What are the most vital functions at your place of work that the BIA will address?
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered. Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:
The point in time when a business function or process is disrupted can have a significant bearing on the loss sustained. A store damaged in the weeks prior to the holiday shopping season may lose a substantial amount of its yearly sales. A power outage lasting a few minutes would be a minor inconvenience for most businesses but one lasting for hours could result in significant business losses. A short duration disruption of production may be overcome by shipping finished goods from a warehouse but disruption of a product in high demand could have a significant impact.
Use a BIA questionnaire to survey managers and others within the business. Survey those with detailed knowledge of how the business manufactures its products or provides its services. Ask them to identify the potential impacts if the business function or process that they are responsible for is interrupted. The BIA should also identify the critical business processes and resources needed for the business to continue to function at different levels.
The BIA report should document the potential impacts resulting from disruption of business functions and processes. Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies. The BIA report should prioritize the order of events for restoration of the business. Business processes with the greatest operational and financial impacts should be restored first.
Next steps:
Business Continuity Plan and Information Technology Disaster Recovery Plan
What is a Business Impact Analysis?
A Business Impact Analysis (BIA) is a method for analyzing how disruptions may impact an organization. The analysis considers the timescales of a disruption, as well as its intensity, and looks at the resulting impacts on important products and services; and the processes and activities that support these. The BIA is an ongoing process, with analyses taking place periodically or when a significant change is made within the organization. The outcomes of BIAs are:
What is the purpose of a Business Impact Analysis?
Many organizations struggle to understand why a BIA is so important. However, when you think about business continuity as a long-term process, the BIA is the requirements gathering portion of the process. Just like a project manager wouldn’t start executing a project without clear requirements, the same is true for business continuity: a BIA should deliver clear requirements. Specifically, the business impact analysis:
Provides Confirmation of Business Continuity Program Scope
The BIA identifies the business activities and resources necessary to deliver the organization’s most important products and services. By understanding how the organization delivers its products and services, the BIA process may uncover activities or resources that were not originally in the program’s scope. Also, by understanding activity and resource impacts associated with disruption, the organization can identify which activities and resources need to be performed, regardless of circumstance, which may have an impact on the program’s scope.
Identifies Legal, Regulatory, and Contractual Obligations
Many organizations do not have a clear, unified understanding of obligations. In fact, it is very rare to see any entity within an organization that has a full grasp of what is required during a disruption, and what the implications are if the organization cannot meet those obligations. The BIA enables the organization to create a thorough understanding of these obligations and to enable the appropriate level of business continuity planning to achieve compliance.
Provides Clarity on Business Continuity Strategy Spend
One of the most valuable aspects of the BIA is the estimation of impacts tied to downtime.
Understanding financial, reputational, contractual, legal/regulatory, operational, and other impacts enables the organization to develop the business case, with appropriate justification, to select, implement, and maintain business continuity strategies. With proper justification, the organization is set up to identify and implement appropriate capabilities needed to meet recovery objectives – resulting in the appropriate spend.
Captures Preliminary Plan Content
The BIA process can be used to begin the data collection effort for business continuity plans. When performing the BIA, the organization can begin to collect business continuity plan content, such as existing controls and recovery strategies, team and staffing requirements, internal and external contact information, and other resource-specific information required for the business continuity plan. Once this information is collected, the organization can begin to populate the business continuity plan and present a starting point to those charged with creating and maintaining the plans (as opposed to starting with a blank template).
Implications of Not Performing a BIA
When organizations choose not to perform a BIA, some of the most common problems that affect the performance of the business continuity program include:
Business Impact Analysis and Risk Assessment
The BIA and risk assessment are often talked about at the same time, and that’s because many business continuity programs perform them together (or in close coordination). Here are the key distinctions between a BIA and a risk assessment:
So, the how-to instructions below will give you a way to complete both a BIA and risk assessment together!
How to Conduct a Business Impact Analysis?
