The latest business continuity news from around the world

Survey: to BIA or not to BIA?

Details

One of the differentiators of the new approach to business continuity advocated by Adaptive BC is the removal of the business impact analysis and risk assessment from the business continuity process. But is that a realistic proposal? This survey seeks the views of business continuity professionals on this issue.

Introduction

Adaptive BC is an alternative approach to traditional business continuity planning. It is ‘based on the belief that the practices of traditional business continuity planning have become increasingly ineffectual’ and
proposes nine principles to found its new approach. Of these the one which had proved to be the most controversial is the principle that Adaptive BC omits risk assessments and business impact analyses.

The rational behind this omission is as follows (verbatim):

The risk assessment (RA) and the business impact analysis (BIA) form the backbone of traditional continuity planning. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of traditional continuity planning, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.

Risk assessment

The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead. Preparing for the wrong threats is a waste of resources and may lead to a false sense of security that further jeopardizes the organization. 

Some threats, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions, are identified and mitigated but materialize nonetheless. It is precisely because bad things will happen, despite the best efforts of very capable risk managers to prevent them, that continuity planning is so critical. (See additional points in “Prepare for Effects, not Causes.”) There are also significant liabilities for continuity practitioners who do not possess the training and expertise to properly implement and follow through on a risk assessment. Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers. Adaptive BC practitioners as such should eliminate the risk assessment from their scope of responsibility.

Business impact analysis

The purpose of a formal business impact analysis is to identify an organization’s services along with the potential daily or hourly loss, usually in terms of money, that a disruption of the service would have on the organization. Over time, the purpose of a BIA has changed, expanded, and become indistinct. The term BIA now often includes recovery time objective (RTO) and recovery point objective (RPO) data, response and recovery strategies, upstream and downstream dependencies, and other information.

The BIA as a measure of estimated losses should be abandoned. Its main purpose was to help leadership identify the most critical services and to set a prioritization for continuity planning efforts. The discipline should eliminate the BIA because:
  • The goal of quantifying the impact of disaster is likely a non-starter from the beginning. Numerous commentators have identified numerous deep flaws at the core of the BIA practice. Rainer Hübert’s definitive paper, “Why the Business Impact Analysis Does Not Work,” makes a compelling argument for the industry to abandon the practice of BIA work entirely because of the “very costly and even fatal misinterpretations and misrepresentations” inherent in the process.
  • Executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization (as discussed in “Obtain Incremental Direction from Leadership”) and therefore can set general direction and prioritization for preparedness planning.
  • The proper sequence to restore services at time of disaster will depend on the exact nature of the post-disaster situation, a situation that cannot be predicted ahead of time. Because the organization must be flexible and responsive to the situation as it unfolds in real time, recovery time targets and a prescriptive recovery sequence should not be predetermined.

Due to the increasingly nebulous and confused understanding of the term BIA, along with the many connotations and associations that the term has within traditional continuity planning, both the practice and term itself should be entirely abandoned in Adaptive BC.

If you remove the BIA from the business continuity process, what, if anything, would take it's place? David Lindstedt, one of the founders of the Adaptive BC approach, explains as follows:

"Let's go ahead and assume that the BIA could, in fact, provide an hourly or daily cost in terms of lost revenue or lost market share for each service or department that could be temporarily eliminated due to an incident. (Naturally, I think this is a problematic assumption based on commentators and research, but let's make the assumption anyway.) Shouldn't leadership know what is important without having to conduct a BIA? Don't the Board, executives, and top leadership have clear knowledge of what is most important to the continued functioning of their organization without a BIA? Or, perhaps more precisely, is leadership so inaccurate in their estimations of departmental value that the BIA properly changes these estimations and provides a more accurate picture of value to executives?"

Is it really possible to omit risk assessments and BIAs and still develop a functional business continuity plan? Please give your views in the following survey:

THE SURVEY IS NOW CLOSED


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Root Cause Analysis
The Impact Tolerance Guide

Additional Resources

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.