BCM Considerations

How often should a BIA be conducted?

Generally: Every 2-3 years unless there are significant reorganizations, divestitures or acquisitions.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

Culture and Legal/regulatory environment: Every organization is different and requirements for BIA frequency are often dictated by an organization's culture as well as its associated regulatory guidelines.

Program Maintenance: Many organizations review BIAs yearly and some even quarterly. The review is often baked into a plan review process where the process-level RTO and associated impacts are confirmed to ensure they still apply.


I have worked in IT my entire career and now have been assigned to develop business continuity plans. What do I need to consider? Help!

You've gone from the frying pan into the fire, my friend. Although IT will remain a focus in your efforts, you'll need to adopt a much broader scope of awareness. When you speak of "business continuity", that responsibility extends well beyond the boundaries of IT and technical solutions. You'll need to consider risks to facilities, personnel, processes, supply chain, basically anything that might interrupt the normal operation of your business. I would suggest you consult with some of the resources available on the DRJ website as a start. Then consider joining up with your local chapter of the Association of Contingency Planners. These two actions will help move you forward very quickly in terms of knowledge.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

Keep it simple. There are a number of sources you can find on the internet. Best place to start is https://drii.org/. Check out the “Resources” section and review the “Professional Practices”. It’s a great starting point and you can have the flexibility to evolve and mature your plans. Another great website is http://www.drj.com

~ Beth Epstein, MA, CBCP, MBCI

Welcome to the world of man vs machine. You will need to consider anything that can impact what a person does. What are the threats and vulnerabilities? Just to get you started, consider what the business processes are that are conducted by the employees, upstream and downstream dependencies, third party risks, required resources, regulatory requirements, types of scenarios, etc... the list goes on. A great place to start is the DRJ website. Reach out to the contacts listed!

~ Stacie J Herzog, CBCP, MBCI

Don't feel alone is my first piece of advice! Most BC Planners started their career working in IT in some capacity or another. My second piece of advice is to remember: IT provides the Technological Resources for the recovery. Your Business Operational Teams provide the business knowledge required to accept the recovered environment and get the business back up and running again. And finally, attend a BC Planning course, such as offered by BCI or DRII. Gaining an understanding of the Business Impact Analysis, and making sure your Business Operational Units complete a BIA is a critical step in development of a BC Plan.

~ Colleen Huber, CBCP, MBCI, CBRM
Manager, BCP & IT Development

I am new to business continuity. I work for a small company and have been assigned to develop contingency plans for the organization. We have some IT technology plans in place and that seems to be acceptable to our management. So where do I start?

Without knowing it, you just answered your own question. You’re making an assumption that the IT plans “seem” to be adequate to your management. Step one, VALIDATE that assumption. It might be a fact that your management doesn’t understand the depth and complexity of improving your organization's resilience. Meet with your management. Give credit for what has been done and identify for them the gaps in the process. Help them understand that the IT plans might not be adequate when the impact reaches beyond the walls of the Data Center.

~ Patrick Ridder, MBCP, MBCI, CHPCP ISO 22301 Lead Auditor

IT Disaster Recovery Plans would be a good start in the BCM journey. The company would require additional procedures to supplement that are business and personnel related.

  • Workflow recovery
  • Desktop recovery
  • Physical Documentation recovery
  • Crisis management and communications
  • Emergency response
  • Incident Escalation

~ Andrew Lee

Don’t just view with a technology lens. Look at the people, location and processes. Perhaps an organizational chart will be a good start, so you can build plans from that. The org chart will identify (hopefully) who does what, where, etc.

~ Beth Epstein, MA, CBCP, MBCI

Start looking at what the people do that use this technology. Identify what business processes they do, where they do them, what regulatory requirements they have, SLAs, predecessors, etc. Once you've identified these, continue looking at other areas that may not have an IT technology plan but are dependent on the business areas you started with. Eventually, take a look at the organizational chart and map it out to ensure you have identified all the business processes that are conducted for your company.

~ Stacie J Herzog, CBCP, MBCI

Once IT Recovery is complete, the Business Units will need to verify the recovered environment and "accept" the recovery. To accomplish this, Business Units document their Business Resumption Plans, or Business Recovery Plans. A good way to start this is to work with your Business Operations Staff to identify their most Critical Business Processes - these are the processes that need to be back up and running or you could sustain irreparable damage to your organization's Image, Brand or Reputation.

~ Colleen Huber, CBCP, MBCI, CBRM
Manager, BCP & IT Development
