Introduction
One of the processes within a Business Continuity Management System (BCMS) is the development of a Business Impact Analysis (BIA). I have seen several companies struggle with this process and this concept. In this article I explain the structure of one section of the BIA process: the analysis of the resources required to ensure that a product or service is delivered with the minimum impact on the business.
Business Impact Analysis
What is a Business Impact Analysis? ISO 22300 defines it as:
- the process of analysing activities and the effect that a business disruption might have upon them (ISO 22300).
The BIA process analyses the effects of a disruption on the organization. The outcome is a statement and justification of business continuity priorities and requirements.
The first step in the BIA is the prioritization of products and services, which is followed by several:
- process BIAs (optional) and
- activity BIAs.
The scope of each of these BIAs can be limited, but together they should cover the entire BCMS scope.
Organizations should review and perform the BIA process on a periodic basis (e.g. annually) and whenever there are significant changes within the organization or its context.
Understanding the BIA Process
To understand the BIA, its process, results and outcomes, it helps to map it in a step-by-step approach. The following eight steps are defined:
- Step 1: Plan your BIA
- Step 2: Agree on the approach for undertaking the BIA process
- Step 3: Determine the products and services with Top Management
- Step 4: Determine the prioritised activities
- Step 5: Determine resources and dependencies
- Step 6: Analyse and consolidate the BIA results
- Step 7: Obtain Top Management approval of BIA results
- Step 8: Review the BIA
Four steps in the resources-required analysis
Step 1: Identify resources
During the BIA process you determine the prioritized activities. For each of them you should obtain a detailed understanding of its day-to-day resource requirements, in order to identify the resources necessary to recover or maintain the activity. These include, but are not limited to:
- people.
- information and data (including vital records).
- physical infrastructure such as buildings, workplaces or other facilities and associated utilities.
- equipment (e.g., office equipment, manufacturing equipment, special tools, spare parts, and components) and consumables (e.g., raw materials).
- information and communication technology (ICT) systems (e.g., applications, cloud services, remote access).
- transportation and logistics.
- finance.
- partners and suppliers.
Step 2: Resource requirements
For the resources identified, the following information should be collected:
- quantity, i.e., the amount or number of resources needed over time. Based on the activity RTO, the activity owner can decide to restart the activity with:
- a decreased number of resources, e.g., recognizing that the activity can recommence with reduced capacity; the activity owner must then increase the number of resources over time so that the activity eventually returns to its business-as-usual quantity;
- an increased number of resources, e.g., to resolve the backlog accumulated over the period that the activity was disrupted or to respond to an anticipated spike in demand; the period after which the supplemental resources are to be released, returning the activity to its business-as-usual level, should be estimated.
- time frame(s) in which the resources need to be available.
- characteristics of the resource: the information to be gathered depends on the type of resource, e.g., for staff and contractors the minimum acceptable level of service, knowledge, skills, authority or qualifications required should be defined; for ICT resources the specification of the IT equipment.
- current location.
- maximum tolerable data loss (MTDL) for information resources; the RPO set for a resource should not exceed its MTDL.
- dependencies on other resources.
- applicable legal or regulatory requirements.
Limitations imposed on resources, e.g., by logistics, should be considered when defining requirements. During the resource requirements analysis, Single Points of Failure (SPoF) [1] can be discovered; they should be documented and reported appropriately.
Step 3: Analyse and consolidate BIA results
While analysis occurs throughout the BIA process, the organization should perform a final analysis (or consolidation of analyses). This involves reviewing validated and approved information gathered from all levels of the BIA process and drawing conclusions that lead to business continuity priorities and requirements.
You should choose the appropriate quantitative and qualitative analytical approach(es), which can be influenced by the type, size, or nature of the organization and resource and skill constraints. The approach(es) selected will also depend on the type of information gathered. Regardless of approach, you should challenge and check the information to ensure that it is:
- correct: sufficiently accurate and reliable.
- credible: reasonable and justifiable.
- consistent: comparable, clear and repeatable.
- current: up to date and available in a timely manner.
- complete: comprehensive.
The consolidation can reveal incompatible or inappropriate recovery objectives that need to be reviewed with the activity owner and resolved. In particular, an activity cannot recover before the activities it depends on have recovered, so it can be necessary to tighten the RTO of predecessor activities to ensure that successor activities can meet their set RTOs.
The results of analysing and consolidating the information are the business continuity priorities and requirements.
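The three consistency checks described above (SPoF discovery in step 2, RPO against MTDL in step 2, and predecessor RTOs against successor RTOs in step 3) can be run mechanically once the BIA data is captured in a structured form. The following is an added example, not part of the original article or of any ISO document: the activity names, resource names and all RTO/RPO/MTDL values are constructed for illustration, and the `redundant` flag is an assumed attribute meaning that an alternative (second supplier, trained deputy, standby system) is already in place.

```python
# Added example: consolidation checks over a constructed BIA data set.
# All names and hour values below are made up for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    name: str
    kind: str                           # people, information, ict, supplier, ...
    redundant: bool = False             # assumed attribute: an alternative is in place
    rpo_hours: Optional[float] = None   # recovery point objective (information resources)
    mtdl_hours: Optional[float] = None  # maximum tolerable data loss set by the activity owner


@dataclass
class Activity:
    name: str
    rto_hours: float                                     # RTO set by the activity owner
    depends_on: list = field(default_factory=list)       # predecessor activity names
    resources: list = field(default_factory=list)        # resource names required


def required_rtos(activities):
    """Tighten each predecessor's RTO to the smallest RTO of anything downstream of it.

    A successor cannot recover before its predecessors, so the RTO an activity must
    actually achieve is min(its own RTO, required RTO of every successor). Iterated to
    a fixpoint; values only ever decrease, so the loop terminates even with cycles.
    """
    required = {a.name: a.rto_hours for a in activities}
    changed = True
    while changed:
        changed = False
        for a in activities:
            for pred in a.depends_on:
                if pred not in required:
                    raise ValueError(f"{a.name} depends on unknown activity {pred}")
                if required[a.name] < required[pred]:
                    required[pred] = required[a.name]
                    changed = True
    return required


def rto_conflicts(activities):
    """Predecessors whose set RTO is looser than successors need; review with the owner."""
    required = required_rtos(activities)
    return [(a.name, a.rto_hours, required[a.name])
            for a in activities if required[a.name] < a.rto_hours]


def rpo_violations(resources):
    """Information resources whose RPO exceeds the maximum tolerable data loss."""
    return [r.name for r in resources
            if r.rpo_hours is not None and r.mtdl_hours is not None
            and r.rpo_hours > r.mtdl_hours]


def single_points_of_failure(activities, resources):
    """Non-redundant resources, each with the activities that stop if it fails."""
    by_name = {r.name: r for r in resources}
    spofs = {}
    for a in activities:
        for rname in a.resources:
            if not by_name[rname].redundant:
                spofs.setdefault(rname, []).append(a.name)
    # widest impact first, so the report leads with the most important finding
    return sorted(spofs.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def consolidate(activities, resources):
    """Run all consolidation checks and return the findings as a single dict."""
    return {
        "required_rto": required_rtos(activities),
        "rto_conflicts": rto_conflicts(activities),
        "rpo_violations": rpo_violations(resources),
        "single_points_of_failure": single_points_of_failure(activities, resources),
    }


# Constructed sample data (hypothetical organization).
SAMPLE_RESOURCES = [
    Resource("identity_provider", "ict"),                         # single IdP, no standby
    Resource("crm_db", "information", redundant=True,
             rpo_hours=4.0, mtdl_hours=1.0),                      # backed up every 4 h, owner tolerates 1 h
    Resource("erp_db", "information", redundant=True,
             rpo_hours=0.5, mtdl_hours=24.0),
    Resource("payroll_clerk", "people"),                          # one person knows the process
    Resource("card_acquirer", "supplier", redundant=True),        # second acquirer contracted
]
SAMPLE_ACTIVITIES = [
    Activity("authentication", 8.0, resources=["identity_provider"]),
    Activity("customer_portal", 2.0, depends_on=["authentication"],
             resources=["crm_db", "card_acquirer"]),
    Activity("order_fulfilment", 4.0, depends_on=["customer_portal"], resources=["erp_db"]),
    Activity("payroll", 72.0, depends_on=["authentication"],
             resources=["payroll_clerk", "erp_db"]),
]

if __name__ == "__main__":
    for key, value in consolidate(SAMPLE_ACTIVITIES, SAMPLE_RESOURCES).items():
        print(f"{key}: {value}")
```

On the sample data the propagation shows that `authentication`, set at 8 h by its owner, must in fact be recoverable within 2 h because `customer_portal` depends on it; the CRM database's 4 h backup interval breaches the owner's 1 h MTDL; and the identity provider and the sole payroll clerk are reported as single points of failure. Each finding is a conversation to have with the activity owner in step 3, not an automatic decision.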
Step 4: Obtain top management approval for BIA results
As the BIA leader, you should seek management approval of BIA results, including the prioritization of products and services, business processes (if applicable), activities and resources.
You should provide the following key BIA results to top management for their review, amendment (if necessary) and approval before moving on to the next steps:
- product and service prioritization.
- business process prioritization (if undertaken);
- activity prioritization.
- confirmation of the original, or endorsement of the modified, BIA scope.
The approval of the BIA results by top management should be documented. Some organizations choose to seek approval via a report or a presentation to top management. A presentation should be chosen if the organization would benefit from debating the BIA results before approving them or proposing an alternative conclusion. A report can be appropriate as a pre-read to a presentation, or as the primary method of seeking approval if the recommended business continuity priorities and requirements and their justification are straightforward and unlikely to require discussion.
The approved BIA results are the input for identifying and selecting business continuity strategies and solutions.
Summary
The BIA process is a critical deliverable for understanding the impacts of a disruption on the products and services of a company.
The BIA process enables the company to understand its vulnerabilities, to grow and mature its preparedness and readiness, and to plan exercises and testing activities that validate and continuously improve its business continuity arrangements.
Through these processes, enterprise risk (ISO 31000) is managed and the enterprise builds its resilience (ISO 22300).
[1] A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working. SPOFs are undesirable in any system with a goal of high availability or reliability, be it a business practice, software application, or another industrial system. (Single point of failure, Wikipedia)