Fundamentals of business continuity: the business impact analysis
- Published: Wednesday, 21 September 2016 08:41
One year on from the completion of the ISO Technical Specification for BIAs, ISO/TS 22317:2015 Societal security -- Business continuity management systems -- Guidelines for business impact analysis (BIA), Jayne Howe examines the realities of the standard and combines this with some practical advice on how to conduct BIAs.
The starting point for this article is that practitioners should not believe that every ISO standard must be ‘best in breed’. The reality is that ISO standards are designed to be the broadest common denominator. Literally dozens of country representatives must come to agreement and consensus on every word that makes it to a final ISO release.
To work universally, the ISO process has to deliver generic standards that concentrate on standardized processes. ISO/TS 22317 is therefore not a recipe or cookbook, nor a ‘How To’ document for specific types of industries or organizations. Instead, it is an approach that allows for customization as necessary in each instance. We should take the opportunity to consider the benefit of being able to add local requirements to the ISO baseline, e.g., corporate culture, laws, regulations, etc.
In common with all ISO standards, ISO/TS 22317 concentrates on program and project process rather than any very specific topic. Company specific details can then be incorporated.
Much of the ISO/TS 22317 standard refers to how the BIA fits into the overall ISO 22301 business continuity standard.
The first part of the document talks about initial setup, such as determining scope and the roles and duties of various groups and teams, etc.
For the purposes of this article, we will concentrate on the BIA document itself; how to gather relevant information, consolidate prioritized information, and present results to management.
For most organizations, determining scope is based on three factors: the existing work products that can be drawn on, the cost of the project, and the revenue generating processes. None of these is included in the ISO/TS 22317 standard. The three factors are:
The number of existing work products (e.g., Risk Management Program, Risk Severity Scale, Risk Register, etc.) can be helpful. It is usually a given that the faster you need to recover a process, the more it is going to cost. In most cases, anything needed within 24 hours must be prearranged. For example, where there is automatic IT system failover, other important factors, such as people or location, may not have been considered.
The wider the scope, the more the project will include direct and indirect costs. If an outside consultant is hired to lead and manage the BIA project, it is very important to include all the internal costs of employees’ time. No matter which information gathering method you use (e.g., questionnaires, workshops, or one-on-one interviews), it will consume employee time and should be included as a cost in the overall project.
Revenue generating processes
More and more organizations are outsourcing non-revenue generating processes, e.g., mail room, printing, HR, IT, etc. As a result, it is more important to concentrate the BIA on revenue generating departments and processes. Outsourced processes then become supply chain issues, which of course should provide input for internal processes. Concentrating on revenue generating processes will help keep a manageable handle on the project scope, particularly if there are multiple sites.
All relevant information gathered in the BIA is based on measurable timescales associated with functions, processes and tasks, e.g., RTOs (recovery time objectives). No matter which information gathering technique is used, the cream will rise to the top. These RTOs must be justified by tying them to the risk severity scale.
One of the most important paragraphs (on page vi) in ISO/TS 22317 reads that the “BIA process consists of a number of individual BIAs, each focusing on a sub-set of the BC program scope. The BIA process PRIORITIZES (emphasis added) products and services, and continues with PRIORITIZING processes and activities that together cover the entire scope of the BC program.”
There are several different methods commonly used to gather BIA data. Each method varies in effort, cost and useable results that must be consolidated:
Questionnaires are probably the most cost-efficient method and are particularly helpful if there are a number of remote users. Be careful to observe the following:
- Don’t ask open ended questions. Consolidating such information is problematic.
- Don’t send the questionnaire to every employee. It should only go to those who are accountable for the process or function, not to all their staff.
Beware of this method. Never has the truism ‘Garbage In Garbage Out’ been more applicable.
Workshops take the most pre-planning and the most internal employee time. They are best used to gather information on end-to-end processes with staff who don’t normally work together. If using a workshop strategy for a single department, be sure to include sufficient time when the employees’ supervisors are not in the workshop so you have an opportunity to learn what really goes on!
One-on-one interviews give the most accurate and complete results. They can be done in person or, where this is not practical, via a conference call. In ‘normal’ situations, it should be possible to carry out three to four interviews per day; overnight, the document is cleaned up, prioritized and sent to the interviewee for sign-off.
Presenting results to management
There will usually be far too much information for management to absorb fully in one presentation. Focus the presentation on the first phase, i.e., the immediate recovery needs. Management will want to know what is going to hit them the fastest and the hardest; this is best achieved by using the Risk Severity Scale to justify the functions and activities that have risen to the top.
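The consolidation step described above (RTOs justified against the Risk Severity Scale, functions prioritized, and a first-phase view of what must be recovered within 24 hours) can be made mechanical once the interview or questionnaire results are in tabular form. The following is an added example, not code from the article or from ISO/TS 22317. It assumes a 1 to 5 severity score taken from the organization's Risk Severity Scale, uses the article's 24-hour prearrangement threshold as the first-phase horizon, and adds one rule that the article does not spell out: a function that feeds another (a "work inflow" in the template terminology) cannot have an effective RTO longer than the function that depends on it. The sample BIA entries are constructed for illustration.

```python
"""Consolidate and prioritize BIA results (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BiaEntry:
    function: str
    rto_hours: int            # Recovery Time Objective as stated by the process owner
    rpo_hours: int            # Recovery Point Objective
    severity: int             # Score from the Risk Severity Scale (assumed 1..5, 5 = worst)
    inflows: List[str] = field(default_factory=list)  # Functions whose output this one needs


# Constructed sample data for illustration only.
SAMPLE_BIA = [
    BiaEntry("Order capture", 4, 1, 5, ["Customer database", "Payment processing"]),
    BiaEntry("Payment processing", 8, 0, 4, ["Customer database"]),
    BiaEntry("Customer database", 48, 4, 3),
    BiaEntry("Monthly reporting", 120, 24, 2, ["Customer database"]),
    # "Printing" is outsourced and out of scope: it is a supply chain issue, not tightened here.
    BiaEntry("Mail room", 72, 72, 1, ["Printing"]),
]


def tighten_rtos(entries: List[BiaEntry]) -> Dict[str, int]:
    """Propagate dependency constraints upstream (assumed rule, not from the article).

    If A needs B's output, B must be back no later than A, so B's effective
    RTO is pulled down to A's. Repeats to a fixpoint so chains of dependencies
    are handled; every change strictly lowers a value, so the loop terminates.
    """
    effective = {e.function: e.rto_hours for e in entries}
    changed = True
    while changed:
        changed = False
        for e in entries:
            for upstream in e.inflows:
                if upstream not in effective:
                    continue  # Out-of-scope supplier (e.g. outsourced): handled as supply chain risk
                if effective[upstream] > effective[e.function]:
                    effective[upstream] = effective[e.function]
                    changed = True
    return effective


def prioritize(entries: List[BiaEntry], effective: Dict[str, int] = None) -> List[BiaEntry]:
    """Order by severity (highest first), then by effective RTO (shortest first), then by name."""
    if effective is None:
        effective = tighten_rtos(entries)
    return sorted(entries, key=lambda e: (-e.severity, effective[e.function], e.function))


def first_phase(entries: List[BiaEntry], horizon_hours: int = 24) -> List[str]:
    """Functions that must be recovered within the horizon; the article says these need prearrangement."""
    effective = tighten_rtos(entries)
    return [e.function for e in prioritize(entries, effective) if effective[e.function] <= horizon_hours]


def summary(entries: List[BiaEntry]) -> List[dict]:
    """Rows for a management presentation: stated vs. effective RTO, and whether a dependency tightened it."""
    effective = tighten_rtos(entries)
    return [
        {
            "function": e.function,
            "severity": e.severity,
            "stated_rto_h": e.rto_hours,
            "effective_rto_h": effective[e.function],
            "tightened_by_dependency": effective[e.function] < e.rto_hours,
        }
        for e in prioritize(entries, effective)
    ]


if __name__ == "__main__":
    for row in summary(SAMPLE_BIA):
        print(row)
    print("First phase (<= 24h):", first_phase(SAMPLE_BIA))
```

In the sample, the customer database owner stated a 48-hour RTO, but order capture needs it back within 4 hours, so the consolidated view carries an effective RTO of 4 hours and flags the change; this is the kind of discrepancy that only surfaces once individual BIAs are consolidated, and it is exactly what management needs justified against the severity scale.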
It is hard to overstate the importance of a good BIA process for a BCM program. In this context, the new ISO/TS 22317 standard has many aspects of great value in addition to being an easily customized global standard, including (1) scope, (2) documentation, (3) information gathering, and (4) presenting results.
Jayne Howe, Associate Partner, FBCI, MRP, CBRM, ISO 22301 Lead Implementer, ISO 22301 Lead Auditor
Chris Alvord, Founder, ISO 22301 Lead Auditor, ISO 27001 Inside Auditor, CBCP, MBCP, OCEG GRC
Bob Draper, Associate Partner, FBCI
Paolo Cannone, Associate Partner, ISO 27001, ISO 22301, ISO 31000, ISO 2000, BS 10012, CSA STAR
Don Stewart, Associate Partner, PMP, MBCP, MBCI
Mohan Menon, Associate Fellow of the BCI, Founder and CEO at Resilient Business Solutions
Austin Risk Consultants uses an award-winning BIA template, easily customizable to fit with any client’s Risk Severity Scale and scope size, with functions including consolidation and prioritization. The two sections of the tool functionality are as follows:
- Name of Business Function
- Description of Component Processes
- Recovery Time Objective
- Recovery Point Objective
- Operational Impact Factors
- Financial Impact Factors
- Regulatory Reporting Requirements
- Staff Impact Factors
- Intangible Losses
- Backlog Issues
- Work Inflows - Contributions
- Work Outflows - Contributions
- Temporary Operating Procedures (TOPs)
- Applications and Data
- Standalone/Unique Equipment
- Impact Value Table (from RM)
- Terms and Definitions