What’s More Important?
- Published on Friday, October 22, 2010
- Written by GREIG FENNELL, FBCI
There has been a lot of discussion around the importance of conducting a business impact analysis (BIA) and a risk assessment (RA). Which is more important? Which should be done first? What I have learned over the years is they are both important and it doesn’t matter which gets done first, as long as they both get done! Both are necessary as they set the foundation and influence future proactive and reactive business continuity planning within the company.
What people need to understand is that the BIA and RA evaluate two completely different data sets. The BIA evaluates the impact of not doing a particular business process over time and measures the quantitative and qualitative impacts of not doing the process. The RA evaluates the risks that could impact the location, the magnitude of the impact, and the relative probability of occurrence. These are two different sets of information, but when combined they can tell a very insightful story about how quickly a disruption can impact a business, where the impact will be most severe, how quickly that impact will occur, and to what order of magnitude.
Some BCM professionals like to use the RA data when conducting the business impact analysis, but I don’t! I tell the business group the process is not available, you have no access to the data or the location, and whatever contingencies you have in place … they are not available either! Now, understanding all of that, we can begin to determine how long the company can go without completing the business process and determine how quickly the quantitative and qualitative impacts begin to occur and their order of magnitude. I also explain to the business group that we will later use the information from the RA to determine how the identified risks may influence future planning efforts, and we will overlay any existing contingency plans with what we learned from the BIA to see if there are any gaps that may need to be considered in future planning efforts. The reason for not initially using the RA data or considering current contingency plans is that this information is not material in determining the time sensitivity of the business process. The time sensitivity of the business process is what it is, regardless of the identified risks. It does not matter if the area is prone to earthquakes, volcanoes, hurricanes, fires or floods. The time sensitivity of the business process is the same.
Where the RA becomes important is in determining the level of proactive or reactive planning that may need to be done to assure the business process can be resumed prior to the company reaching a critical point by not performing the process. If the RA identifies the area is prone to earthquakes or hurricanes, then the level of planning may be quite different than if the area is prone to an occasional snow storm.
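As an added illustration (not from the article), the following Python model keeps the two data sets separate the way the author describes: the BIA ranking depends only on each process's time sensitivity, and the RA is overlaid afterwards to see which scenarios outlast that tolerance and where the planning effort belongs. Process names, hours, probabilities and loss figures are constructed sample values, not the company's data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BiaEntry:
    """One BIA result: time sensitivity of a process, independent of any threat."""
    process: str
    critical_after_hours: float  # hours of non-performance before the impact becomes critical
    loss_per_hour: float         # quantitative impact per hour the process is not performed

@dataclass(frozen=True)
class RaScenario:
    """One RA result: a risk to the location, its likelihood and its magnitude."""
    name: str
    annual_probability: float    # relative probability of occurrence
    outage_hours: float          # expected length of the disruption (magnitude)

# Constructed sample data for illustration only; not figures from the article.
BIA = [
    BiaEntry("payments", critical_after_hours=4, loss_per_hour=50_000),
    BiaEntry("payroll", critical_after_hours=72, loss_per_hour=2_000),
    BiaEntry("reporting", critical_after_hours=240, loss_per_hour=300),
]
RA = [
    RaScenario("earthquake", annual_probability=0.05, outage_hours=336),
    RaScenario("snow storm", annual_probability=0.5, outage_hours=8),
]

def bia_priority(bia):
    """Order processes by time sensitivity alone; the RA plays no part here."""
    return [e.process for e in sorted(bia, key=lambda e: e.critical_after_hours)]

def planning_needs(bia, ra):
    """Overlay the RA on the BIA: for each process, list the scenarios whose
    disruption lasts longer than the process can be left undone. Those are the
    scenarios the proactive/reactive planning for that process must cover."""
    return {e.process: [s.name for s in ra if s.outage_hours > e.critical_after_hours]
            for e in bia}

def annualised_loss(bia, ra):
    """Probability x magnitude x hourly impact for each (scenario, process) pair,
    to show which combinations carry the largest order of magnitude."""
    return {(s.name, e.process): s.annual_probability * s.outage_hours * e.loss_per_hour
            for s in ra for e in bia}

if __name__ == "__main__":
    print("BIA order (RA not consulted):", bia_priority(BIA))
    for proc, scenarios in planning_needs(BIA, RA).items():
        print(f"{proc}: plan for {scenarios or 'no RA scenario'}")
    for key, loss in sorted(annualised_loss(BIA, RA).items()):
        print(key, f"{loss:,.0f}")
```

Reordering or changing the RA list leaves bia_priority untouched, which is the author's point that time sensitivity is what it is regardless of the identified risks.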
When I worked for a company in San Francisco we conducted a number of BIAs to identify and prioritize business processes, some of which were very time sensitive and if not available could have significant impacts to the company in a very short period of time. Whether the company was in San Francisco or another city, the time sensitivity of the processes would be the same.
The RA identified that San Francisco is prone to earthquakes (duh), which influenced our decision to develop an out-of-area business resumption strategy. The company’s data center was also located in San Francisco near Fisherman’s Wharf, with a warm site DR contract in place with an out-of-state vendor. Since San Francisco is earthquake country, we wanted to learn more about the structural integrity of the buildings where people worked and the building where the data center was located.
After conducting a structural RA of the buildings the company learned that the building where the data center was located had a high probability of collapse. The outcome of the RA along with this new information influenced management’s decision to move the data center out of state so the company did not have to deal with the recovery of the data center and resumption of critical business processes at the same time.
Here was a case where the RA influenced the type of proactive and reactive planning that needed to be done to assure continuity of the more time-sensitive business processes. If the company had not been located in an area prone to earthquakes, there may not have been a need to move the data center.
This is why it is important to conduct both a BIA and an RA. The data from each analysis is unique, but when combined it can effectively influence risk-intelligent decision-making ... and it does not matter which gets done first. As long as they both get done!
Greig Fennell, FBCI is president of Weakest Link, a risk assessment and business continuity management consulting company, and has about 20 years’ experience in conducting risk assessments and business impact analyses, and in developing plans and exercises associated with business continuity, incident management, and crisis communications. He has worked for and consulted for companies to build or enhance business continuity management programs. Fennell can be reached at firstname.lastname@example.org or by calling (913) 219-2611.