Where next for the BIA?
Published: Wednesday, 31 July 2019 07:46
By David Honour
It seems clear from Continuity Central’s recent ‘To BIA or not to BIA... revisited’ survey that the majority of business continuity professionals see the business impact analysis (BIA) as a vital aspect of the business continuity process… but is that the end of the conversation? Is the current bipolar state of the 'keep the BIA as it is' and 'ditch the BIA' discussion nuanced enough?
I would suggest that the answer to both the above questions is ‘no’.
Those sceptical of the BIA criticise the process rather than the aim. Adaptive BC states that the BIA’s main purpose is ‘to help leadership identify the most critical services and to set a prioritization for continuity planning efforts’. It does not criticise this goal; rather, it believes that ‘executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization and therefore can set general direction and prioritization for preparedness planning’. The premise is that executive leadership will know their own business well enough to provide the information that a BIA sets out to discover. Adaptive BC also points out that mission creep has resulted in the BIA’s purpose changing, expanding, and becoming indistinct over time.
If we take the BIA back to the basics with the help of the ISO/TS 22317 ‘Guidelines for business impact analysis’ standard we find that: 'The BIA process analyses the consequences of a disruptive incident on the organization.' The standard says its outcomes include the following:
- Endorsement or modification of the organization's business continuity programme scope;
- Evaluation of impacts on the organization over time, which serves as the justification for business continuity requirements (time and capability);
- Identification and confirmation of product/service delivery requirements following a disruptive incident, which then sets the prioritized timeframes for activities and resources;
- Identification and establishment of the relationships between products/services, processes, activities, and resources;
- Determination of the resources needed to perform prioritized activities;
- Understanding of the dependencies on other activities, supply chains, partners, and other interested parties;
- Determination of how up to date the information needs to be.
It is hard to argue against these items being useful information for the organization; but maybe a question needs to be asked about how essential it is that every business continuity management system includes all this information to be adequate. Is there a risk that with the BIA we tend to make the best the enemy of the good? For the organization with a highly mature business continuity function it may be appropriate to expect the BIA process to produce all these outputs; but in other organizations maybe focusing on what is pragmatically possible will make the BIA more agile and less onerous. Rather than ‘To BIA or not to BIA’ being the question, could the question for most organizations be ‘How much BIA information can we realistically generate with the resources we have?’ Does your organization have the requirement and resources to produce a BIA exemplar? Or is it more realistic to aim for something more pragmatic?
In Continuity Central’s ‘Business continuity trends and challenges 2019’ survey very few people identified the BIA itself as one of their top challenges. However, the required assistance from the business was a very clear difficulty. 48 percent of business continuity professionals identified lack of resources as their top issue. Given that this is the case, setting your BIA goals at a realistic level may be the difference between getting bogged down in a long-winded, never-ending process, and a streamlined process that delivers enough information in a realistic timescale.
The above is about BIA 1.0, its current iteration; but what about the BIA of the future, BIA 2.0? Can the BIA be reengineered to retain its useful aspects but to make it less cumbersome and burdensome for many organizations? Will emerging technologies help take the BIA to the next level? Here are some questions to encourage you to look into your crystal ball:
- Can we use Agile project management techniques to break the BIA into deliverable iterations? What would this look like in practice?
- Could vulnerability assessments effectively replace risk assessments? If a process has a vulnerability does it matter what risks cause that vulnerability to be triggered?
- Is it possible to use software dashboards to make the BIA genuinely real time?
- Could emerging technologies such as Digital Twins combined with Machine Learning take human assessment out of the BIA process in future?
- What implications does the move towards resilience have for the BIA? Do we need to include assessments of what processes need 'hardening' to minimise the risk of any downtime; and do we need to assess what processes need adapting rather than protecting?
- Can taking a maturity approach drive the BIA? Are quick wins today for organizations that are immature when it comes to business continuity better than slowly developing a comprehensive BIA and having to wait months to start to implement business continuity strategies?
- What could Chaos Engineering bring to the BIA?
- Can the risk appetite concept be adapted to set the vision for the BIA using ‘resiliency appetite’? This would provide guidance on how resilient your organization needs to be and would drive the budget provided. Could determining your resiliency appetite also determine the depth that you need to go to within the BIA?
Continuity Central welcomes your comments on the thoughts in this article as a way of starting a conversation about ‘Where next?’ for the BIA. Simply email your thoughts to firstname.lastname@example.org
David Honour is editor of Continuity Central.
Alberto Mattia, chief executive officer of PANTA RAY, gives a detailed response here