Introducing ISO 22317 – The Business Impact Analysis Standard

What Is ISO 22317?

The International Organization for Standardization (ISO) Technical Committee (TC) 292, the committee responsible for writing security, resilience, and business continuity standards, has released its latest document: ISO 22317 – Societal Security – Business Continuity Management Systems – Business Impact Analysis, the first and only international standard solely addressing the business impact analysis (BIA).

ISO 22317 was officially published on September 17, 2015.

There are a few important points to understand before reading ISO 22317:

We Just Did a BIA and Gap Analysis… Now What?

How to Perform an Effective Business Continuity Strategy Identification and Selection Effort

Reader Note: This article is a continuation of Avalution’s November 2014 article titled: We Just Did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap Analysis. If your organization has just finished a business impact analysis (BIA) and risk assessment but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.

Once an organization understands the gaps between business continuity requirements (as defined in the business impact analysis and risk assessment) and current capabilities, management can determine which gaps they wish to address through strategy selection – either through risk mitigation or resource-specific recovery methods. Determining methods to decrease the likelihood of a disruptive incident reduces the potential that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organization’s brand and financial position (among other assets).

We Just Did a BIA and Risk Assessment… Now What?

How to Perform an Effective Business Continuity Gap Analysis

Following a business impact analysis (BIA) and risk assessment, best practices indicate that an organization should identify business continuity strategies that allow the organization to treat risks and recover business activities in accordance with management-approved requirements. This seems like a simple task on paper; however, in practice, many organizations struggle to do this, and instead jump straight to documenting business continuity plans. In doing so, these plans fail to include the resources and strategies already in place, or the organization fails to acknowledge and address coverage gaps. This leads to a lost opportunity to identify new risk treatments or recovery strategies, ultimately resulting in plans with no real capability to respond and recover.

Establishing the Business Case for the Business Impact Analysis

Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means of laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in an attempt to help remove barriers to obtaining support, and contributes to the creation of the business case for performing the BIA in any organization.

The Relationship Between the Business Impact Analysis and Risk Assessment

Avalution’s Approach to Establish Business Continuity Requirements

The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.

Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk.

Bridging the Business Continuity and IT Disaster Recovery Gap

Increasing Coordination Between the Business and IT in Preparedness Activities

One of the most common questions we receive at Avalution is, “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?” We have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements. This article provides recommendations on how the business and IT can work more seamlessly toward the “right” level of preparedness for your organization.

Hospital Response and Recovery During Disasters: Extending Emergency Management’s Role in the Response and Recovery Effort

Avalution’s March 2012 hospital perspective (Hospital Preparedness: The Intersection of HICS, Business Continuity and IT Disaster Recovery) discussed how hospitals can integrate siloed preparedness activities into a single, unified preparedness program. Since the article’s publication, Avalution has received a number of questions regarding how those involved in preparedness (emergency management, business continuity, and IT disaster recovery) should interact during a response and recovery effort, and who is responsible for responding to each type of event. This article aims to answer these questions.

Hospital Preparedness: The Intersection of HICS, Business Continuity and IT Disaster Recovery

The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures:

Force Majeure: What is it and How Does it Relate to Business Continuity?

We see a lot of confusion specific to the topic of force majeure. Often, executive management has the belief that force majeure clauses in their contracts protect them from a wide variety of disruptive events, and thus they may not invest appropriately in business continuity plans and strategies. However, the concept of force majeure is somewhat convoluted and often includes many variables. As a result, if an organization does not plan appropriately, it may actually be left unprotected and vulnerable to claims of breach of contract in the event of a disruption.

This article explores the history of force majeure and its current application in contract law.

Business Continuity Scoping: Why Products and Services?

A Business Continuity Scoping Approach That Contributes to Better Management Engagement and Prioritization of Risk Management Efforts

One of the most common questions business continuity professionals ask is how to keep management involved in the ongoing preparedness effort and prioritize the implementation of business continuity strategies with limited resources. Business continuity professionals strive to have engaged, interested management teams, but often struggle to achieve this goal. Whether management disinterest has been present from the beginning of the preparedness effort, or whether interest has waned over time, there is one key strategy that Avalution strongly suggests organizations implement in order to achieve greater levels of both management involvement and input regarding business continuity planning: scoping and planning based on the recovery of products and services.