Conducting a BIA (Business Impact Analysis)

Yesterday, I touched on the BCM program and cautioned about holding the IT department responsible for BCM. Let's pause for a while and zoom in on why that is the case.

One of the most important activities in the Business Continuity planning process is the Business Impact Analysis (BIA). Typically, a BIA is used to identify, qualify and quantify the exposure and impact of threats to your business. With these impacts analyzed and quantified, forming the output of the BIA, you will then be able to justify the case for a business continuity plan. In a nutshell, a BIA can be used to:

  • Determine the extent to which critical functional and operational dependencies exist within the organization and how important these functions are to the business,
  • Assess the impact of a disruption to identified critical functional areas or business operations within the organization,
  • Establish the priorities and sequence in which critical data processing applications and key business functions should be restored.

If the BIA is used to determine critical business functions, then it wouldn’t make sense to just let IT handle this on their own. It needs to involve the business units and the rest of the organization, and it needs the support of Executive Management.

How do you conduct a BIA? Well, the process entails the following steps:

  • Information discovery
    • Gather initial information about the critical business functions, support systems, processes, inter-dependencies and business applications through the use of BIA questionnaires and/or workshops
  • Verify and analyze information
    • Conduct face-to-face interviews with Business Unit BCP coordinators to verify the accuracy of the information submitted,
    • Analyze the information to determine priorities for recovery of business operations, systems and applications,
    • For each critical business function, establish a Recovery Time Objective (RTO), i.e. the time from disruption until recovery of operations,
    • For each critical business application, establish a Recovery Point Objective (RPO) for its data, i.e. the amount of data loss the business can tolerate,
    • For each critical business function, analyze, qualify and quantify the potential impact to the business of a disruption.
  • Document and Present to Management
    • Prepare the executive summary and BIA report
    • Obtain agreement and approval of the identified RTOs and RPOs.
    • Include recovery priorities supported by graphs, charts, visual aids,
    • Present findings and recommendations to the Executive Management in written and oral reports,
    • Update management on the subsequent steps in the BCM planning process

In the information discovery activity, what exactly is the information we should be collecting? Since we will need to analyze the impact of a disruption to critical business functions, we should be soliciting information about those functions. This could include:

  • Identifying what the Critical Business Functions (CBFs) of the business are.
  • Understanding what each critical business function (CBF) does.
  • Understanding whether the business function has a significant impact on cash flow or on another CBF.
  • Understanding what resources are used to carry out the CBFs: the number of staff, office equipment, machinery, facilities, IT equipment, software, etc., needed to support them.
  • Describing the timeliness of the CBF, i.e. the time frame within which the function has to be performed, during normal times as well as in a crisis. This identifies how the impact of a disruption grows over time, and the times at which the function is most vulnerable and most critical.
  • Identifying the inter-dependencies, i.e. the extent of key functional and operational dependencies within the organization.
  • Probing what alternative methods could be used to continue the business function during the recovery period, ignoring the inefficiency of those methods.
  • Understanding what the vital records for the CBFs are, i.e. developing a list of the essential documentation the CBF needs to operate, then reviewing the criticality of each vital record and whether an off-site backup is necessary.
  • Quantifying the potential loss to the organization if a CBF fails.

Next, how do we measure (qualitatively or quantitatively) the impact of disruptions to the business? There are always two sides to the measurement: on one side is the potential impact we can quantify in financial terms (dollars and cents), while on the other side is the intangible or soft impact which we can’t really quantify. Some people refer to these as Hard and Soft Impact.

  • Hard Impact
    • Quantifiable in financial value and often referred to as direct financial losses. These could be in terms of:
      • Financial losses from loss of sales, customer churn, market share, etc.
      • Reduced income from inability to continue service delivery, or billing, etc.
      • Increased cost of work, due to inefficiencies or lower productivity while operating from recovered functions.
      • Financial penalties.
  • Soft Impact
    • Qualitative or non-financial impact, i.e. no immediate financial loss or payment following a disaster. These could take the following forms (non-exhaustive):
      • Loss of goodwill
      • Loss of credibility
      • Loss stemming from a disruption of quality assurance
      • Political, corporate or personal embarrassment, and breach of law
      • Risk to personal safety
      • Loss of operational capability, e.g. in a command and control environment
      • Loss of management visibility and control
      • Loss of efficiency and customer satisfaction
      • Reduction in quality of service to customers
      • Loss of market share

Although the BIA is considered the most important activity in the BCM program and looks easy, it should not be under-estimated in effort and attention. There are often far too many challenges. Sometimes it is due to business units operating in “silos”, or to politics, or to ambiguity in clearly defining the business mission and vision. Some of the challenges to watch out for are as follows:

  • The BIA should focus on the impact to the business from a disruption, not on the root cause of the disruption. When conducting the workshop, always steer the discussion to the impact to the business and avoid debating the possible causes of the disaster.
  • Which processes are “mission critical”? Which processes contribute most to the corporate mission?
  • Regardless of what the business units tell you, not ALL business functions are critical. Always ask why the business function is considered critical: just because it is critical to one person does not mean it is critical to the business. You will need to help them prioritize.
  • Every organization is different, both in size and in context. Likewise, no two business units, users or departments in an organization are the same; they are not homogeneous. Understanding the differences helps to bridge gaps and smooth the workshop.
  • Quantifying losses: how do you quantify a loss if you have never encountered a similar type of disaster before? What is an acceptable or insignificant amount of money? What is a lot of money? Classifying a single range of losses is not possible, as each organization is of a different size and may perceive the same range or amounts differently.
  • Be specific about the time factor: how long is a “long time”? Classify what the appropriate time scale would be for a “short-term”, a “medium-term” and a “long-term” disruption.
  • Understand what the minimum operating requirements for the business function are. What are the minimum resources needed to support your critical business function, and which resources are dispensable?
  • Quantification and numbers are NOT scientific. You could build formulas or equations to quantify financial impact, but there are actually no right or wrong answers, because these numbers are merely estimated, potential losses (note the word “potential”).
  • It is important to understand that Executive Management deals in big round numbers. Do not waste time debating granularity in dollars and cents, e.g. whether it is $453,659.45 or $450,507.10; to the Executive Management, just tell them $450k.
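As an added example (not code from the original post), the small Python worksheet below ties together several of the points above: hard impact accumulating over assumed short/medium/long-term time bands, the RTO and inter-dependency information gathered in discovery, a check that no RTO is shorter than that of a function it depends on, a dependency-respecting recovery sequence, and the big round numbers Executive Management expects. The CBF names, band boundaries and dollar figures are constructed for illustration.

```python
# Constructed BIA worksheet (example only; names, bands and figures are made up).
from dataclasses import dataclass

BANDS = ((4, "short"), (24, "medium"), (float("inf"), "long"))  # assumed hour bounds per time scale

@dataclass
class CBF:
    name: str
    rto_h: float            # Recovery Time Objective: hours from disruption to recovery
    loss_per_h: dict        # direct financial loss per hour, keyed by band label
    depends_on: tuple = ()  # upstream CBFs this function cannot operate without

def hard_impact(cbf, outage_h):
    """Direct financial loss accumulated over an outage, band by band (impact over time)."""
    total, start = 0.0, 0.0
    for limit, label in BANDS:
        total += (min(outage_h, limit) - start) * cbf.loss_per_h[label]
        if outage_h <= limit:
            return total
        start = limit

def exec_round(amount):
    """Two significant figures for the executive summary ($453,659.45 -> $450k)."""
    magnitude = 10 ** (len(str(int(amount))) - 2)
    rounded = round(amount / magnitude) * magnitude
    return f"${rounded / 1000:g}k" if rounded < 1_000_000 else f"${rounded / 1_000_000:g}M"

def rto_conflicts(cbfs):
    """Flag a CBF whose RTO is shorter than that of a function it depends on: unachievable."""
    by_name = {c.name: c for c in cbfs}
    return [(c.name, d) for c in cbfs for d in c.depends_on if by_name[d].rto_h > c.rto_h]

def recovery_sequence(cbfs):
    """Restore order: dependencies first, then shortest RTO, ties broken by larger impact."""
    order = []
    while len(order) < len(cbfs):
        ready = [c for c in cbfs if c.name not in order and all(d in order for d in c.depends_on)]
        if not ready:
            raise ValueError("circular dependency among CBFs")
        nxt = min(ready, key=lambda c: (c.rto_h, -hard_impact(c, c.rto_h)))
        order.append(nxt.name)
    return order

SAMPLE = [  # constructed sample; Billing's 6h RTO is deliberately shorter than Order entry's 8h
    CBF("Core network", 4, {"short": 2000, "medium": 2000, "long": 2000}),
    CBF("Order entry", 8, {"short": 5000, "medium": 12000, "long": 30000}, ("Core network",)),
    CBF("Billing", 6, {"short": 1000, "medium": 6000, "long": 15000}, ("Core network", "Order entry")),
    CBF("Payroll", 72, {"short": 0, "medium": 500, "long": 4000}),
]
```

Running `rto_conflicts(SAMPLE)` surfaces Billing's RTO as unachievable until Order entry's is revisited, while `recovery_sequence(SAMPLE)` still yields an order that never restores a function ahead of what it depends on.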
