Sometimes MHA is tasked with picking up the pieces after Business Impact Analyses (BIAs) conducted by companies or other consulting firms go off-track. These incidents can be painful for the client and challenging for us, but they offer valuable lessons to other companies.
Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
The BIA Is the Cornerstone
As every business continuity (BC) professional knows, the BIA is the cornerstone of a sound BC program. It helps us identify which business processes, if they were down for a period of time, would have the greatest negative impact on the organization’s ability to carry out its mission—and thus which are deserving of the most protection. A sound BIA is a prerequisite of any company that wants to attain true resilience. Erecting a BC program on the findings of a poorly executed BIA is like building a mansion on the sand.
Common BIA Mistakes
Every now and then, MHA is called in to troubleshoot a situation in which a company has tried to do a BIA on its own or with another consultant and gotten itself into trouble. In these situations we tend to see the same types of errors over and over again. Among the most common mistakes we find are:
- Not differentiating between essential processes (e.g., accounts payable, payroll) and activities (running reports, uploading data). A common result of this oversight is, the few bits of important, relevant data get buried under a mountain of information that is of little to no value.
- Not using a consistent framework or an informed BC methodology in interviewing the departments. This makes it impossible to conduct valid comparisons of data across departments. It also undercuts the usefulness of the data as a means of assessing the criticality of the various business processes.
- Using highly inappropriate RTOs (recovery time objectives). For inexperienced people, one of the most common mistakes they make in conducting BIAs is to pick RTOs that are unnecessarily (and unrealistically) short.
- Not aligning the BIA with the capabilities of the IT department. A BIA that sets unnecessarily strict (and expensive) RTOs and makes no attempt to fit them to reality or close the gaps between the two is of little value.
Learning from Other Companies’ Mistakes
Sorting out a troubled BIA can be difficult for the company and a challenge for us, but for BC professionals at other organizations these situations offer some valuable lessons. Here are a few of them:
- Before embarking on a BIA, make sure you understand what one is and does. Learn the basics of BIA methodology.
- In hiring a BC consultant, make sure they have experience in your specific industry.
- Make sure the BIA focuses on each department’s mission critical processes. Avoid turning your BIA into a laundry list.
- Frame your BIA interviews consistently. Ensure that your data is in standard terms across departments so it can be legitimately compared. At MHA, we always implement a few standard assumptions in doing BIAs. For example, we always exclude the effects of any mitigation tools in assessing the impact of the process being offline and we always tell people to answer as though the disruption occurs at the worst possible time.
- Make sure your RTOs are industry-appropriate (e.g., hospitals must have very short RTOs; educational institutions can have longer ones).
- Find out when the IT department can actually recover critical applications. The gap between the (appropriate) RTO and the actual recovery time is what you build your recovery plans on.
- A good, knowledgeable consultant should lead and work with the client, helping them understand what the core business processes and appropriate RTOs for their industry are.
- The consultant should also be able to help the client select and weight the appropriate quantitative and qualitative impact categories.
Ensuring Your BIA Is Rock-Solid
Avoid building your BC program on sand by ensuring that you BIA is rock-solid. Our clients’ experiences provide valuable lessons to BC professionals who wish to do better.
These lessons include the importance of understanding the fundamentals of BIA methodology, hiring consultants with industry-specific experience, and focusing on the mission critical processes. It’s also essential to frame BIA interviews consistently, set industry-appropriate RTOs, and align with the capabilities of the IT department.
For more information on avoiding bad BIAs and other hot topics in business continuity and IT disaster recovery, check out the following recent posts from MHA Consulting:
- All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
- A Little Help: How to Select a BCM Consultant
- Getting the Most Out of Your BCM Consultant: Do’s and Don’ts
- Client’s Guide to Hiring a BC Consultant
- Dancing the Tango with Your Business Continuity Consultant
- Help, I Need Somebody: 4 Times When You Should Hire a BC Consultant