Okay, in answering the question posed in the title of this blog, I am ready to commit heresy. I have lost this argument with many an auditor and probably won’t convince too many of you reading this, but I suggest that there are some situations where you do not need to perform a formal Business Impact Analysis (BIA). Did I just lose your respect?
First, let’s look at what the BIA does for us. Quite obviously, it measures the impact on the organization should a business process cease to function, for whatever reason. Okay, why do we need to know that? We want to know the impacts on the organization so we can identify those business processes that have the most severe impact (or impacts that exceed a pre-defined pain threshold) to include in our business continuity program. The BIA also helps us establish Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) (although I think the RPOs really come later in the process, but that will be the topic of a future blog article).
So, the BIA provides the statistical and intellectual support for our Critical Business Processes and associated recovery objectives – great. But, what if those are given to us?
I have witnessed on more than one occasion, after a long, in-depth BIA, the findings being presented to the Executive Committee only to have them respond, in so many words, “I don’t care what your BIA says, what we need to do is recover these processes in this timeframe.”
Even worse than that, I have personally been involved in assisting a business in its recovery efforts following the World Trade Center bombing in 1993, which occurred on a Friday afternoon, where the CEO said, “I don’t care what we planned for; we will be back in full operation with 100% of our workforce in place by Monday morning.” The Business Continuity Manager lamented that that was not what they had planned for, as their BIA indicated they could survive with 25% of their workforce supporting about 50% of their business processes. Needless to say, a mad scramble to meet management’s expectation was now underway. We had a fun weekend – NOT.
Like I said, I have had arguments with auditors who insist that they need to see evidence of a formal BIA, and I could not get them to see the waste of time when the Executive Team has already established the program recovery objectives.
Now, on most occasions, when I go into an organization and explain that their business continuity program should ensure that their mission-critical business processes are recovered in a timeframe that keeps losses from exceeding an acceptable level and jeopardizing the solvency of the organization, I am asked how we define those. And, of course, the answer is to conduct a BIA.
But, in those situations where I am told, “Create a program that allows us to recover these very specific business processes within x hours,” I ask you again: Is a Business Impact Analysis Needed?