident.
Avalution has found that it is almost always possible (and often the most effective approach) to combine the Initial and Strategic BIAs into a single effort. To gather the data required to complete the initial and strategic BIAs, business continuity practitioners can leverage a number of techniques. Avalution recommends direct engagement with senior-level leaders to identify and validate products/services and engagement with representatives from an organization’s key functional areas or departments to catalog a complete list of processes or business areas involved in the delivery of the identified products/services. Questionnaires can supplement these engagements and are useful for identifying the potential impacts of a disruptive incident and reaching a conclusion regarding the MTPD.
Upon completion of the Initial and Strategic BIAs, an organization should finalize scope for the business continuity planning effort by defining which products/services will be further analyzed as part of the Tactical and Operational BIAs.
STAGES 3 AND 4: THE TACTICAL AND OPERATIONAL BIAs
Note: Throughout the GPGs, “tactical” refers to the level of an organization where operations are coordinated and managed, and “operational” refers to the level of an organization where activities are undertaken.
As with the Initial and Strategic BIAs, Avalution has found that it is possible, and often beneficial, to combine the Tactical and Operational BIAs into a single effort. PP3 describes the Tactical BIA as an analysis of the activities that deliver an organization's products/services and the Operational BIA as an assessment of each activity's supporting resources.
Avalution recommends that business continuity practitioners engage directly with department (in some organizations, business function) or “tactical” level representatives in an interview format to assess the activities and resources required for product/service delivery. This engagement should be limited by the scope established during the Initial and Strategic BIAs.
In order to effectively assess and prioritize activities and resources, the Tactical and Operational BIAs must go beyond a simple cataloging exercise and should include thorough analysis of the impacts to the organization resulting from an interruption to each activity. Additionally, business continuity practitioners should establish the relationship between each activity and its supporting resources, and establish resource-level recovery objectives.
The output of the Tactical and Operational BIAs is a recommended recovery objective for each in-scope activity and resource. Traditionally, recovery objectives take the form of recovery time objectives (RTO, the target time by which an activity or resource must be resumed) and recovery point objectives (RPO, the maximum acceptable data loss, expressed as the age of the last recoverable state). As noted in the GPGs, the recovery objectives assigned during the Tactical and Operational BIAs should align with the MTPD of the related products/services, taking into account the time it takes to resume each activity. Said another way, recovery objectives at the activity and resource level will generally need to be shorter than the MTPD of the associated product/service, because time is also consumed resuming operations, completing the associated process, and delivering a beneficial output.
ADDITIONAL ANALYSIS – VULNERABILITY ASSESSMENT
As previously outlined, PP3 and ISO 22301 take differing approaches to assessing vulnerability. PP3 uses threats as a basis for assessment while ISO 22301 takes an all-hazards approach to assessing risk. Avalution recommends that organizations use an all-hazards risk assessment approach where possible to avoid unnecessarily restricting the scope of the Analysis phase. To employ this approach, organizations should assemble an inventory or list of the resources identified during the BIA and determine the likelihood of disruption to each resource, as well as the potential impacts to an organization resulting from a disruptive incident. To maximize time and resources, business continuity practitioners can gather some risk assessment data during the BIA process. For more information on this approach, see our perspective on the relationship between the BIA and risk assessment.
Regardless of the base methodology chosen (threat or all-hazards), organizations can use a similar approach to calculating an overall risk value and prioritizing risk treatment options. PP3 recommends that organizations determine a risk assessment scoring system for impacts and likelihood – a fairly common approach is to assign numerical values to likelihood and impact categories, assign an impact and likelihood score to each risk based on these categories, and then multiply the scores together to determine an overall risk rating. This approach allows an organization to quantify, qualify, and prioritize risk treatment opportunities.
As the primary process for business continuity analysis, PP3 delivers significant value to an organization. Taken as a whole, the BIA and risk (or threat) assessment set the strategic direction for all future business continuity planning activities, clarify and finalize scope, and define recovery objectives at various levels of the organization. BIA-defined recovery objectives serve as the basis for future-state strategy identification and plan development efforts, and the risk assessment helps to prioritize risk treatment enhancements. As such, an organization's analysis process must provide adequate information to identify and select appropriate business continuity strategies, as well as the business justification for these strategies.
Business continuity strategies often require significant financial investment, and management is unlikely to approve these investments without the appropriate business justification.
For organizations with existing business continuity plans, capabilities, and/or procedures, the BIA also enables business continuity practitioners to compare BIA-defined recovery objectives to current business continuity capabilities. This approach, commonly referred to as a gap analysis, illustrates differences between capabilities and requirements and can serve as an effective tool for identifying improvement opportunities and areas of significant risk.
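The three checks described above (activity-level recovery objectives fitting inside the product/service MTPD, a likelihood-times-impact risk rating for each resource, and a gap analysis of BIA-defined objectives against current capability) can be expressed as a short script. The following is an added example written for this article, not Avalution's or the BCI's own tooling; the 1-5 category scales, the dataclasses, and the Organization X-style sample data are all assumptions made for illustration.

```python
"""Added example (not Avalution's or the BCI's tooling): a minimal model of the
Analysis-phase outputs discussed above. It (1) flags activities whose RTO plus
completion time exceeds the MTPD of the product/service they support,
(2) rates each resource's disruption risk as likelihood x impact, and
(3) runs a gap analysis of BIA-defined RTOs against current capability.
All scales, names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed 1-5 category scales; PP3 leaves the scoring system to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Product:
    name: str
    mtpd_hours: int          # Maximum Tolerable Period of Disruption


@dataclass
class Activity:
    name: str
    product: str             # product/service this activity helps deliver
    rto_hours: int           # target time to have the activity running again
    completion_hours: int    # time from resumption to a beneficial output


@dataclass
class Resource:
    name: str
    activities: list         # activities that depend on this resource
    rto_hours: int           # BIA-defined recovery time objective
    rpo_hours: int           # BIA-defined recovery point objective
    current_rto_hours: int   # what existing capabilities can actually deliver
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT


def risk_rating(likelihood: str, impact: str) -> int:
    """PP3-style overall risk rating: likelihood score times impact score."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def mtpd_violations(activities, products):
    """Activities whose RTO plus completion time exceeds the product's MTPD.
    Returns (activity name, longest RTO that would still fit) pairs."""
    mtpd_by_product = {p.name: p.mtpd_hours for p in products}
    violations = []
    for a in activities:
        mtpd = mtpd_by_product[a.product]
        if a.rto_hours + a.completion_hours > mtpd:
            violations.append((a.name, mtpd - a.completion_hours))
    return violations


def prioritized_risks(resources):
    """(rating, resource name) pairs, highest rating first, ties by name."""
    rated = [(risk_rating(r.likelihood, r.impact), r.name) for r in resources]
    return sorted(rated, key=lambda t: (-t[0], t[1]))


def gap_analysis(resources):
    """Resources whose current capability misses the BIA-defined RTO,
    with the shortfall in hours."""
    return [(r.name, r.current_rto_hours - r.rto_hours)
            for r in resources if r.current_rto_hours > r.rto_hours]


def sample_data():
    """Constructed data loosely modelled on the Organization X case study."""
    products = [Product("Analytics platform", mtpd_hours=24)]
    activities = [
        Activity("Customer support", "Analytics platform", rto_hours=4, completion_hours=1),
        Activity("Report generation", "Analytics platform", rto_hours=20, completion_hours=8),
    ]
    resources = [
        Resource("VPN gateway", ["Customer support"], 4, 0, 48, "possible", "major"),
        Resource("Call center site", ["Customer support"], 4, 0, 72, "unlikely", "severe"),
        Resource("Analytics DB", ["Report generation"], 12, 1, 8, "possible", "severe"),
    ]
    return products, activities, resources


if __name__ == "__main__":
    products, activities, resources = sample_data()
    print("MTPD violations:", mtpd_violations(activities, products))
    print("Risk priority:  ", prioritized_risks(resources))
    print("Capability gaps:", gap_analysis(resources))
```

In the sample data, "Report generation" fails the MTPD check because 20 hours to resume plus 8 hours to produce output exceeds the 24-hour MTPD, so its RTO would need to be 16 hours or less; the VPN gateway and call center site show up as capability gaps, which is the kind of finding that motivated Organization X's remote-work and secondary-site investments in the case study below.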
PP3 CASE STUDY
Organizations often initiate business continuity planning efforts due to stakeholder requirements. In this context, stakeholders could include customers, regulators, business partners, and/or investors. In order to meet these requirements and implement appropriate business continuity strategies, it is necessary to analyze the consequences of a disruptive incident on an organization and prioritize products/services, activities, and resources for recovery. In other words, an organization needs to perform a BIA (and potentially a risk or threat assessment).
Organization X is a software vendor that delivers critical on-demand business intelligence and analytics solutions for health-insurance vendors. Due to the regulatory and financial implications of an interruption to Organization X's services, its customers have requested that Organization X implement a business continuity program that is capable of restoring critical business operations within 24 hours of a disruptive incident. In order to understand the implications of a disruptive incident and the products/services required to meet customer expectations, Organization X performed a BIA and risk assessment. First, the organization identified the products/services required to maintain customer-facing operations and assigned an MTPD to each. Products/services not required to maintain existing services were eliminated from the "year one" scope.
Based on the scope established during this Initial/Strategic BIA, Organization X engaged with in-scope department leaders from across the enterprise to assess and prioritize activities and resources for recovery. This approach enabled Organization X to make recommendations to management regarding the business continuity strategies required to meet customer expectations and contractual obligations following the onset of a disruptive incident. Following the completion of the BIA, Organization X’s management provided funding for key employees to work remotely (procured additional laptops and expanded VPN capacity), tentatively approved plans to build a secondary call center in a different geographic region (instead of expanding the existing call center), and made plans to implement a more aggressive IT disaster recovery strategy. Organization X also used the structure from the BIA to implement a response and recovery framework and document business continuity plans for in-scope departments.
Organization X's management had previously been reluctant to invest in business continuity strategies; however, the BIA provided sufficient business justification for the investment. Additionally, by leveraging principles from the GPGs' Initial and Strategic BIAs, Organization X was able to limit the scope of the business continuity planning effort appropriately. If Organization X wishes to expand business continuity planning to other areas of the organization over time, the framework is in place to do so.
Based on the outputs of the BIA, Organization X is now capable of meeting stakeholder expectations leading up to, during, and after a disruptive incident. Additionally, Organization X has seen an increase in new contracts due to their ability to more effectively meet customers’ business continuity expectations and requirements.
PP3 – Analysis is a foundational business continuity activity because it clarifies the scope of the business continuity planning effort and seeks to prioritize the products/services, activities, and resources required for an organization to continue business operations following the onset of a disruptive incident. The Analysis phase, which primarily consists of the BIA, serves as the primary input and provides appropriate justification for future-state business continuity strategy identification efforts.
PP3 expands on the requirements defined in ISO 22301 and provides business continuity practitioners with a “how-to” guide for the Analysis phase of the business continuity planning effort. Applying the principles found in these documents enables business continuity practitioners to effectively define recovery requirements and implement appropriate and effective business continuity solutions.
If you’d like to discuss the GPGs, or aligning to ISO 22301 or pursuing certification, please reach out to us. We look forward to hearing from you!
- The BCI’s Good Practice Guidelines
- ISO 22301:2012
- Implementing ISO 22301: The Business Continuity Management Systems Standard
ISO/TS 22317 (the first and only international standard solely addressing the business impact analysis) was officially released on September 17, 2015. Check out the following resources to learn more:
- Introducing ISO 22317 – The Business Impact Analysis Standard
- ISO 22317 – Societal Security – Business Continuity Management Systems – Business Impact Analysis
- Introduction: BCI Good Practice Guidelines Series
- The Need to Establish Business Continuity Governance: An Overview of BCI Professional Practice 1
- The Importance of Embedding Business Continuity: An Overview of BCI Professional Practice 2
- Business Continuity Strategy Design: An Overview of BCI Professional Practice 4
- Business Continuity Implementation: An Overview of BCI Professional Practice 5
- Business Continuity Program Validation: An Overview of BCI Professional Practice 6
Avalution Consulting: Business Continuity Consulting