Using the Business Impact Analysis to Understand Relationships Between Resources and the Business
The business impact analysis (BIA) establishes the foundation of an organization’s business continuity program by establishing business continuity requirements. As a result, a significant part of Avalution’s work involves helping organizations design and execute the BIA process. Furthermore, a well-executed BIA can deliver so much more than just a list of recovery time objectives (RTOs) and recovery point objectives (RPOs)! Continue reading
This article provides an overview of GPG Professional Practice 3 (PP3) – Analysis, which is the professional practice that “reviews and assesses an organization in terms of what its objectives are, how it functions, and the constraints of the environment in which it operates”.
PP3 introduces and addresses the business impact analysis (BIA) as a primary means of analysis, leading to appropriate business continuity requirements. PP3 identifies the following beneficial outcomes from the BIA: Continue reading
WHAT IS ISO 22317?
The International Organization for Standardization (ISO) Technical Committee (TC) 292, the committee responsible for writing security, resilience, and business continuity standards, has released its latest document: ISO 22317 – Societal Security – Business Continuity Management Systems – Business Impact Analysis, the first and only international standard solely addressing the business impact analysis (BIA).
ISO 22317 was officially published on September 17, 2015.
There are a few important points to understand before reading ISO 22317: Continue reading
How to Perform an Effective Business Continuity Strategy Identification and Selection Effort
Reader Note: This article is a continuation from Avalution’s November 2014 article titled: We just did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap Analysis. If your organization just finished a business impact analysis (BIA) and risk assessment, but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.
Once an organization understands gaps between business continuity requirements (as defined in the business impact and risk assessment) and current capabilities, management can determine which gaps they wish to address through strategy selection – either through risk mitigation or resource-specific recovery methods. Determining methods to decrease the likelihood of a disruptive incident reduces the potential that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organizations’ brand and financial position (among other assets). Continue reading
Faults & Fixes: Bad BIAs
Nearly all business continuity practitioners understand the importance of conducting a business impact analysis (BIA) in order to lay the foundation for a viable business continuity program. Organizations who perform and continually improve effective BIA processes gather essential business information for the activities that support organizational product and service delivery, such as process-related information, justification for business continuity requirements, recovery objectives, and resource requirements necessary to achieve recovery objectives and performance targets following the onset of a disruptive incident. This information drives the selection of organizational business continuity strategies, serves as an input to business continuity plans, and provides insight into potential organizational risks. Continue reading
How to Perform an Effective Business Continuity Gap Analysis
Following a business impact analysis (BIA) and risk assessment, best practices indicate that an organization should identify business continuity strategies that allow the organization to treat risks and recover business activities in accordance with management-approved requirements. This seems like a simple task on paper; however, in practice, many organizations struggle to do this, and instead jump straight to documenting business continuity plans. In doing so, these plans fail to include the resources and strategies already in place, or the organization fails to acknowledge and address coverage gaps. This leads to a lost opportunity to identify new risk treatments or recovery strategies, ultimately resulting in plans with no real capability to respond and recover. Continue reading
Business continuity planning is inherently cross-functional with a necessity to address risks to an organization’s product and service offerings, as well as the resources necessary to meet obligations. As organizations increasingly rely on a global network of suppliers and service providers, business continuity practitioners have the responsibility to understand and analyze these relationships and lead strategy identification efforts to protect their organization when faced with a third-party disruption.
Developing and implementing business continuity strategies and risk treatment options related to third parties can be a difficult endeavor because strategies may seemingly contradict an organization’s strategic efforts to leverage single-source suppliers, make supply chains “lean”, and reduce stored inventory levels. However, business continuity practitioners must provide top management with the information needed to balance strategic initiatives with the need to reduce single points of failure and protect an organization should a resource become unavailable.
This perspective discusses the tools available to identify and document third-party resources and methods by which risks can be presented to top management for review and action. Continue reading
Nearly all business continuity professionals understand the importance of the business impact analysis (BIA) as the primary means for laying the foundation of a business continuity program. However, many professionals struggle to receive executive buy-in, as well as the necessary resources and support for the process. This article dispels common myths in attempt to help remove barriers to obtaining support and contributes to the creation of the business case for performing the BIA in any organization. Continue reading
So you’ve just completed your business impact analysis (BIA) – identifying recovery time objectives for a variety of processes and functions throughout your organization and captured the names of applications and systems that business owners state they just can’t live without. In addition, the IT department heard you were conducting a BIA and mentioned on a few different occasions that they were excited to see what the final results would be to help with their planning. You’ve taken all the applications and their reported recovery time and recovery point objectives and crammed them into a very lengthy spreadsheet, and then the inevitable happens… you realize that everything you have collected is a huge mess.
But, don’t worry, this is a common issue! This perspective will explore the process of taking that seemingly disorganized pile of data and organizing it into something that can be utilized by IT disaster recovery planners to help meet continuity goals. So, let’s get started! Continue reading
Avalution’s Approach to Establish Business Continuity Requirements
The business impact analysis (BIA) and risk assessment are foundational elements of every effective business continuity program; however, in our experience, many business continuity planning participants experience a lot of confusion regarding the definitions, relationship, and expected outcomes between the two processes. This confusion often results in outcomes that fail to drive preparedness.
Avalution acknowledges that there are many different ways to design and execute BIA and risk assessment processes, depending on the objectives for each. We also know that many experienced business continuity professionals have strong opinions on this topic, which may not fully align with our view. This article simply aims to provide Avalution’s perspective on how to best design and execute the BIA and risk assessment processes to achieve results that align with how management views business continuity risk. Continue reading