Nearly all business continuity practitioners understand the importance of conducting a business impact analysis (BIA) in order to lay the foundation for a viable business continuity program. Organizations who perform and continually improve effective BIA processes gather essential business information for the activities that support organizational product and service delivery, such as process-related information, justification for business continuity requirements, recovery objectives, and resource requirements necessary to achieve recovery objectives and performance targets following the onset of a disruptive incident. This information drives the selection of organizational business continuity strategies, serves as an input to business continuity plans, and provides insight into potential organizational risks.
While BIAs are such an important component of any business continuity program, many organizations struggle to perform “good” BIAs. This perspective examines the typical root causes of “bad BIAs” and provides suggestions on how organizations can improve their BIA process. If your organization’s existing BIA process is not providing data to drive continuous program evaluation and improvement, then perhaps your BIA approach is suffering from one of the root causes below. If your organization is conducting a BIA for the first time, it is important to take note of these potential downfalls before beginning the BIA.
SYMPTOM: BIA DATA IS TOO OVERWHELMING TO ANALYZE
Root Cause: Incorrect BIA scoping
A key BIA objective is to gather data to answer two primary questions: (1) what business activities are critical to sustaining business operations, and meeting organizational objectives and external obligations (e.g., customer, regulatory), and (2) how quickly do business activities and supporting resources need to be available before the disruption impacts the organization or its customers, and to what performance level? For simplicity sake, many business continuity practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may seem logical to use these resources, practitioners may find that using this method results in too much data that is often difficult to analyze.
The most efficient scoping method is to identify the key organizational products and services —organizational outputs or offerings— and then interview or collect data from the departments that perform business activities delivering – or supporting the delivery of – these products and services. This method helps focus the BIA process’ scope and ensures that BIA participants only provide relevant data that supports critical business activities, making data analysis more straightforward.
SYMPTOM: BIA DATA IS USELESS OR IRRELEVANT
Root Causes: Incorrectly identified BIA participants and ineffective data gathering methods
Incorrectly Identified BIA Participants
Organizations often struggle with useless or irrelevant BIA data either because they incorrectly identified BIA participants (e.g. too detailed or too high-level) or chose ineffective data gathering methods. As a result, the BIA data becomes useless or difficult to use because the collected data does not provide value or may even include conflicting data.
When identifying BIA participants, it is important to identify internal subject matter experts (SME) that can both understand the department’s role and criticality within the broader organization, as well as speak to specific day-to-day departmental activities and supporting resources. Organizations that choose to only interview high-level executives may find that these individuals cannot speak to detailed departmental activities or resources necessary to establish business recovery requirements. Similarly, lower-level support staff usually do not have high-level organizational insight and cannot provide information regarding internal organizational dependencies and impacts, nor can speak to how the department contributes to organizational priorities. To avoid these issues, organizations should consider the following questions when choosing BIA participants:
- Does the SME have general departmental knowledge, including how it performs activities and the department’s role in the context of the larger organization?
- Does the SME have the ability to identify and assign resources, as needed, to assist in the BIA effort?
- Can the SME provide details on departmental activities, such as activity inputs, outputs, and dependencies?
Ineffective Data Gathering Methods
The second root cause of having useless BIA data is ineffective data gathering methods. Many business continuity professionals assume that a BIA is just a series of questionnaires. Although many think this method is the quickest way to complete the task at hand and takes the least amount of effort on the business continuity professional (side note, using questionnaires often takes the same amount of time, if not more), questionnaires do not allow for business continuity awareness-building with department SMEs, guidance regarding BIA data requirements, consistent information, or even the opportunity to collect additional data or ask clarifying questions when necessary.
Organizations also often choose to collect BIA data in an interview or workshop setting by holding department, function, process, or activity-specific sessions with the objective of collecting as much relevant data in the most efficient manner. Using the wrong data gathering approach, the resulting BIA data is often incomplete and shallow, since it is difficult to have enough dedicated time to ask the necessary questions and completely collect data for each department.
Instead, Avalution recommends using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) in order to deliver actionable results in a time-efficient manner. In addition to following the recommended interview approach, organizations should ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and reporting efforts, are capable and knowledgeable in the organization and the BIA process (together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should not only be able to ask the right questions and capture data, but should also understand when to go “off the script” to guide discussion and draw indirect information from the SMEs.
SYMPTOM: INACCURATE OR UNREALISTIC RECOVERY TIME OBJECTIVES
Root Cause: Recovery time objectives are assigned without adequate business justification
An important BIA output is establishing business continuity requirements, which means activity and resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives, or RTOs, and recovery point objectives, or RPOs). Establishing recovery objectives helps to identify the most critical business activities and resources, which ultimately leads to an appropriate order of recovery. However, organizations often assign department RTOs without adequate business justification, such as by asking SMEs or middle level managers their subjective opinion based on limited understanding of their department’s capabilities or priorities, undermining the data’s accuracy.
To ensure accurate and realistic department RTOs, business continuity practitioners should confirm that:
- Department SMEs provide financial, operational, customer/contractual, legal/regulatory, or other relevant impact information that justifies the proposed business continuity requirements.
- The proposed business continuity requirements reflect leadership-defined organizational priorities and align with pre-determined management expectations. For example, business continuity practitioners should ensure that activities not directly supporting organizational priorities also do not have overly aggressive RTOs.
- Any upstream and downstream dependencies validate that the proposed RTOs meet their business requirements.
SYMPTOM: DISENGAGED EXECUTIVES
Root Cause: Business continuity practitioners do not effectively engage top management throughout the BIA process
Top management is critical in driving preparedness and program improvement, providing business continuity strategic direction, and sponsoring organizational changes in ways the business continuity team cannot. Without engaging and building top management business continuity awareness, business continuity practitioners may find that top management is disengaged, resulting in lost opportunity and poor business continuity program performance.
Specific to the BIA process, top management has a role in both endorsing the BIA scope and the final BIA results. Business continuity practitioners should include leadership during the BIA scoping process, particularly to confirm:
- Organizational priorities and the departments that support these priorities
- Management expectations for recovery, such as downtime tolerances for in-scope products and services
- Impact categories
- BIA participants
Once the BIA is complete, practitioners should develop a BIA summary report for top management review and approval. Through the summary report, top management should be able to understand:
- Department, activity, and resource-specific business continuity requirements
- Risks that lead to an increased likelihood of disruption, or risks that may make it difficult for the organization to recovery
- Gaps specific to preparedness (comparing current-state capabilities to approved business continuity requirements)
- Recommendations to address risks and enable successful recovery within approved objectives
To ensure top management engagement, practitioners should avoid:
- Reporting on non-strategic conclusions (for example, the number of BIAs conducted or how many printers are necessary for recovery)
- Providing BIA results without justification, especially communicating unsubstantiated “the sky is falling” results
- Providing a “data dump” of the BIA results that top management will need to analyze themselves
The BIA process is more than just a checkbox in the annual list of business continuity program activities. When done correctly, it can provide useful information to drive continuous business continuity program improvement and ensure a more prepared organization.
Continue to visit avalution.com or our business continuity and IT disaster recovery blog for more posts in Avalution’s Business Continuity Faults & Fixes Series.
In addition, be on the lookout for the ISO 22317 – Societal Security – Business Continuity Management Systems – Business Impact Analysis guidance document, which will provide detailed content and resources to support BIA delivery and developing BIA outcomes.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Please contact us today to get started. We look forward to hearing from you!
Avalution Consulting: Business Continuity Consulting