The Business Impact Analysis (BIA) is one of the fundamental building blocks of a sound business continuity management program. In today’s post, we’ll look at six mistakes companies commonly make in conducting BIAs and explain how to get those areas right.
Related on BCMMETRICS: The Human Side of Conducting BIAs
The Importance of the BIA
The BIA is a foundational element of a quality BCM program and of a resilient organization.
BIAs look at how much it would it harm the company if various critical business processes were interrupted as a result of a negative event.
BIAs are typically carried out department by department. They help us identify which of the department’s business processes are the most critical and time sensitive. They do the same thing for the organization overall.
It’s important to identify which business processes are the most critical because that tells us which ones we should recover first.
Chest Pains vs. Scraped Knees
If a patient were brought into the emergency room with serious chest pains and a scraped knee, the medical team would know to worry about the chest pains first. Everyone understands that proper heart functioning is a critical process in sustaining life. The scraped knee is comparatively minor. The scrape should be tended to prevent infection, but it can wait a little longer.
With an organization, it’s not always obvious which processes are the most vital. BIAs help the organization figure out which processes are its heartbeat and which are its scraped knees. It helps the organization identify the relative criticality and time sensitivity of all of its dozens or hundreds of business and computing processes. This enables it to identify which processes should be recovered first, second, third, and so on. This information forms the basis of the company’s BCM plans and strategies.
6 Common BIA Bundles
The following are six mistakes that I and my team commonly see organizations make when conducting BIAs:
- Not giving the people conducting the BIAs sufficient access to the departmental experts. When the team doing the BIAs doesn’t have enough time with the departmental subject matter experts (SMEs), the result is bad or incomplete data. This undermines the BIA and everything built on it. Ultimately it jeopardizes the recoverability of the whole organization. Solution: Allow 1.5 to 2 hours for each BIA interview. (Read more: A Matter of Time: When SMEs Are Prevented from Helping With BCM.)
- Not establishing a standard set of assumptions. If the different departments have different operating assumptions in responding to the questions from the BIA team, the resulting report will be a comparison between apples and oranges. This will make a valid assessment of the relative criticality of the organization’s business processes impossible. Solution: The team conducting the BIA should instruct all of its interviewees to make the following assumptions: 1) The business process cannot be performed (the reason for this is irrelevant), 2) There is NO continuity plan or solution in place, and 3) The disruption has occurred at the peak time for the process.
- Not aligning their RTO and RPO categories with the organization’s mission. Companies often make the mistake of not aligning their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) categories with their overall mission. This can result in them not being able to recover in time to prevent a crippling impact or alternately in spending more money than necessary on mitigation. Solution: Identify a set of RTO and RPO categories that make sense given the company’s mission. Be precise in identifying the categories and try to keep the number of categories to a manageable number (no more than seven). (Read more: RTO and RPO: Making It Simple.)
- Not calculating the RTO with sufficient rigor. Many BIAs have no rhyme or reason in how they determine the RTO of the various business processes. The participants pick them out of thin air. When this happens, everything based on those RTOs is like a house built on sand. Solution: Be rigorous in determining your RTOs. Identify when the first material impact on the company occurs after the process is interrupted (e.g., 4 hours, 24 hours, 5 days). Identify the impacts (low, medium, high) to the various impact categories (e.g., financial, operations, service delivery, brand/image). These two factors can be used to rationally determine the RTO. (Read more: All About RTOs: What They Are and Why You Have To Get Them Right.)
- Not obtaining formal approval by management of the BIA results. When the results of the BIAs are not documented in a report that is formally approved by management, the chances that the BIAs will lead to constructive change are very small. Solution: Document a report summarizing the results of the BIAs. Review this with management. Incorporate management’s revisions and obtain their formal approval. The report can then be leveraged to build recovery strategies and plans based on the BIA-derived RTOs and RPOs.
- Not aligning the BIA results with IT. Sometimes gaps open up between what the BIA calls for in terms of the RTOs and RPOs of the various computer systems and applications and what the IT team is capable of providing. If these gaps are allowed to persist, the BIA process can get derailed and the company remain unprotected. Solution: The BCM team should work with IT to align computer system and application RTOs and RPOs with IT’s current capabilities. Gaps should be documented and brought to the attention of management for review and mitigation. (Read more: Getting in Sync: Eliminating Recovery Strategy Gaps between BC and IT.)
Improving the BIA Process
BIAs are important because they help an organization identify which of its business processes are the most critical and time-sensitive, hence which ones it should recover first. The BIA process is complicated, and organizations often make mistakes in conducting them. Six common “BIA blunders” are set forth above. By incorporating the solution prescribed for each mistake, organizations can improve their BIA process and strengthen their resiliency.
For more information on avoiding BIA mistakes and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting: