Robin Bucknall MA, MSc reviews various approaches to the business impact analysis, assessing whether it is still fit for purpose, and suggesting how the BIA process could be simplified and refocused to make it more useable.
For predominantly professional service businesses, the ubiquity of laptop computers, advances in video conferencing software and cloud-based applications mean that the majority of office-based functions can be replicated or accessed anywhere in the world. In addition, companies’ recent experience of protracted remote working during the COVID-19 pandemic suggests this will become the immediate default response in the event of an adverse circumstance impacting a business. Therefore, busy senior management may conclude that little further ‘box ticking’ analysis in the form of a business impact analysis (BIA) is necessary. As blunt an assessment as this is, there is of course an element of truth in it, but does this mean the days of the business impact analysis are over? It also raises the question of whether this applies to all sectors in all circumstances.
In his article ‘What next for the BIA?’, David Honour, the editor of Continuity Central, asked: “Can the BIA be reengineered to retain its useful aspects but to make it less cumbersome and burdensome for many organizations?” (1). This article proposes that simplification of the process and a refocus on what is critical present a way forward.
Is the BIA obsolete?
Among the more vociferous critics of the BIA is Dr David Lindstedt (2), who argues that attempting to quantify the level of impact is extremely complex, requires a disproportionate level of effort and is almost impossible to do with any degree of accuracy. Therefore, the cost is not justified by the output (3). These criticisms of the utility of the BIA in its current form are not without merit. If a BIA is to be relevant, it needs to be periodically reviewed and revalidated, with the underpinning assumptions tested and key criteria and data updated. The more detailed the demands of the process are, the greater the management and staff overheads/costs become.
The BIA still has utility, but needs simplification and clarification
The Business Continuity Institute’s Good Practice Guidelines 2018 (GPG) overview of the BIA process (4) provides a perfectly logical and methodical way to conduct an analysis. However, the GPG devotes thirteen pages to discussing BIAs in detail, suggesting that each step flows into the next forming a hierarchy of analysis from the strategic to the operational. The GPG sub-divides the BIA into four separate but interrelated BIAs, but also proposes that not all four BIAs need to be conducted. This apparent contradiction is further confused by statements such as: "organisations that are less process driven may decide to skip the Process BIA and more directly onto the Activity BIA" and “the Process BIA will build on the results of the Product & Service BIA” (5).
Dr Robert Heath (6) advocates that “the basic process of a BIA is to get each section in each department in each division of the organisation to clearly define their critical [my emphasis] operations.” Graham and Kaye (7) take this idea of criticality one stage further: “the objective of the BIA is to tease out potential for incidents that could totally destroy [my emphasis] the organisation”. They go on: “Business continuity managers [need] to understand the critical dependencies of the organisation and ensure these dependencies are managed so that they are available during and after a crisis.”
Given this focus on criticality and what could have such an impact as to ‘destroy’ the organization, it is instructive that both ISO 22301 and the 2019 GPG have steered away from such a strong definition. Instead of ‘critical’ or ‘mission critical’ descriptors, the GPG 2018’s recommendation is to focus on ‘prioritised activities’ (8). Language matters and words have meaning. If we use loose language, then it is perhaps not surprising that the purpose and the output of the BIA become disputed. This is an area that should be revisited in the 2023 revised version of the GPG.
One of the justifications for the GPG 2018’s different BIAs is that a single BIA can become too complex and unwieldy for large organizations to manage: an entirely reasonable concern. However, addressing this by sub-dividing into four different BIAs risks further complicating matters as there is no obvious focal point for integrating the conclusions of the different BIAs or mechanism for elevating what is critical to top management. If the purpose of a BIA is to determine what will threaten the continued longevity of a business or threaten bankruptcy, then it could be argued that only a Strategic BIA is necessary: everything else would be refined in the Design Stage of the business continuity lifecycle. This though does not complete the full picture, as issues that may threaten the existence of the organization may not originate at the strategic level and therefore some form of structured holistic analysis of the whole organization is still needed.
In the 2013 version of the GPG, BIAs were described as Strategic, Tactical and Operational. These levels were then correlated with Product & Service, Process and Activity analysis. This incomplete leap of logic was addressed in the 2018 GPG, and the Strategic, Tactical and Operational BIAs were replaced with Initial, Product & Service, Process and Activity BIAs. However, the 2013 GPG was on to something. All organizations tend toward some form of hierarchy. Most will have top management (strategic), middle management (tactical) and those making or doing things (operational). It would make more sense to have one BIA process, with a series of analytical steps which can be conducted to a level of detail appropriate for the needs of the organization. For instance, Step 1 would be an analysis of products and services to arrive at what must be preserved and at what level for the organization to survive. Step 2 thus becomes an analysis of critical supporting processes and Step 3 the analysis of critical supporting activities. This is consistent with the approach advocated in ISO 22317: Figure 3 (9), the GPG Initial BIA and Timothé Graziani’s recommendation that “to identify the business continuity strategies, we need the following inputs: a list of all services in our organization; mapping process for each service and the resource requirements for each service (IT, people, location, data, third parties)” (10).
Whilst the pandemic has been a very useful experience in highlighting existential threats to senior management, the uniqueness of COVID-19 and our responses to it cannot be seen as a panacea for all potential crises. There remains a requirement for all businesses to conduct a disciplined, objective analysis of where value is derived and how best to assure its continued function, irrespective of the nature or cause of the disruption.
This provides a timely and apposite opportunity to refocus the BIA around what is critical to the continued survival of an organization and simplify it into one process of deductive logic that can be adapted to the needs of all organizations.
Robin Bucknall MA, MSc, is Senior Consultant, Needhams 1834 Ltd.
(1) David Honour, https://www.continuitycentral.com/index.php/news/business-continuity-news/4259-where-next-for-the-bia, accessed 14 Dec 21.
(2) David Lindstedt, https://www.adaptivebcp.org/manifesto.html, accessed 1 October 21.
(3) Of note, ISO 22301 and GPG 2019 do not offer any guidance on how to calculate impact; they only advocate that it should be done.
(4) Business Continuity Institute, Good Practice Guidelines (Business Continuity Institute, 2018) pp40.
(5) Ibid pp46.
(6) Robert Heath, Crisis Management for Managers and Executives (FT Pitman Publishing, 1998), pp55.
(7) Julia Graham and David Kaye, A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance (Rothstein Associates, 2006), pp93.
(8) Business Continuity Institute, Good Practice Guidelines (Business Continuity Institute, 2008) pp39.
(9) ISO, Societal security – Business continuity management systems – Business impact analysis (ISO, 2014). para 136-150.
(10) Timothé Graziani, ‘No More BIA,’ Continuity Central.Com, 01 August 2017, https://www.continuitycentral.com/index.php/news/business-continuity-news/2197-no-more-bia, accessed 01 October 2021.