A response to ‘Where next for the BIA?’
- Published: Friday, 09 August 2019 13:05
Alberto Mattia, chief executive officer of PANTA RAY, gives a detailed response to Continuity Central’s recent article discussing what the future direction of the business impact analysis could be.
First of all, in the interest of an open and transparent exchange of thoughts, I must say I disagree with a couple of premises in your article:
1. I do not really believe there is a bipolar state between practitioners saying 'keep the BIA as it is' and others that propose to 'ditch the BIA'. Whether it is true that a small group of people is questioning the BIA, we must recognize that business continuity management has progressed significantly over the years and it will continue evolving to keep up with an ever changing world. BIA makes no exception. In fact, the ISO/TC 292 commission has already started working on the review and update of ISO/TS 22317:2015.
2. Those sceptical of the BIA do criticise the aim of the BIA. In fact – and I am quoting their ‘Manifesto’ – they think ‘the discipline should eliminate the BIA because the proper sequence to restore services at time of disaster will depend on the exact nature of the post-disaster situation, a situation that cannot be predicted ahead of time’. This in itself is a clear demonstration that they are not even familiar with the core (basic) principles of modern business continuity methodology. I will not explain further, because I have already written a lot about it here and here.
Then, I believe the BCI Good Practice Guidelines have already addressed successfully the issue related to the difficulties in collecting all the information a business continuity manager ideally needs through a BIA process by stating the following: ‘Not having this information should not stop the BIA being undertaken but could affect the accuracy of the end results and therefore should be noted in the conclusions’. What is more pragmatic than this?
According to my experience as a consultant, the BIA is definitely one of the steps of the BCM lifecycle that generates more concerns to business continuity managers. It requires experienced practitioners and pro-active collaboration from the business to be performed effectively. Under this perspective, thorough embedding of business continuity principles across different levels of the organization is fundamental and this is something we should focus on more and more.
Speaking of the future of the BIA, which is still an under-researched topic, please allow me to mention that PANTA RAY has recently issued a report on the role of the BIA (here) with the contribution of Gloria Bakakunda, Sarah Armstrong-Smith, Jean Rowe, Saul Midler and Scott Baldwin, who are industry thought-leaders working in different regions. Our aim was not only to provide tips and suggestions to industry professionals by tapping into the experience of well-established practitioners, but also to foster the debate around this topic. More reports will follow.
As far as your questions are concerned, here are my thoughts (in no particular order):
- Technology and BCM software in particular are already helping in reengineering the BIA process to make it easier and quicker, without dropping any information or methodological step behind.
- There is no competition between ‘Agile project management techniques’ and business continuity management as proposed by industry standards and best practices. And a BIA can be performed effectively also in smaller businesses.
- Risk assessment is still a fundamental element of any business continuity management system, and I do not expect this will change in the near future. I have discussed about this here.
- Machine learning can definitely be useful, but human assessment will always have a role in the BIA.
- The continuity requirements analysis, which is part of the BIA at activities level, and risk and threat assessment support the organizations in moving towards organizational resilience. I do not see moving towards resilience as a threat to the existence of the BIA.
- A BIA taking ‘months’ (or even years, as I read sometimes) is pure fantasy, when the analysis is implemented according to common sense and in compliance with international standards and best practices.
In conclusion, I believe that there is definitely room for improvements in how we deal with the BIA. Still, I also think it is more a social media / web trend than a practitioners’ industry concern to spend so much time in questioning the ‘BIA as it is’, rather than understanding what a BIA truly is and entails. Experts have worked hard for years to develop guidelines and standards the community can refer to, and these have proven to be very effective so far.
Thanks for the great work Continuity Central is doing.