Lessons learned from 15 years of conducting BIAs
- Published: Thursday, 27 August 2015 07:33
By Samuel Shanthan
After working in consultancy and industry for over 15 years, one of the initial challenges I have consistently faced is performing the business impact analysis (BIA), especially in organizations that have a low business continuity maturity level. This article seeks to capture the lessons learned from the many BIAs I have conducted, with the aim of helping other business continuity professionals who are experiencing difficulties with BIAs.
Common problems with the BIA
Difficulties that I have often come across during the BIA process include the following:
1. The business impacts are generally overstated due to:
- Lack of understanding of the BIA concept amongst participants.
- Participants fearing that they could lose their job because of the BIA results. This happens because business unit leaders misunderstand the reasons for conducting the BIA, believing that it is an assessment of the importance of their job or their ability to do their job.
- Employees taking part in BIAs skewing the results by over-stating their own and their business unit’s importance. This is caused by personal pride and staff feeling that their own business unit should take priority during disaster recovery.
- Lack of understanding of organizational priorities and focus.
The above challenges are mostly faced when the organization’s business continuity maturity level is low and staff have no prior exposure to business continuity.
To overcome or reduce these challenges the suggestions below could be used:
- Lack of understanding of the BIA concept: Conduct training programmes using a common business unit that is understood by most participants as an example. HR or Finance processes are often a good choice. The best example includes an equal mix of quantitative and qualitative impacts; however, avoid too many different impact types, as this can be confusing.
- Fear of job loss and misunderstanding that the BIA is a job role assessment: The objective of the BIA should be clearly stated at the start of the process. The aim is to identify the time criticality of the process, not the criticality of the job. Give examples such as audit, which is usually of low time criticality even though the function itself is important.
- Staff insisting that they are important and that their business unit should take priority: Acknowledge the contribution of each department and then explain why it should not be a priority business unit during disaster recovery. Document the impacts against specific criteria and make business units justify their importance against those criteria, rather than simply accepting a stated value. To reduce subjectivity it is important to have guidelines for determining the quantitative and qualitative impacts. Another approach is to compare the processes in the business unit being assessed with examples of genuinely critical processes and business units.
- Lack of understanding of organizational priorities and focus: Some business unit heads are focused on their own department and do not see the organization-wide picture or the needs of customers. Providing examples while acknowledging their contribution is a good way to deal with this problem.
2. Some business unit heads may not completely understand what a process is.
The best way to address this is to look at the organizational procedures or website of the particular business unit and go to the BIA interview or meeting with a prior understanding of the high-level processes. This will make the discussion process-focused.
3. Impacts are not captured properly and priorities are misjudged.
Often the first BIA does not go to plan and it may be a good idea to repeat the BIA at least once soon after the first attempt. After the first round there will be a much better understanding of the processes, applications and other resources; and their interdependencies. This will enable a focused discussion in the second round.
4. Interdependency may not be captured in the first round of BIA.
The best way to address this is to talk about ‘what happens next’ and ‘what happens before’.
5. Common applications and online systems such as the intranet, file storage and email can be easily missed in a BIA where ownership is not defined.
These need to be captured by asking targeted questions, or through discussion with the IT section, since no business unit will volunteer a shared service as one of its own dependencies.
6. In general, finding impact on revenue or profit is difficult unless it is a retail sales process.
Obtaining financial details and budgetary information, and analysing them before the BIA discussion, will help the business unit estimate the financial impacts, especially on revenue or profit.
7. Interpolation and extrapolation often causes difficulties.
Simplification is often necessary in this area. For example, ask for the impact at a single duration such as one day or three days, chosen according to the overall organizational criticality: if overall impacts are high, select a shorter duration such as one day; if impacts are low, choose three or five days. It is far easier for a business unit to assess what the impact would be if it shut down for two days than to estimate how the impact changes as time passes. Once the impact has been assessed for that one duration, values for other durations can be interpolated or extrapolated, whether by a mathematical formula or by judgement. However, such interpolation and extrapolation (linear or non-linear) must be realistic and must be validated by the business unit rather than imposed by the analyst.
8. Key-man dependency is sometimes used by staff as a lever to secure their own position.
The BIA should identify this as a risk, but addressing it can be challenging in small functional areas where there is genuinely nobody else to cross-train.
9. Single points of failure should be identified in the BIA using the resources that are required for a particular process.
The identification of single points of failure can be difficult and asking questions such as “What do you use for this?” or “What are your dependencies?” could be helpful. This should be followed by a risk assessment to further understand single points of failure and their hidden components.
10. The final review of the business impact analysis should have a good distribution of the priority of processes.
Although there is no fixed limit, and the number of criticality levels can vary, I have found it ideal to have four to five levels of criticality, with the top level containing no more than 25 percent of processes. Anything more than that means the top-priority processes will not be effectively restored (or exercised), because the focus is lost.
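The two points above (interpolating impacts from a single assessed duration in item 7, and checking the spread of criticality levels in item 10) can be turned into a small scoring aid. The following is an added example, not a method or tool from the article or its author: it assumes a 1 to 5 impact scale, a single anchor assessment per process that is scaled with a power-law curve (exponent 1.0 is linear), an "intolerable" impact level of 4, five tiers P1 to P5 defined by tolerable-outage bands of 2, 5, 14 and 30 days, and a constructed set of sample assessments that mirrors the payroll, audit, reporting, supplier and fraud-control discussions in this article. All of those figures are illustrative choices, not values the article prescribes.

```python
"""Added example: interpolate BIA impacts across outage durations, assign
criticality tiers, and check that the top tier is not overloaded.
All constants and sample data below are constructed for illustration."""
import math
from dataclasses import dataclass

SCALE_MAX = 5.0      # assumed impact scale 1..5
INTOLERABLE = 4.0    # assumed level at which the impact can no longer be tolerated

# Tier bands: (tier, maximum tolerable outage in days); anything longer is P5.
TIER_BANDS = [("P1", 2), ("P2", 5), ("P3", 14), ("P4", 30)]
LAST_TIER = "P5"


@dataclass(frozen=True)
class Assessment:
    process: str
    anchor_impact: float   # impact the business unit stated ...
    anchor_days: float     # ... for an outage of this many days (item 7)
    shape: float = 1.0     # 1.0 linear; <1.0 saturates early; >1.0 accelerates late


def impact_at(a: Assessment, days: float) -> float:
    """Interpolate or extrapolate the impact for any duration from the anchor,
    capped at the top of the scale. The curve must still be validated by the
    business unit; this only makes the assumption explicit and repeatable."""
    if days <= 0:
        return 0.0
    raw = a.anchor_impact * (days / a.anchor_days) ** a.shape
    return min(SCALE_MAX, raw)


def tolerable_period(a: Assessment, threshold: float = INTOLERABLE) -> float:
    """Days until the interpolated impact reaches `threshold` (inverse of impact_at)."""
    if a.anchor_impact <= 0:
        return math.inf
    return a.anchor_days * (threshold / a.anchor_impact) ** (1.0 / a.shape)


def assign_tier(days: float) -> str:
    for tier, max_days in TIER_BANDS:
        if days <= max_days:
            return tier
    return LAST_TIER


def prioritise(assessments) -> dict:
    """Map each process to a tier, most urgent first."""
    ranked = sorted(assessments, key=tolerable_period)
    return {a.process: assign_tier(tolerable_period(a)) for a in ranked}


def tier_shares(tiers: dict) -> dict:
    """Fraction of all processes falling in each tier."""
    counts = {}
    for tier in tiers.values():
        counts[tier] = counts.get(tier, 0) + 1
    return {t: n / len(tiers) for t, n in counts.items()}


def top_tier_ok(tiers: dict, top: str = "P1", limit: float = 0.25) -> bool:
    """Item 10: the top tier should hold no more than `limit` of the processes."""
    return tier_shares(tiers).get(top, 0.0) <= limit


def revise(assessments, process, anchor_impact, anchor_days, shape=1.0):
    """Return a new list with one process re-assessed after challenge."""
    return [Assessment(process, anchor_impact, anchor_days, shape) if a.process == process else a
            for a in assessments]


# Constructed sample: first-round statements from the business units.
SAMPLE = [
    Assessment("Customer payments", 5, 1),
    Assessment("Call centre", 4, 1),
    Assessment("Fraud monitoring", 3, 1),      # "we are always critical, 24x7"
    Assessment("Intranet and file storage", 2, 2),
    Assessment("Payroll", 2, 3),                # with the cash-allowance workaround
    Assessment("Supplier payments", 1, 3),
    Assessment("Board reporting", 1, 5),
    Assessment("Internal audit", 1, 10),
]

if __name__ == "__main__":
    first = prioritise(SAMPLE)
    print(first, "top tier ok:", top_tier_ok(first))
    # After challenging fraud control (12x7 until a month ago), the anchor moves out.
    second = prioritise(revise(SAMPLE, "Fraud monitoring", 3, 2))
    print(second, "top tier ok:", top_tier_ok(second))
```

In the first round three of the eight processes land in P1, which breaches the 25 percent guideline; moving the fraud-control anchor from one day to two days, as the challenge described later in this article would justify, brings the top tier down to two processes. The `shape` parameter is where a non-linear curve agreed with the business unit goes; leaving it at 1.0 is the simple linear case.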
11. It is important not to spoil the relationship with the business units as the BIA is only the first step in the business continuity process.
The support of business units is essential in a successful business continuity implementation. In some cases, if an agreement cannot be reached about prioritisation, some tactics need to be used. In one of the organizations that I worked with I found that most of the business units said that their processes were critical. So I classified the processes as Critical-Platinum, Critical-Gold and Critical-Silver and Non-critical. As far as I was concerned Critical-Platinum was the real ‘Critical’ processes whereas the Critical-Silver and Gold terms were used to please the business units. After I got the sign off for the BIA, in the next review I changed the classification names removing the Platinum, Gold and Silver. The changes were accepted with no disagreements…
12. An alternative approach is for the consultant or the head of BCM to understand the business during initial BIA discussion with the business units and to produce the BIA results, asking business to validate these in a group meeting or with the top people of the organization.
This may look contradictory to the fact that BIA should be established by the business units, but if the business units are unable to grasp it there should be someone leading the role, whilst still requesting the business to endorse it. In trying this approach I initially state the organizational objectives and what will keep the organization operational. Then I ask if the whole department goes on a holiday for a week what will happen: and this always leads to a constructive discussion!
The following are some specific BIA challenges I have experienced and how I overcame them:
- In one organization the fraud control section informed me that they have to work 24 hours and they are always critical as a fraud can occur any time and the magnitude of the fraud cannot be estimated. I challenged them by asking whether being operational 24x7 meant that they can prevent all fraud 100 percent of the time. Of course their answer was ‘No, they couldn’t.’ I followed up by pointing out that they were operational only 12x7 until a month previously and then challenging them to explain how their dependency could suddenly have increased to 24x7 in a disaster scenario.
- In many instances the HR department rates payroll as the most critical process, stating that if salaries are not paid then staff will go on strike. I suggested that, if an interruption occurs close to the salary date, a notice could be sent to staff that salaries will be paid one week late. I also suggested a workaround in which the business pays staff a cash allowance, or arranges with the payroll bank to repeat the previous month's payment. These workarounds remove the need to classify payroll as critical.
- Reporting is often claimed as a critical process when it falls on a due date. However, depending on who receives the report and how much power that recipient has over the organization, reporting can frequently be delayed and should be judged in that context. For example, board reporting can be delayed by citing the priority of serving customers, since the board exists for that purpose.
- Another challenge I faced was that the audit and compliance departments wanted to be classified as critical, stating that regulatory compliance and audit controls are important or could affect the operating licence. In reality these are usually among the last processes to resume. The only way to settle the question is to ask whether customers will be significantly impacted, or whether the organization will actually lose its licence to operate if the industry is regulated. Often, by contacting the regulators, the priority of compliance assessments during an incident can be officially reduced.
- Supplier payment is another concern. In many cases the supplier relationship is long term and hence, if the suppliers are notified about the incident, the payments can be delayed or an advance can be paid and the balance of the invoices settled later.
The new ISO/PRF TS 22317 technical specification on BIA is a good initiative to complement ISO 22301. In an organization with low maturity, however, the challenges above need to be addressed without spending too much time on the BIA, while the resulting priorities for processes and resources still need to be accurate enough to justify investing in the right business continuity setup.
If major challenges are faced, the best approach is for the consultant to understand each business unit and estimate the business impacts and complete them for each process. He or she should then call for a discussion with the top management to identify the recovery priorities.
About the author:
Samuel Shanthan has over 15 years of business continuity related experience, including in large multinationals and Fortune 500 companies. He has managed business continuity setups in Europe, Asia, Africa, the Middle East and Australia. While head of BCM he implemented and certified a bank as the second bank in the world to achieve ISO 22301 certification. Currently he works as a consultant in the public sector and runs his part-time consulting practice, Grace Risk Advisors.