Spring World 2018

Conference & Exhibit

Attend The #1 BC/DR Event!

Fall Journal

Volume 30, Issue 3

Full Contents Now Available!

In difficult times of economic crisis, business continuity management often goes by the wayside, and I don’t think it should.

At first glance, it would seem that the survival of the company at the present time depends entirely on the skills of effective operational management. After all, the current problems require immediate action, and it happens so that we lose the broader context.

In any area of life, as in business, it is worth it to stop for a moment and look carefully at our surroundings.

The crisis of 2008 took everybody by surprise. Just a year later, the global economy was again shocked by Greece insolvency and the crisis in the Eurozone. To this must be added an unprecedented increase in the frequency of natural disasters of regional and sometimes global economic consequences. With these circumstances, it should be openly said that it is time when we need to change the approach to risk management and the role that risk management plays in tactical and strategic management.

The key issue is the correct identification of potential threats to the company survival and assessment of the corresponding risks. For this it is necessary to move away from the “expert method” -- now quite commonly used in risk analysis, which relies heavily on subjective opinions of people who often have interests conflicting with the goals of the risk management program. This method has gained immense popularity, mainly because of its convenience and relatively low effort. Unfortunately, in the face of the events of 2008 and subsequent years, it also proved that it is not particularly effective. What’s more, you may possibly begin to evaluate risks apart from probability and base assessment primarily on the impact they could have on your organization. This is a revolutionary change in the approach to estimating risk exposure. This change has an important advantage of putting in the spotlight the “black swans,” the risks of very low probability but with disastrous consequences.

Few managers are aware that there is a ready methodology for this type of analysis. It is the business impact analysis (BIA), a tool often overlooked and often used incorrectly, due to the lack of management support and often also because of the lack of the necessary expertise. BIA examines the effects of interruption of business processes, allowing companies to determine their risk appetite and define specific guidelines to prepare themselves for the worst-case scenario.

Let’s then look at the most important characteristics of the properly carried out BIA and its significance for risk management process in the organization.

1. A well-defined scope of the analysis

As the name suggests, this is a study that measures the business impact -- not the potential loss of company assets, but the impact on its operations -- including the company’s image. Therefore, BIA includes only business processes, namely those that generate products or services to the outside world (including those processes that allow regulatory compliance). All other operational processes, which provide internal services, are treated as supporting processes and excluded from the analysis.

2. Properly selected participants

BIA is not an exercise which you can delegate to any employee. The weight of decisions taken in the course of the analysis is so great that it is advisable for the process owners to personally participate in it (with the support of experts and analysts in the field). In case of doubt as to whether we correctly pointed out the process’s owner, one could use indication that the owner of the process is the one who sets the requirements and criteria for its implementation. It is not necessarily the same entity that is responsible for the operations.

3. Conducting BIA

Should be required that the BIA is conducted in the form of workshops, attended by all process owners. The level of complexity of business processes, their mutual interdependence and the areas that may be affected by the interruption is so high that the organization can not afford the risk of missing some important aspect.

4. Impact estimation

The advantage of the BIA comparing to the other methods of risk analysis is based largely on the fact that the impact of interruption is estimated with three principles in mind:

a) the analysis is performed for the worst possible scenario – the worst time of the year, the worst day, worst time of the day and the event is affecting the most important customers – it allows to estimate the maximum potential loss – crucial element in the process of strategic decision-making;

b) when estimating the impact it is important that we do not take into consideration the existing control measures and back-up solutions in order to assess the inherent risk of such an event (it allows to avoid over-optimistic assumptions, which are often the case in other risk analysis methods);

c) the potential financial and intangible impact is measured at several time intervals, which allows to pinpoint the maximum allowed interruption time.

5. Strategic decisions

The results of the BIA constitute very valuable information for the board and the basis for strategic decision-making. The results allow the board to look at the level of the risk exposure in a whole new angle. Sometimes, all of a sudden, it turns out that the processes, which often do not generate significant profits, generate very high losses. The decisions to be taken on issues such as:

a) maximum acceptable time of interruption – an important issue, given the fact that therefore we accept all the losses incurred to the process resumption;

b) minimum level of process recovery. This parameter can dramatically change the existing SLA standards and affect the terms and conditions of future contracts;

c) time at which the process must return to the normal operating mode – parameter, which is crucial for the assessment of existing and selection of new measures to prevent and minimize risk.

Decisions taken at the stage of the BIA form the basis for risk management program, particularly strategic risk management. Criteria set and based on the BIA results are well founded and also financially and precise enough to be used for conducting credible analysis, aimed at identifying hazards that could lead to the interruption of critical operations (including the infamous “black swans”).

It is worth it to reach for the BIA experts or to train risk officers in this methodology. Thanks to that, organization will obtain valuable knowledge about the potential threats to its existence and let you prepare in advance. The idea of staying unaware in the coming period of disruptive and potentially catastrophic political, social, economic, and commercial change is simply unthinkable.

Renata Davidson works in the business continuity management area since 1998. She was the first professional in Central and Eastern Europe to be certified by Disaster Recovery Institute International. During the course of her career she led tens of projects for “Blue Chip” companies in Poland, in all sectors of the economy. She is the founder and CEO of Davidson Consulting LLP, a partnership of experts specializing in business continuity, operational risk management, and process management.