Lessons learned from 15 years of conducting BIAs

Published: Thursday, 27 August 2015 07:33

By Samuel Shanthan

After working in consultancy and industry for over 15 years, one of the initial challenges I have consistently faced is performing the business impact analysis (BIA), especially in organizations that have a low business continuity maturity level. This article seeks to capture the lessons learned from the many BIAs I have conducted, with the aim of helping other business continuity professionals who are experiencing difficulties with BIAs.

Common problems with the BIA

Difficulties that I have often come across during the BIA process include the following:

1. The business impacts are generally overstated due to:

The above challenges are mostly faced when the organization’s business continuity maturity level is low and staff have no prior exposure to business continuity.

To overcome or reduce these challenges the suggestions below could be used:

2. Some business unit heads may not completely understand what a process is.

The best way to address this is to look at the organizational procedures or website of the particular business unit and go to the BIA interview or meeting with a prior understanding of the high-level processes. This will make the discussion process-focused.

3. Impacts are not captured properly and priorities are misjudged.

Often the first BIA does not go to plan and it may be a good idea to repeat the BIA at least once soon after the first attempt. After the first round there will be a much better understanding of the processes, applications and other resources; and their interdependencies. This will enable a focused discussion in the second round.

4. Interdependency may not be captured in the first round of BIA.

The best way to address this is to talk about ‘what happens next’ and ‘what happens before’.

5. Common applications and online systems such as the intranet, file storage and email can be easily missed in a BIA where ownership is not defined.

These need to be captured by asking targeted questions or through discussion with the IT section.

6. In general, finding impact on revenue or profit is difficult unless it is a retail sales process.

Having financial details and budgetary information and analysing them prior to a BIA discussion will be useful to help the business unit estimate the financial impacts, especially on revenue or profit.

7. Interpolation and extrapolation often cause difficulties.

Simplification is often necessary in this area. For example, consider impacts for one day or three days, depending on the overall organizational criticality. If overall impacts are high, select a shorter duration such as one day; if impacts are low, choose three or five days. It is easier for a business unit to assess what the impacts would be if it shut down for two days than to estimate how the impact changes over time. Once the impact for a particular duration has been assessed, interpolation and extrapolation can be done using mathematical formulae or otherwise. However, such interpolation and extrapolation (linear or non-linear) needs to be realistic and validated by the business unit.

8. Key man dependency is something used by staff as a weapon to address job security.

The BIA should identify this risk, but addressing it may well be challenging in small functional areas.

9. Single points of failure should be identified in the BIA using the resources that are required for a particular process.

The identification of single points of failure can be difficult and asking questions such as “What do you use for this?” or “What are your dependencies?” could be helpful. This should be followed by a risk assessment to further understand single points of failure and their hidden components.

10. The final review of the business impact analysis should have a good distribution of the priority of processes.

Although there is no specific limit defined, and the levels of criticality could vary, I have found it ideal to have four to five levels of criticality with the top priority level not exceeding 25 percent of processes. Anything more than that will not result in the processes being effectively restored (or exercised), as the focus will be lost.
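The two points above (assess each process at one fixed outage duration, then interpolate or extrapolate; keep the top criticality level at or below 25 percent) can be put together in a small calculation. The following is an added example, not from the article: it scales impacts assessed at different durations to a common horizon, ranks the processes, assigns four levels with the top level capped at 25 percent, and reports the share of the top level. The process names and impact figures are constructed, and the "accelerating" curve is an assumption that a business unit would still need to validate.

```python
from dataclasses import dataclass
from math import floor

@dataclass
class ProcessImpact:
    name: str
    assessed_days: int   # outage duration the business unit actually assessed
    impact: float        # estimated impact (e.g. revenue loss) at that duration

def impact_at(p: ProcessImpact, days: int, curve: str = "linear") -> float:
    """Inter-/extrapolate the single assessed point to `days`.
    'linear' scales proportionally with outage length; 'accelerating' assumes
    impact grows with the square of the outage length (constructed assumption).
    Multiplication is done before division to keep exact results on round figures."""
    if curve == "linear":
        return p.impact * days / p.assessed_days
    if curve == "accelerating":
        return p.impact * days * days / (p.assessed_days * p.assessed_days)
    raise ValueError(f"unknown curve: {curve}")

def rank_processes(processes, horizon_days: int, curve: str = "linear"):
    """Return (name, impact at the common horizon) from most to least impacted."""
    scored = [(p.name, impact_at(p, horizon_days, curve)) for p in processes]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def assign_levels(ranked, levels: int = 4, top_share: float = 0.25) -> dict:
    """Map ranked processes to criticality levels 1..levels. Level 1 receives at
    most `top_share` of all processes; the rest are split evenly over levels 2..n."""
    n = len(ranked)
    top_n = max(1, floor(n * top_share))
    per_level = -(-(n - top_n) // (levels - 1))   # ceiling division
    assignment = {}
    for i, (name, _) in enumerate(ranked):
        assignment[name] = 1 if i < top_n else 2 + (i - top_n) // per_level
    return assignment

def top_level_share(assignment: dict) -> float:
    """Fraction of processes sitting in level 1; should not exceed 0.25."""
    return sum(1 for lvl in assignment.values() if lvl == 1) / len(assignment)

# Constructed sample: eight processes assessed at one, three or five days.
SAMPLE = [
    ProcessImpact("Payments", 1, 400.0), ProcessImpact("Payroll", 3, 300.0),
    ProcessImpact("Intranet", 3, 30.0), ProcessImpact("Email", 1, 80.0),
    ProcessImpact("Procurement", 3, 90.0), ProcessImpact("Recruitment", 5, 50.0),
    ProcessImpact("Reporting", 3, 120.0), ProcessImpact("Training", 5, 10.0),
]

if __name__ == "__main__":
    ranked = rank_processes(SAMPLE, horizon_days=3)
    levels = assign_levels(ranked)
    for name, score in ranked:
        print(f"{name:12} impact@3d={score:7.1f} level={levels[name]}")
    print(f"top level share: {top_level_share(levels):.0%}")
```

Running it with the sample data puts Payments and Payroll in level 1 (25 percent of the eight processes) and pushes the low-impact Training process to level 4, which is the kind of spread the final review should show.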

11. It is important not to spoil the relationship with the business units as the BIA is only the first step in the business continuity process.

The support of business units is essential in a successful business continuity implementation. In some cases, if an agreement cannot be reached about prioritisation, some tactics need to be used. In one of the organizations that I worked with I found that most of the business units said that their processes were critical. So I classified the processes as Critical-Platinum, Critical-Gold, Critical-Silver and Non-critical. As far as I was concerned Critical-Platinum were the real ‘Critical’ processes, whereas the Critical-Silver and Gold terms were used to please the business units. After I got the sign-off for the BIA, in the next review I changed the classification names, removing the Platinum, Gold and Silver. The changes were accepted with no disagreements…

12. An alternative approach is for the consultant or the head of BCM to understand the business during the initial BIA discussion with the business units and to produce the BIA results, asking the business to validate these in a group meeting or with the top people of the organization.

This may look contradictory to the fact that the BIA should be established by the business units, but if the business units are unable to grasp it, someone should lead the role, whilst still requesting the business to endorse it. In trying this approach I initially state the organizational objectives and what will keep the organization operational. Then I ask what will happen if the whole department goes on holiday for a week: this always leads to a constructive discussion!

Overcoming challenges

The following are some specific BIA challenges I have experienced and how I overcame them:

Conclusion

The new ISO/PRF TS 22317 technical guidance standard on BIA is a good initiative to complement ISO 22301. In an organization with lower maturity, however, the challenges need to be addressed without spending too much time on the BIA, while the resulting priorities of processes and resources still need to be accurate enough to invest in the right business continuity setup.

If major challenges are faced, the best approach is for the consultant to understand each business unit and estimate the business impacts and complete them for each process. He or she should then call for a discussion with the top management to identify the recovery priorities.

About the author:

Samuel Shanthan has over 15 years of business continuity related experience, including in large multinationals and Fortune 500 companies. He has managed business continuity setups in Europe, Asia, Africa, the Middle East and Australia. While head of BCM he implemented and certified a bank as the second bank in the world to achieve ISO 22301 certification. Currently he works as a consultant in the public sector and runs his part-time consulting practice Grace Risk Advisors.