John Bartlett CBCI, DBCI
- Business Impact Analysis (BIA) – identifies the impacts over time that a disruption may have on individual activities and the organisation’s ability to operate and continue;
- Continuity Requirements Analysis (CRA) – resources required by the organisation to continue, restart and bring back to normal essential activities;
- BCM Risk Assessment – a threat assessment which identifies the likelihood and potential impact on specific functions from known and identified threats.
The first step in the BIA is to define how the impacts will be measured and provide guidance to describe each level in each category. This is established using an impact scale, over time, for different types of impact, such as operational, strategic, financial, legal and contractual, regulatory, reputation and market/customer. A matrix consisting of 5 levels for each impact category will normally suffice. Once drafted, this should be agreed with the BCM Sponsor.
Some organisations may already be aware of the importance
of their activities. Undertaking a BIA and formalising this process will validate
such assumptions; rank activity importance; identify missing assumptions and
demonstrate logical reasoning behind the decisions.
The next step is to define over what periods of
time to measure the impact, identify all activities and who is responsible for
them. The periods of time can go from a few hours, to days, weeks and months;
however, some organisations (such as financial or oil production companies) may
need to measure the impact sooner. The same impact matrix and impact time
periods should be used to collect information across all activities in the
organisation to ensure consistency.
The following should then be identified for each
activity:
- The impact level in each impact category, for each of the time periods;
- The point in time whereby failure to perform the activity results in a product or service failure and causes irreparable damage to the organisation’s viability (e.g. through financial loss or reputation damage); this is known as the Maximum Tolerable Period of Disruption (or MTPD); and
- Dependencies with other activities in the organisation, or with external organisations (such as consultancies, raw material providers, distributors, etc.).
A number of different techniques are available to
collect this information such as interviews, workshops, questionnaires and the
use of Business Continuity software. The most appropriate technique for the
organisation should be chosen. Once collected, the BIA information should be
documented and presented back to the individual(s) for them to verify its accuracy
and confirm their agreement.
Some activities may only be conducted at specific times
of the year or may vary during times of the month or year, such as year-end
processing, or where the production of products/services relate to particular
seasons. In these circumstances, the BIA should focus on assessing the
disruption and impact during the peak period, when it is most disruptive to the
organisation. The secret to a good BIA is not to collect too much information,
over-analyse or make the process too complicated and time-consuming. A balance
has to be struck to gather and analyse the right level of information.
The BIA is a documented understanding at a
particular point in time, therefore it is beneficial to document other key
aspects for activities and functions for reference, such as description or overview
of the function or activity and key metrics such as number of people, number of
products produced per day, activity frequency each day, number or value of
transactions, output volumes, etc. This information can then be used for other
purposes, such as providing an introduction and overview for new recruits.
Summary of Analysis
Once all the BIA information has been collected (and
verified), the information should be collated and presented to the BCM sponsor for
verification and approval. It is not unusual for each function within an
organisation to believe that their own activities are the most important; in
such instances it is the role of the BCM sponsor to verify the impact
information, provide a Top Management view to distinguish the most important
activities and resolve any conflicts or discrepancies.
Continuity Requirements Analysis
At the same time as collecting the BIA information,
it often makes sense to collect information on resources used to perform the activities
or functions, and minimum resources essential to continue or resume the
activity, detailed across the individual time periods used in the BIA.
Resources can be broken down into the same four groups defined for risks in the
first article, which are people; infrastructure; information; and
suppliers.
When defining information and application data requirements, it is
important to define how up-to-date this must be, how much loss is acceptable
because it can be recovered or re-entered, and the threshold whereby recovery
becomes impossible due to the data being too old or the value being too high.
This is known as the Maximum Tolerable Data Loss (MTDL).
The CRA information should be summarised, verified
with the information provider and presented to the BCM sponsor for agreement. It
is essential that the CRA information is realistic and practical; the quicker
resources are needed and the larger the quantity, the greater the potential
cost to the organisation. A balance therefore often has to be struck between
what would ideally be preferred and what can be afforded.
Management and Maintenance
It is accepted that all organisations evolve and
change, and so do the products/services they offer, the resources they
use and their people. The BIA and CRA will therefore become ‘out of date’ as these
changes take effect. Given the investment in BCM, it would be sensible (and is
recognised good practice) to review the BIA and CRA at least annually, or more
frequently if major business changes take place; if there is significant change to
business processes, location or technology; or whenever there is significant
external change that affects the organisation, such as market or regulatory
changes.