BIA and Risk Assessment: Why Both Are Important
Can you describe the differences and benefits of the BIA and Risk Assessment? Today’s short blog may help you provide answers when the questions arise.
You just spent time completing a Business Impact Analysis (BIA), taking 2 to 3 hours per department. Now you are asking for another hour or more to interview the same team for a risk assessment. “We just did this, why are we doing it again?” is the response from department leaders. Even BC program stakeholders ask why time and resources are being spent on the same activities. The Risk Assessment and BIA are both risk-based assessments but have different purposes. BIAs are the “what” is impacted and Risk Assessments are the “how” impacts occur.
BIAs are the “what” is impacted and Risk Assessments are the “how” impacts occur.
A Business Impact Analysis
-
-
- identifies business impact when processes are not functional or available;
- is based on an inability to perform a process;
- is used to identify how quickly the process must be available;
- is not concerned with why a process is unavailable, only when it needs to be available; and
- helps determine what technology or planning is needed for functional recovery.
-
A Risk Assessment
-
-
- identifies conditions or situations that may cause a business process outage;
- determines the probability of the risk occurring;
- pinpoints threats and hazards across all areas – human, natural, technology, chemical/biological, etc.;
- assists in determining how to prevent impact/outages; and
- can be referred to as a Threat and Risk Assessment (TRA).
-
These differences make it clear that it is not possible to have a complete business continuity (business function and IT/technology) strategy and implementation without conducting both a BIA and Risk Assessment.
When only a BIA is performed, recovery focus is on IT. They are expected to have a disaster recovery strategy in place to allow for application and processing recovery even when the probability of a business impacting event may not be data center-related. Risk Assessments provide an overall view of risks to the organization, including those to the processing environment.
When only a Risk Assessment is performed, the financial and non-financial business impacts are not understood, so appropriate remediation may not be implemented. An example: a high-risk building housing a call center may be impacted by weather, even though the call center applications are in the data center in another state. Though loss of the physical call center may not have a large financial impact, it may have a significant impact on customer service and retention. Without a clear understanding of the business impact of the loss of the call center facility, an alternate call center may not be part of the recovery strategy.
BIAs and Risk Assessments should be performed and updated on a regular basis and one cannot replace the other. Like our children, neither can be the favorite or is more important. We recommend that you integrate the two, sharing information whenever possible, and presenting management with a single view that enables them to make more informed business decisions.
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
