Skip the BIA: Four Cases Where a Formal BIA Is Optional
One of the most common complaints from my consulting clients is that doing a formal business impact analysis, or BIA, is a waste of time. In today’s post, written with BIA doubters in mind, I’ll lay out four cases where conducting a formal BIA is unnecessary.
Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
Purpose and Methodology of the BIA
The BIA, as all business continuity professionals know, is the study you conduct to determine which of the organization’s business processes are the most critically time sensitive and hence most in need of protection.
It is conducted by gathering preliminary information from the various departments, interviewing representatives from the departments to quantify risks, and assessing and consolidating the findings in collaboration with senior management. At least, that’s how we do them at MHA.
(We also use BIA On-Demand, the BIA component of our proprietary software suite BCMMETRICS, to conduct, store, analyze, and aggregate the data and help prepare the final report.)
Negative Aspects of the BIA
If all that strikes you as a pain in the neck, you are not alone. Many BC professionals groan at the thought of conducting BIAs. They especially groan at the thought of trying to get the various business departments to answer detailed questionnaires and sit for interviews.
The departments themselves also tend to dislike BIAs. They hate being taken away from their regular duties to do them.
Finally, the dim view of BIAs held by the BC office and the business departments is often shared by senior management. This is because they are loath to pull the departments away from doing revenue-producing work.
Four Cases Where the BIA Is Optional
For the reasons mentioned above, many people feel about BIAs the way most people feel about having a root canal.
Today’s post is dedicated to everyone who shares those sentiments. In it, I’ll lay out four situations where doing a formal BIA can be regarded as optional—even completely unnecessary.
Let’s begin:
- Your company is very small. If your organization occupies only a few rooms, has just a few employees, and sells only a few products or services, you can probably get away with doing your BIA informally.
- You believe that only identifying 60 or 70 percent of your critical business process is good enough. In my experience, most companies that use an informal, back-of-the-envelope method to identify their critical business processes usually catch around 60 or 70 percent of them. They miss 30 to 40 percent. I know this because we are often called in to do a formal BIA at companies that previously did an informal BIA. Thirty to 40 percent is the proportion of missed criticalities we typically identify. The items missed commonly include a wide range of dependencies, including systems, apps, and records, internal and external. However, as I say, if you are okay with identifying and protecting 60 to 70 percent of your critical business processes (and leaving the others to fend for themselves), you can safely skip doing a formal BIA.
- You do not mind if your company is down for an extended period of time. If you and your colleagues and managers have no objection to your organization’s suffering lengthy downtimes and any associated impacts (to revenue, reputation, or what have you), then you will be fine conducting your BIA by the seat-of-the-pants method.
- You don’t mind if your business continuity management (BCM) program is built on sand. The BIA is often referred to as the foundation of BCM program. This is because the plans and strategies that make up the visible part of the program are based on the information unearthed by the BCM. They are only as strong as the BIA. If your BIA is rock-solid (complete, accurate), you have a good chance of developing valid plans and strategies. If your BIA is mushy, your plans and strategies are probably not protecting everything they should be. If this doesn’t bother you, you should have no qualms about skipping a formal BIA and trusting your organization’s well-being to your back-of-the-envelope version.
You see what I’m getting at: Accurately identifying which of the organization’s business process are critically time sensitive—and thus need robust protection—is of vital importance for the company’s well-being. And the absolute best way we have of making sure these types of processes and dependencies are identified is the formal BIA.
The Truth About BIAs
Yes, for smaller, simpler organizations, maybe it is sufficient to gather a few knowledgeable people for a brainstorming session and identify the processes that matter most.
However, for companies of any size or complexity, doing it that way is akin to asking for trouble.
And I say all that without disagreeing in the least with anyone who says doing BIAs is not fun. It isn’t fun. It could even be described as a pain in the neck. It does require asking people for their time. It is something management is generally less than excited to support. (For tips on how to manage these challenges, see the articles mentioned in Further Reading below.)
The formal BIA is also—at least for any organization that doesn’t fit into one of the cases mentioned above—of critical importance for the protection of the organization and its stakeholders.
The BIA Is a Strong Foundation
It is understandable that many BC professionals, business departments, and senior executives dislike doing formal BIAs because they are disruptive and time-consuming. However, the BIA is the best way to accurately identify critical business processes and dependencies, making it an essential foundation for developing recovery strategies and plans.
Smaller organizations or those willing to accept the risk of extended downtimes may be able to rely on informal methods. However, larger and more complex organizations—and any company that wants to be sure of protecting its critical operations and its stakeholders—should not skip the formal BIA process.
Further Reading
For more information on BIAs and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:
- All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
- BIA Blunders: 6 Common Mistakes Organizations Make When Conducting BIAs
- The Big Decision: Choosing What Software to Use for Your BIAs
- Top 5 Reasons Why Most BIAs Are DOA
- The Secret to a Successful BIA Interview: Get Their Information Ahead of Time
- BIA Interviews: 5 Tips for Streamlining the BIA
- The Human Side of Conducting BIAs
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
