BCM Basics: BIAs vs. Risk Assessments
This post is part of BCM Basics, a series of occasional, entry-level blogs on some of the key concepts in business continuity management.
The business impact analysis (BIA) and the threat and risk assessment (TRA) are two of the cornerstones of a sound business continuity program. In this installment of BCM Basics, we’re going to look at what BIAs and TRAs have in common, how they’re different, and the part each plays in the development of an organization’s recovery strategies, plans, and actions.
Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
What BIAs and Risk Assessments Have in Common
Today’s subject is BIAs and risk assessments. We’re going to break down what these two studies are, how they are similar and how different, what they help us do, and why each is important for organizations intent on reducing their likelihood of being struck by a disaster and reducing the impact of any disasters that do occur.
Let’s start with what the two types of evaluation have in common.
Both BIAs and risk assessments require the business continuity (BC) office to approach in-house subject matter experts, asking to meet with them for a couple of hours and seeking their input and expertise.
Both are frequently viewed as a goal when in fact they are a means to an end, and both can cause confusion for SMEs, who often don’t understand the reason for them.
Most importantly, both BIAs and risk assessments play a key role in influencing the development of the organization’s recovery strategies, plans, and actions, something that will be explored more fully below.
Let’s look at them one by one.
A Closer Look at the BIA
In the words of Strong Language: The MHA Glossary of Essential Business Continuity Terminology (free download with registration), a BIA is “an assessment that determines the relative criticality of an organization’s business processes” with the purpose of providing “critical guidance in developing recovery plans and allocating BC resources.”
The BIA identifies which of your organization’s business processes, if they were down for an extended period, would cause the most impact. Is the call center one? Shipping? Manufacturing? Payroll? The website? The retail operations?
The BIA—after a process of gathering, validating, and comparing information from subject matter experts and senior managers—will tell you.
Here are some additional key points about BIAs:
• They look at both financial and non-financial impacts.
• They will arrive at different results depending on the industry and company.
• They weight the various impacts based on what management believes is most important.
• They look at dependencies for the processes.
• They establish the timeframes by which key processes must be recovered in order to prevent an unacceptable level of damage. (These timeframes are known as Recovery Time Objectives or RTOs).
• They are not concerned with why a process is unavailable, only when it needs to be available.
• Finally, and most importantly, BIAs provide critical guidance to the organization by showing which processes merit the greatest protection in the organization’s recovery strategy and plans (i.e., which ones should be made recoverable in the shortest amount of time).
To sum up, BIAs help you identify which of your business processes need to be recoverable soonest based on the impact if they were down—and hence which ones you should prioritize in your recovery planning.
Reviewing the Risk Assessment
The risk assessment is a very different kettle of fish.
According to Strong Language, the TRA is “A written evaluation of the hazards facing an organization.”
The risk assessment looks at the threats in the environment that could the organization, evaluating them in terms of the likelihood of occurrence and the severity of impact if they did occur.
The risks considered might range from a cyberattack to the possibility of a gas leak at the chemical plant across the street and everything in between.
Here are some key facts about risk assessments:
• They identify conditions or situations that might cause a business process outage.
• They determine the probability of the risk occurring and the severity if it did occur.
• They pinpoint threats and hazards across all areas: human, natural, technological, chemical, etc.
• Finally, the most important thing about risk assessments is that they provide guidance to the organization’s efforts to mitigate risk and prevent outages.
In short, the risk assessment seeks to understand the bad things that could happen to yourcompany, and its purpose is to give you a chance to take steps to reduce the chances that they will happen and to lessen the impact if they do.
Two Assessments Serving One Goal
Here are a few more points that apply to both BIAs and risk assessments:
• Both need to be reviewed and updated periodically.
• BIAs are concerned with what is impacted, risk assessments focus on how impacts occur.
• The two evaluations work in tandem, giving you powerful tools for reducing your vulnerability to outages and protecting your most critically time sensitive business processes and their dependencies.
In a perfect world, every organization would conduct both of the evaluations we’ve been discussing. Which should you perform if you only have the time and resources to do one of them? Make it the BIA. Being able to mitigate the risks of potential threats is important. Being able to restore vital processes quickly is essential.
But why choose? Drivers today enjoy the protections of airbags and safety belts. Wise organizations will avail themselves of the safeguards provided by both BIAs and risk assessments.
Achieving the Highest Level of Resilience
BIAs and risk assessments are both crucial elements of a comprehensive business continuity program. While BIAs focus on identifying and prioritizing critical business processes for recovery, risk assessments evaluate potential threats and their likelihood.
The two assessments complement each other, providing a robust framework for mitigating risks and ensuring swift recovery in the event of a disruption. Organizations should strive to conduct both evaluations to achieve the highest level of resilience and protection against unforeseen events.
Further Reading
For more detailed information on BIAs and risk assessments, see the MHA blog posts linked to above. We’ve written numerous posts on BIAs and almost as many on performing risk assessments. “All About BIAs: A Guide to MHA Consulting’s Best BIA Resources” is a one-stop shop containing links to and descriptions of some of our best BIA blogs. To learn more about risk assessments, check out, “Risk Assessment: The Best Way to Identify Your Biggest Threats,” “Driving Blind: The Problem with Skipping the Threat and Risk Assessment,” and “Weighing the Danger: The Continuing Value of the Threat and Risk Assessment.” To see what a risk assessment looks like, check out, “A Sample Threat and Risk Assessment: The Case of Acme Widget Corp.”
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
