|John Bartlett CBCI, DBCI|
- Business Impact Analysis (BIA) –identifies the impacts over time that a disruption may have on individual activities and the organisation’s ability to operate and continue;
- Continuity Requirements Analysis (CRA) – resources required by the organisation to continue, restart and bring back to normal essential activities;
- BCM Risk Assessment – a threat assessment which identifies the likelihood and potential impact on specific functions from known and identified threats.
The first step in the BIA is to define how the impacts will be measured and provide guidance to describe each level in each category. This is established using an impact scale, over time, for different types of impact, such as operational, strategic, financial, legal and contractual, regulatory, reputation and market/customer. A matrix consisting of 5 levels for each impact category will normally suffice. Once drafted, this should be agreed with the BCM Sponsor.
Some organisations may already be aware of the importance of their activities. Undertaking a BIA and formalising this process will validate such assumptions; rank activity importance; identify missing assumptions and demonstrate logical reasoning behind the decisions.
The next step is to define over what periods of time to measure the impact, identify all activities and who is responsible for them. The periods of time can go from a few hours, to days, weeks and months; however, some organisations (such as financial or Oil production companies) may need to measure the impact sooner. The same impact matrix and impact time periods should be used to collect information across all activities in the organisation to ensure consistency.
The following should then be identified for each activity:
- The impact level in each impact category, for each of the time periods;
- The point in time whereby failure to perform the activity results in a product or service failure and causes irreparable damage to the organisations viability (e.g. through financial loss or reputation damage); this is known as the Maximum Tolerable Period of Disruption (or MTPD); and
- Dependencies with other activities in the organisation, or with external organisations (such as consultancies, raw material providers, distributors, etc.).
A number of different techniques are available to collect this information such as interviews, workshops, questionnaires and the use of Business Continuity software. The most appropriate technique for the organisation should be chosen. Once collected the BIA information should be documented and presented back to the individual(s) for them to verify accuracy and agreement.
Some activities may only be conducted at specific times of the year or may vary during times of the month or year, such as year-end processing, or where the production of products/services relate to particular seasons. In these circumstances, the BIA should focus on assessing the disruption and impact during the peak period, when it is most disruptive to the organisation. The secret to a good BIA is not to collect too much information, over analyse or make the process too complicated and time consuming. A balance has to be struck to gather and analyse the right level of information.
The BIA is a documented understanding at a particular point in time, therefore it is beneficial to document other key aspects for activities and functions for reference, such as description or overview of the function or activity and key metrics such as number of people, number of products produced per day, activity frequency each day, number or value of transactions, output volumes, etc. This information can then be used for other purposes, such as providing an introduction and overview for new recruits.
Summary of Analysis
Once all the BIA information has been collected (and verified), the information should be collated and presented to the BCM sponsor for verification and approval. It is not unusual for each function within an organisation to believe that their own activities are the most important; in such instances it is the role of the BCM sponsor to verify the impact information, provide a Top Management view to distinguish the most important activities and resolve any conflicts or discrepancies.
Continuity Requirements analysis
At the same time as collecting the BIA information, it often makes sense to collect information on resources used to perform the activities or functions, and minimum resources essential to continue or resume the activity, detailed across the individual time periods used in the BIA. Resources can be broken down into the same four groups defined for risks in the first article, which are people; infrastructure; information; and suppliers.
When defining information and application data requirements, it is important to define how up-to-date this must be, how much loss is acceptable because it can be recovered or re-entered, and the threshold whereby recovery becomes impossible due to the data being too old or the value being too high. This is known as the Maximum Tolerable Data Loss (MTDL).
The CRA information should be summarised, verified with the information provider and presented to the BCM sponsor for agreement. It is essential that the CRA information is realistic and practical; the quicker resources are needed and the larger the quantity, the greater the potential cost to the organisation. Therefore often a balance has to be struck between what would ideally be preferred and what can be afforded.
Management and Maintenance
It is accepted that all organisations evolve and change; therefore so do the products/services they offer, the resources they use and their people. Therefore the BIA and CRA will become ‘out of date’ as these changes take effect. Given the investment in BCM, it would be sensible (and is recognised good practice) to review the BIA and CRA at least annually, or more frequently if major business changes take place; there is significant change to business processes, location or technology; or whenever there is significant external change that affects the organisation, such as market or regulatory changes.