To BIA or not to BIA... revisited: final survey results
- Details
- Published: Friday, 28 June 2019 07:32
In June 2017 Continuity Central published the results of a survey which looked at whether attitudes to the business impact analysis (BIA) and risk assessment were changing. Two years on, we repeated the survey to determine whether there has been any development in thinking across the business continuity profession. The final results are now available.
The original survey was carried out in response to calls by Adaptive BC for the removal of the business impact analysis and risk assessment from the business continuity process.
Respondents
There were 267 respondents to the survey, which was conducted online during the Spring of 2019 using Survey Monkey. The majority of responses came from larger organizations (77.44 percent were from organizations with more than 250 employees). 16.54 percent were from small organizations (less than 50 employees) and 6.02 percent were from medium sized organizations (51 to 250 employees).
Respondents came from many different countries with the top four being:
- United States: 33.33 percent
- United Kingdom: 20.83 percent
- Canada: 5.68 percent
- Australia: 4.92 percent.
Omitting the risk assessment?
The first question asked in the survey was ‘Do you think that it is possible to omit the risk assessment from the business continuity process?’ Overall responses were as follows:
- Yes: and the resulting business continuity plan would be fully functional: 22.18 percent
- Yes: but the resulting business continuity plan would be weakened: 13.16 percent
- No: the risk assessment is a vital part of the business continuity process: 58.27 percent
- I'm not sure: 6.39 percent
When compared to the previous survey in 2017, it appears that respondents have somewhat moved away from the Adaptive BC position. In 2017 a minority (46.48 percent) thought that the risk assessment is a vital part of the business continuity process; this has increased in this year’s survey to a majority (58.27 percent). In 2017, 33.33 percent said that the risk assessment could be omitted from the business continuity process and the business continuity plan would be fully functional. In the 2019 survey this figure was reduced to 22.18 percent. The number of respondents believing that the risk assessment could be omitted but the resulting business continuity plan would be weakened remained virtually the same: 13.62 percent in 2017 and 13.16 percent in 2019.
When broken down by organizational size, some significant differences can be seen, as shown in the following table (2017 survey results are in brackets):
Organizational size | Yes: and the resulting business continuity plan would be fully functional | Yes: but the resulting business continuity plan would be weakened | No: the risk assessment is a vital part of the business continuity process | Not sure |
Small | 13.95 percent | 9.30 percent | 76.74 percent | 0 percent |
Medium | 12.50 percent | 0 percent | 87.50 percent | 0 percent |
Large | 24.15 percent | 14.98 percent | 52.66 percent | 8.21 percent |
Comparing results from the four countries with the most respondents there were again significant differences:
Country | Yes: and the resulting business continuity plan would be fully functional | Yes: but the resulting business continuity plan would be weakened | No: the risk assessment is a vital part of the business continuity process | Not sure |
US | 25.29 percent | 12.64 percent | 56.32 percent | 5.75 percent |
UK | 23.64 percent | 18.18 percent | 45.45 percent | 12.73 percent |
Canada | 33.33 percent | 20.00 percent | 26.67 percent | 20.00 percent |
Australia | 46.15 percent | 15.38 percent | 38.46 percent | 0 percent |
Respondents were invited to make a comment about their response to this question. 118 comments were received and can be read here (PDF).
Omitting the business impact analysis?
The second question asked by the survey was 'Do you think that it is possible to omit the business impact analysis from the business continuity process?' Total responses to this question were:
- Yes: and the resulting business continuity plan would be fully functional: 15.04 percent
- Yes: but the resulting business continuity plan would be weakened: 6.77 percent
- No: the BIA is a vital part of the business continuity process: 75.19 percent
- I'm not sure: 3.01 percent.
Again, there does seem to have been a move away from the Adaptive BC position. In 2017, 19.25 percent of respondents said that the BIA could be omitted and the resulting business continuity plan would be fully functional: in 2019 this reduced to 15.04 percent. The percentage of respondents believing that the BIA can be omitted but the resulting business continuity plan would be weakened also reduced: from 9.86 percent in 2017 to 6.77 percent in 2019. Those stating that the BIA is a vital part of the business continuity process and cannot be omitted increased from 64.79 percent in 2017 to 75.19 percent in 2019.
When broken down by organizational size, some significant differences can be seen, as shown in the following table (2017 survey results are in brackets):
Organizational size | Yes: and the resulting business continuity plan would be fully functional | Yes: but the resulting business continuity plan would be weakened | No: the BIA is a vital part of the business continuity process | Not sure |
Small | 11.63 percent | 4.65 percent | 83.72 percent | 0 percent (0 percent) |
Medium | 12.50 percent | 0 percent | 87.50 percent | 0 percent (0 percent) |
Large | 16.02 percent | 7.28 percent | 72.82 percent | 3.88 percent |
Results from the four countries with the most respondents showed significant differences:
Country | Yes: and the resulting business continuity plan would be fully functional | Yes: but the resulting business continuity plan would be weakened | No: the BIA is a vital part of the business continuity process | Not sure |
US | 21.59 percent | 7.95 percent | 68.18 percent | 2.27 percent |
UK | 12.73 percent | 12.73 percent | 72.73 percent | 1.82 percent |
Canada | 20 percent | 0 percent | 80 percent | 0 percent |
Australia | 30.77 percent | 0 percent | 61.54 percent | 7.69 percent |
Respondents were invited to make a comment about their response to this question. 118 comments were received and can be read here (PDF).
Influence of standards
Respondents were asked to identify the business continuity standard which they are most familiar with and then were asked the following question: Thinking about compliance with the business continuity standard, which comes closest to your view. The results follow, showing that in this year’s survey more than three-quarters of respondents believe that a risk assessment and a BIA are both essential for compliance with the standard they are most familiar with.
- A risk assessment and a BIA are both essential for compliance with this standard. 77.69 percent (71.36 percent in 2017) of respondents chose this option
- A risk assessment is essential for compliance with this standard but not a BIA. 2.69 percent (4.37 percent) of respondents chose this option
- A BIA is essential for compliance with this standard but not a risk assessment. 10.77 percent (14.56 percent) of respondents chose this option
- Neither a risk assessment nor a BIA are essential for compliance with this standard. 8.85 percent (9.71 percent) of respondents chose this option.
63 comments were received about this question and these can be read here (PDF).
Continuity Central would like to thank everyone who took part in this survey. If you would like to submit a comment or an analysis of the results please email editor@continuitycentral.com
