Where next for the BIA?

Published: Wednesday, 31 July 2019 07:46

By David Honour

It seems clear from Continuity Central’s recent ‘To BIA or not to BIA... revisited’ survey that the majority of business continuity professionals see the business impact analysis (BIA) as a vital aspect of the business continuity process… but is that the end of the conversation? Is the current bipolar state of the 'keep the BIA as it is' and 'ditch the BIA' discussion nuanced enough?

I would suggest that the answer to both the above questions is ‘no’.

Those sceptical of the BIA criticise the process rather than the aim. Adaptive BC states that the BIA’s main purpose is ‘to help leadership identify the most critical services and to set a prioritization for continuity planning efforts’; and does not criticise this goal, rather it believes that ‘executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization and therefore can set general direction and prioritization for preparedness planning’.  The premise is that executive leadership will know their own business well enough to provide the information that a BIA sets out to discover. Adaptive BC also points out that mission-creep has resulted in the BIA’s purpose changing, expanding, and becoming indistinct over time.

If we take the BIA back to the basics  with the help of the ISO/TS 22317 ‘Guidelines for business impact analysis’ standard we find that: 'The BIA process analyses the consequences of a disruptive incident on the organization.' The standard says its outcomes include the following:

It is hard to argue against these items being useful information for the organization; but maybe a question needs to be asked about how essential is it that every business continuity management system needs to include all this information to be adequate? Is there a risk that with the BIA we tend to make the best the enemy of the good? For the organization with a highly mature business continuity function it may be appropriate to expect the BIA process to produce all these outputs; but in other organizations maybe focusing on what is pragmatically possible will make the BIA more agile and less onerous. Rather than ‘To BIA or not to BIA’ being the question, could the question for most organizations be ‘How much BIA information can we realistically generate with the resources we have?’ Does your organization have the requirement and resources to produce a BIA exemplar? Or is it more realistic to aim for something more pragmatic?

In Continuity Central’s ‘Business continuity trends and challenges 2019’ survey very few people identified the BIA itself as one of their top challenges. However, the required assistance from the business was a very clear difficulty. 48 percent of business continuity professionals identified  lack of resources as their top issue. Given that this is the case, setting your BIA goals at a realistic level may be the difference between getting bogged down in a long-winded, never-ending process, and a streamlined process that delivers enough information in a realistic timescale.

Future BIA?

The above is about BIA 1.0, its current iteration; but what about the BIA of the future, BIA 2.0? Can the BIA be reengineered to retain its useful aspects but to make it less cumbersome and burdensome for many organizations? Will emerging technologies help take the BIA to the next level? Here are some questions to encourage you to look into your crystal ball:

Your comments?

Continuity Central welcomes your comments on the thoughts in this article as a way of starting a conversation about ‘Where next?’ for the BIA. Simply email your thoughts to editor@continuitycentral.com

The author

David Honour is editor of Continuity Central.

Reader responses

Alberto Mattia, chief executive officer of PANTA RAY, gives a detailed response here