So, I came across this quote the other day that someone was using in a presentation about the importance of conducting a Business Impact Analysis (BIA):
“A business continuity plan that is not predicated on or guided by the results of a business impact analysis (BIA) is, at best, guesswork, is incomplete, and may not function as it should during an actual recovery.”
I understand what they mean and I appreciate this message given to business continuity planners, but I would hesitate to say this in a board room. It may not be wise to suggest to the CEO and other senior executives that they do not know their business well enough to tell you what is important to them and what business processes are necessary to keep their organization solvent.
I have long been of the opinion that business continuity planners have become victims of our own methodology. I think many of us have lost sight of the whys and wherefores of what we do and have become too caught up in the whats and hows of doing things. And, I think, the BIA is a prime example of this.
Ultimately, why do we conduct a BIA?
I suggest that we perform a BIA to establish the objectives for our Business Continuity program. We gather and analyze the impacts of a business interruption in terms of financial impacts, reputational impacts, operational impacts, legal and regulatory impacts and other impacts unique to our company or industry. Armed with this measurable and intangible information, we can make an educated and informed decision about what business processes we need to continue – and, in what timeframe – to minimize our losses and keep the organization solvent following some sort of devastating business interruption event.
I like to break down the standard Business Continuity Methodology into the Strategic Planning Phases and the Tactical Planning Phases. The Strategic Planning Phases consist of the Risk Analysis, Business Impact Analysis, Recovery Requirements Analysis and Cost Benefits Analysis of viable solutions. The Strategic Planning part of the methodology helps us define “what” our business continuity plan should achieve. The Tactical Planning Phases of the methodology define “how” we achieve our objectives. This includes implementing the chosen solutions and documenting the policies, plans and procedures.
But, I don’t believe the Business Continuity Planner is always needed to define the Strategy. I think, in some instances, the “strategy” can be given to us by the CEO, board or other executive management team members.
What if the CEO told you what business processes they want to continue, in what time frames? Are you going to tell him/her that that would be creating a BCP based, at best, on guesswork?
I know that the methodologies say we MUST CONDUCT a BIA. But, I think that that requirement is a little bit tangled up. I think it is absolutely correct to say, before you can successfully implement a viable and effective business continuity plan you must establish your recovery time and recovery point objectives; you must identify and categorize your business processes in terms of criticality and importance to the sustainability of the organization and the ability to satisfy the corporate mission; you must know the dependencies and requirements that support those critical processes to ensure a complete and holistic recovery solution – but, I am not sure a BIA is always what is needed to get these “strategic” parameters.
Yes, I have been in many a situation where the leadership team was not comfortable in establishing these objectives without the support of information gathered and analyzed through an in-depth BIA. I have also seen many a business continuity planning team chastised for spending months on gathering and analyzing information, only to end up telling management teams what they already knew. And, I have seen business continuity programs fail at the time of an event because they were predicated on the findings from a BIA that were never verified and matched against management’s expectations, which were significantly different from what the information gathered suggested.
Now, I am not against BIAs. I have made a nice living by conducting many a BIA over the past 20 years, and I do believe they are valuable and necessary tools – just not in every case. I caution business continuity planners not to become so married to the methodology that you lose sight of what the objectives are for each methodology component. If the objective of a BIA is to establish the continuity and recovery objectives of your business continuity program and the executive team in your company knows and is willing to sign off on recovery and continuity objectives that are given to you – do you really need to conduct the BIA?
In any case, I don’t think I would ever suggest that a business continuity plan not based on the findings from a BIA is guesswork, especially if the guesses are coming from the Executive Management Team. I just know that if you came into my company and told me that a team of business continuity planning specialists is needed to identify what our critical processes are, I would be showing you to the front door.