This entry was posted on Thursday, June 10th, 2010 at 15:59 and is filed under Main. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
You have probably wondered why you have to perform business impact analysis (BIA) once you already did the risk assessment. You identified all the risks, didn’t you? Spent quite a lot of time analyzing your company, why then yet another analysis?
Well, the purpose of BIA is different. In business continuity everything is about time – it doesn’t matter if you can recover your business activities if it isn’t achieved in reasonable time. “Reasonable” is what the BIA has to determine – its main purpose is to find out what the recovery time objective is for each critical activity within an organization.
This kind of analysis is often taken lightly – first, the company is usually not aware that wrong results could incur unnecessary expenses or create an inadequate business continuity strategy, but also the effort needed to perform BIA is underestimated.
Therefore, here are some tips that will make your business impact analysis more effective:
Treat it as a (mini) project. Define the person responsible for its implementation and his or her authority; define the scope, objectives, and time frame.
Do your homework, prepare a good questionnaire. A well structured questionnaire will save you quite a lot of time, and will make the results more accurate. BS 25999-1 and BS 25999-2 standards will give you a fairly good idea about what it must contain – among other things, you have to identify impacts resulting from disruptions and determine how these vary over time, identify the resources needed for recovery etc. It is a good practice to use both qualitative and quantitative questions to identify impacts.
Define clear criteria. If your interviewees have to answer questions by assigning values for instance from 1 to 5, be sure to explain exactly what each of these five marks means. It is not uncommon that the same event is evaluated as catastrophic by the lower-level employees, while top management assesses its impact as moderate.
Collect data through human interaction. The best results are achieved when someone skilled in business continuity performs an interview with the person responsible for a critical activity. That way a lot of unresolved questions are cleared, and well-balanced answers are achieved. If interviews are not feasible, do at least one workshop with all the participants so they can ask everything that is troubling them. In other words, don’t just send them the questionnaires and scold them if they didn’t send them back in time.
Determine the recovery time objectives only after you have identified all the interdependences. For instance, through the questionnaire you might conclude that for critical activity “A” the maximum tolerable period of disruption is 2 days; however, the maximum tolerable period of disruption for critical activity “B” is 1 day and it cannot recover without the help of critical activity A. This means that the recovery time objective for “A” will be 1 day instead of 2 days.
In my experience, the results of BIA are often unexpected – usually the recovery time objective is longer than it was initially thought, and BIA reveals dependencies on some resources that are actually a single point of failure. But the best thing of all, business impact analysis is the most effective way to get people thinking about the unexpected – by creating such awareness, you increase the chances of your company’s survival.
You can also check out our webinar BS 25999-2 Foundations Part 1: Business Impact Analysis (commercially sold training).