ISO 27001/BS 25999 documents, presentation decks and implementation guidelines



Five Tips for Successful Business Impact Analysis

By Dejan Kosutic on June 10, 2010

You have probably wondered why you have to perform business impact analysis (BIA) once you have already done the risk assessment. You identified all the risks, didn’t you? You spent quite a lot of time analyzing your company, so why yet another analysis?

Well, the purpose of BIA is different. In business continuity everything is about time – it doesn’t matter if you can recover your business activities if it isn’t achieved in reasonable time. “Reasonable” is what the BIA has to determine – its main purpose is to find out what the recovery time objective is for each critical activity within an organization.

This kind of analysis is often taken lightly. The company is usually not aware that wrong results could incur unnecessary expenses or lead to an inadequate business continuity strategy, and the effort needed to perform BIA is underestimated.

Therefore, here are some tips that will make your business impact analysis more effective:

Treat it as a (mini) project. Define the person responsible for its implementation and his or her authority; define the scope, objectives, and time frame.

Do your homework: prepare a good questionnaire. A well-structured questionnaire will save you quite a lot of time, and will make the results more accurate. The BS 25999-1 and BS 25999-2 standards will give you a fairly good idea about what it must contain – among other things, you have to identify impacts resulting from disruptions and determine how these vary over time, identify the resources needed for recovery, etc. It is good practice to use both qualitative and quantitative questions to identify impacts.

Define clear criteria. If your interviewees have to answer questions by assigning values for instance from 1 to 5, be sure to explain exactly what each of these five marks means. It is not uncommon that the same event is evaluated as catastrophic by the lower-level employees, while top management assesses its impact as moderate.

Collect data through human interaction. The best results are achieved when someone skilled in business continuity performs an interview with the person responsible for a critical activity. That way a lot of unresolved questions are cleared, and well-balanced answers are achieved. If interviews are not feasible, do at least one workshop with all the participants so they can ask everything that is troubling them. In other words, don’t just send them the questionnaires and scold them if they didn’t send them back in time.

Determine the recovery time objectives only after you have identified all the interdependencies. For instance, through the questionnaire you might conclude that for critical activity “A” the maximum tolerable period of disruption is 2 days; however, the maximum tolerable period of disruption for critical activity “B” is 1 day and it cannot recover without the help of critical activity “A”. This means that the recovery time objective for “A” will be 1 day instead of 2 days.
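The interdependency rule from the last tip can be applied mechanically once the questionnaire answers are collected. The sketch below is an added example, not part of the original post: it generalizes the A/B case to chains of dependencies, and it assumes, as the post does, that a prerequisite simply inherits the tightest deadline of the activities waiting on it. The function names and the activities “C” and “D” are constructed for illustration.

```python
from collections import defaultdict

def effective_rto(mtpd_days, depends_on):
    """Tighten each activity's RTO to the strictest deadline among the
    activities that cannot recover without it (directly or via a chain).

    mtpd_days:  {activity: maximum tolerable period of disruption, in days}
    depends_on: {activity: [activities that must be recovered first]}
    """
    # Invert the map: for every prerequisite, which activities wait on it?
    waiting_on = defaultdict(set)
    for activity, prereqs in depends_on.items():
        for name in (activity, *prereqs):
            if name not in mtpd_days:
                raise KeyError(f"no MTPD recorded for activity {name!r}")
        for prereq in prereqs:
            waiting_on[prereq].add(activity)

    rto = dict(mtpd_days)  # starting point: RTO equals the activity's own MTPD
    changed = True
    # Values only ever decrease and come from a finite set, so the loop
    # terminates even if the questionnaire reveals circular dependencies.
    while changed:
        changed = False
        for prereq, users in waiting_on.items():
            tightest = min(rto[u] for u in users)
            if tightest < rto[prereq]:
                rto[prereq] = tightest
                changed = True
    return rto

def tightened(mtpd_days, rto):
    """Activities whose RTO ended up shorter than their own MTPD."""
    return {a: (mtpd_days[a], rto[a]) for a in mtpd_days if rto[a] < mtpd_days[a]}

# Constructed sample data: A and B are the post's example, C and D are added.
SAMPLE_MTPD = {"A": 2, "B": 1, "C": 0.5, "D": 5}
SAMPLE_DEPENDS_ON = {"B": ["A"], "C": ["B"]}

if __name__ == "__main__":
    result = effective_rto(SAMPLE_MTPD, SAMPLE_DEPENDS_ON)
    for name, (before, after) in tightened(SAMPLE_MTPD, result).items():
        print(f"{name}: MTPD {before} d -> RTO {after} d")
```

Activities that appear in the `tightened` output are the ones whose interview answers alone would have produced an RTO that is too long.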

In my experience, the results of BIA are often unexpected – usually the recovery time objective is longer than it was initially thought, and BIA reveals dependencies on some resources that are actually a single point of failure. But the best thing of all, business impact analysis is the most effective way to get people thinking about the unexpected – by creating such awareness, you increase the chances of your company’s survival.

You can also check out our webinar BS 25999-2 Foundations Part 1: Business Impact Analysis (commercially sold training).


How to write business continuity plans?

By Dejan Kosutic on April 08, 2010

If you started implementing business continuity management, probably the biggest challenge you are facing is writing the business continuity plans.

Why is it so difficult? Well, you have to think of various scenarios under which a disaster (or other kind of disruption of business activities) can occur, and you have to think of a way to handle such exceptionally rare but potentially catastrophic incidents.

People who write such plans usually struggle with what the plan should contain (what the main elements are), how long (how detailed) it should be, what steps to include, etc.

One of the best solutions to all these dilemmas is using the BS 25999-2 standard, which together with BS 25999-1 defines a framework for how the plans should be written.

According to those standards, the business continuity plans should consist of (1) incident response plan, and (2) recovery plans. An incident response plan is usually a single plan written for the whole organization, and describes what has to be done immediately after a disaster occurs – reducing the effects of the incident, communicating to emergency services, evacuating the building, gathering at assembly points, organizing transport to alternative locations etc.

Recovery plans are usually written separately for each critical activity, and the steps to be included in the recovery plans are usually the following: when and how to communicate with various stakeholders (employees and their families, shareholders, customers, partners, government bodies, public media etc.), how to assemble the team, how to recover the infrastructure, how to check whether the applications are functioning and whether the access rights are appropriate, how to check which data is missing or has been corrupted by the disaster, how to recover the data, and how to decide when the recovery is completed so that normal operations can begin.

Disaster recovery plans (the recovery plans of ICT infrastructure) are the ones to be written with great care because they should describe how to set each system running within the recovery time objective of a particular critical activity. This is usually done by writing a detailed recovery plan for each system to be recovered.

The rule of thumb is that the level of detail in all these plans should be such that other employees (or external staff) are able to execute the plan if the people working with that critical activity are not available. Therefore, use common sense when writing the plans – they should be understandable to anyone, not just you.

In my experience, the biggest challenge when writing these plans is that employees have to face something completely different, something they never had to think about. To overcome such a problem it is best to organize a workshop where, with or without a moderator, they could share their views about what would happen if… , how to react when…, etc.

The truth is, the mere fact that your employees have started thinking about business continuity is 50% of the job done – with such an approach, the results of business continuity planning will be much better.

You can also check out our webinar BS 25999-2 Foundations Part 3: Business Continuity Planning (commercially sold training).


Can business continuity strategy save your money?

By Dejan Kosutic on March 15, 2010

Are you thinking about implementing business continuity management or the BS 25999-2 standard, but have heard that it will cost you a lot? It probably will cost you, but not necessarily as much as you thought – you can address this with a good business continuity strategy.

Business continuity strategy, as defined in the BS 25999-2 standard, is an “approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption”. Therefore, the point is to prepare yourself in the best possible manner to counteract a disaster should one occur. This preparation can include organizational measures (drawing up plans, making contracts with suppliers/partners, exercising, reviewing, awareness raising, etc.), and measures including investment in equipment, infrastructure, etc.

Time is a very important factor in recovery – if you do not recover your business in time, you will probably lose your customers and consequently lose your business as well. So the business continuity strategy must set the recovery time objective (RTO) for each of your critical activities, and the RTO can be different for each of them.

One important consideration: the shorter the RTO, the bigger the investment you will need – for instance, if you want to recover your data centre in less than one hour, you will have to invest in almost the same equipment at an alternative location as at the primary location; on the other hand, if you want to recover your data centre in two weeks, the investment will be much lower because it would be enough to store the backup tapes at the alternative location, allowing you two weeks to obtain the necessary equipment. All this means that your RTO must not be too long, but not too short either.

Once the RTO is set, you will still need to make some investment; however, with a good business continuity strategy you will be able to decrease that investment, while still being able to recover your critical activities within the recovery time objective. Here are some examples:

  • you might not need your own data centre at an alternative location – in most countries you can rent such a location from a specialized company, which means you don’t need to invest in infrastructure, maybe not even in equipment or software,
  • you might not need offices at an alternative location – employees who do not have to meet customers face-to-face can work from their homes,
  • you might not need an alternative location at all if you have other business units at different locations which could take over the critical activities affected by the disaster,
  • you might not need to purchase equipment in advance if you can find a supplier that can guarantee the delivery of equipment within your RTO,
  • etc.

In all these examples you will need to increase your organizational capabilities, but if you want to save some money, it sure is something worth thinking about.

You can also check out our webinar BS 25999-2 Foundations Part 2: Business Continuity Strategy (commercially sold training).