Consequently, we need to gainfully employ every available individual and resource in our recovery strategy. Those functions and resources that do not require immediate recovery or deployment become potential resources for those functions that do require immediate recovery. To become such potential resources means we need to know of their existence, and when they will become critical to the organization. There should be nobody at home waiting for a phone call that they can now come back to work.
Thus, the purpose of the business impact analysis is to identify the criticality of all functions and resources that are under the ownership and management of the organization as they relate to the functioning of the whole organization in support of its mission.
Second, we are often met with the response that a disruption of particular function or operation could never happen here, since it hasn’t happen to-date. The purpose of the Business Impact Analysis is not to learn the consequences of a disaster, or the likelihood of a specific interruption occurring. That is the purpose of the risk assessment. Assessing how an absence could occur or whether we are adequately prepared to address such an absence is not the subject of the business impact analysis. The purpose of the business impact analysis is to learn how the organization functions regularly on a day-to-day basis, not how it does not function in a disaster.
The goal of the business impact analysis is to learn the relative importance of each function and process as they relate to the other functions and resources in the organization. By learning the consequence on the organization resulting from the absence of a function or resource over time, we learn its relative importance to daily operations and their criticality to sustaining our mission. We can then put into place the preparations to appropriately respond to an interruption that affects any function or resource at its height of criticality to the organization. Our goal is to develop a business continuity program that can address an interruption from any event or cause at any time, and not only from specific known or identifiable causes. Thus, the business impact analysis should not be tied to a disaster scenario!
Third, if it seems like a lot of work to develop something that nobody is going to believe or act on, maybe we are not doing it correctly. We can often get caught up in the need to minimize the time to perform a business impact analysis by conducting an opinion survey or questionnaire to reach our findings. In such a survey we may ask the participants to tell us how important they are, and to tell us how quickly they need to be up and running following a disruption of their functionality. Thus, we are having the participants do our analysis for us. The result will be findings that we cannot defend because they are not based on a consistent and identifiable set of criteria. If the findings are not defendable they are not credible.
The business impact analysis data gathering can generally be simplified into five primary questions. Although, these questions will necessarily lead to subsequent questions in our pursuit of the truth:
- What do you do, why do you do it, and how does the organization measure that you have done it?
- How do you do it, and what support and resources do you depend upon to do it?
- What happens to your performance over time if you don’t have the dependent support and resources?
- Who and what depends upon you doing what you do, and why do they specifically depend upon you?
- What happens if you don’t do what you are suppose to do, when you are supposed to do it over time?
Although we may be given it without asking, we do not directly ask for an assessment of self-importance or a definable maximum time the organization can withstand a disruption of a function or process. A department cannot define its own criticality, although it can define the criticality of a resource that it depends upon to carry out its responsibilities. A department process or resource criticality is defined by the impact of its absence on the dependent mission, value or function and their importance to the organization.
Thus, we focus our questions on the consequences of non-performance. We can then compare our answers to a set of consistent criticality criteria and the unacceptable boundaries for these criteria. This allows us to apply a consistent standard to all functions and resources in the organization and achieve defendable and credible findings.
This criticality criterion consists of those measurable qualities that the organization holds in high-esteem, and attributes to the continuing success and strategic viability of the organization. For example, these may include key elements in your mission, vision and value statements, legal and regulatory factors, metrics that keep your customers, employees and vendors happy, as well as financial performance standards.
In addition to delegating the analysis to our participants, there are many other ways in which we can corrupt or develop findings that are suspect. For example, should we take into consideration that a particular function or resource has redundancy or a recovery capability in place when conducting a BIA? Absolutely Not! This is called confusing the problem with the solution and can lead to an incorrect statement of requirements!
An illustration of doing this would be to reduce or nullify the potential impact on the organization resulting from a disruption of a system dependency because your organization has a recovery capability for that system. This would understate our underlying requirement for this system, and could result in the conclusion that the recovery capability for the system is unnecessary.
Another example would be to include in our financial analysis the cost of hiring temporary employees that we would need, should we incur an interruption of a vital information system. While these expenses may be considered the current cost of system down-time, they have nothing to do with the financial impact resulting from the absence of a function or resource on the operations of our organization.
When we get into strategy design, we can then evaluate any alleged strategies in place and measure their effectiveness on satisfying a particular set of recovery requirements. To make such an evaluation valid though, we need to ensure that our BIA has established an unbiased and honest set of requirements. Thus, until then we need to focus on how the organization is supposed to operate on a good day, and not how it might operate on a bad day.
Done right the business impact analysis continues to assure us that we are defining our requirements for business continuity based on a sound business rationale. We have yet to find an alternative to the business impact analysis to learn our underlying requirements for business continuity and recovery. Usually the reason we seek an alternative is because we are not having successful results with the current way we are carrying out the project.
So, let’s not give up on the business impact analysis just yet. Instead, let’s take another look at what we ask, whom we ask, the way we ask it, and how we analyze the answers to reach our findings. Otherwise, we will risk getting GIGO (garbage in, garbage out) and we will all lose. The business impact analysis is still the most efficient and informative means of learning about your organization and it works! It needs no alternative.
Barney Pelant, BS, MBA, MBCP is internationally recognized in the field of business continuity and the business impact analysis. He is founder and manager of Barney F. Pelant & Associates, LLC (www.bfpelantassoc.com), a practice dedicated to business continuity planning and development since 1991. Pelant has more than 30 years of experience speaking to the private and public sector, training business continuity professionals, and helping organizations on three continents to develop viable business centers and business continuity programs to ensure their ongoing operations.