At Castellan, we have refined our processes and tools for performing BIAs over many years. We have established an effective process for executing the BIA that results in the delivery of clear, approved business continuity requirements. Additionally, our process allows us to obtain the information necessary to assess an organization’s business continuity-related risks, identify and implement response and recovery strategies, document meaningful plans, and provide assurances to key stakeholders. Our process follows five key steps.
Step 1: Scope the Business Impact Analysis
The first step in performing a successful BIA is to ensure that the right business activities and resources are in-scope. Castellan does this by completing what we call the Frame meeting. During this meeting, we work with businesses to address the following four questions:
The Frame meeting does several things for a business continuity program. Specifically, it aligns leadership on program objectives, determines the right program participants, and allows for tailored governance documentation. The most important output of this meeting, however, is identifying the in-scope products and services for an organization’s business continuity program. Identifying products and services allows the organization to focus the business continuity program on maintaining operations that support the most important aspects of the business during a disruption. Once products and services are identified as in-scope, required departments (or business functions, depending on your organization’s nomenclature) and the subordinate activities should be identified for inclusion in the BIA process. A BIA should consider all departments that complete activities needed to deliver products and services to stakeholders, consistent with expectations. To learn more about how to scope a business continuity program with executives, download our free executive support amplifier.
Step 2: Schedule Business Impact Analysis Interviews
After identifying in-scope departments and activities, schedule a one-hour meeting with each department’s leadership as well as any required subject matter experts. Include a meeting invite informing them of the purpose of the business impact analysis, meeting objectives, and required preparation. Of note, it is important that meeting participants represent the department at the right level. Participants should have:
Step 3: Execute BIA and Risk Assessment Interviews
Interviews should determine the activities the department performs that support the delivery of in-scope products and services. For each identified activity, it is important to capture the steps necessary to complete the activity, peak operation times, downtime impacts (i.e. reputational, contractual, operational), and the dependencies that are required to perform each activity. The following dependency types should be documented:
It is important that, for each dependency, a description of its use, manual workarounds or alternate suppliers (as appropriate and if known), and recovery time and recovery point objectives (if applicable) are captured. In addition, conduct the risk assessment by assigning a 1-10 value for the likelihood of loss and impact of loss for each dependency. Once all data is collected, these numbers can be multiplied together to provide a risk rating for every dependency. In addition to dependencies, it is important to understand if the department has experienced any event that has prevented it from completing operations in the past. These are higher risk events that merit strong planning.
Step 4: Document and Approve Each Department-Level BIA Report
Following each department-level meeting, a documented report with the results of the meeting should be completed (Castellan recommends using business continuity software to increase the efficiency of your program; its value proposition includes automation of analysis as well as functionality to enable future updates). These reports should contain all pertinent information that was captured during the interview, as well as recommendations based on the information collected. A great example is recommendations regarding recovery time objectives based on the impacts estimated. After the report is drafted, distribute it to the meeting participants. The meeting participants will review the document, make any necessary edits or changes, and approve the report. Each department-level report is a “puzzle piece” necessary to establish organization-wide business continuity requirements for management’s review and endorsement.
Step 5: Complete a BIA and Risk Assessment Summary
After all department-level meetings and reports have been completed and approved, it is time to complete an organization-wide BIA and risk assessment summary to enable management’s review and approval.
The purpose of this presentation (we prefer presentations as they are a more effective form of engagement) is to provide an overview of the key activities, resource requirements, and risks identified during the department-level meetings. Additionally, this report is used as an opportunity to make risk treatment-related recommendations related to key risks that were identified. After coordinating the department-level BIA conclusions, the BIA and risk assessment results and recommendations should be presented to leadership (typically, the Business Continuity Steering Committee). While presenting to leadership, a focus should be placed on:
These recommendations should be prioritized for leadership by focusing on achieving the right level of resilience (based on the guidance provided during the Frame meeting) and the development of strategies to address the loss of necessary activities and resources.
What are the common challenges with a BIA?
The BIA is Too Time-Consuming
Root Cause: You’re conducting your business impact analysis manually.
For many organizations, the BIA becomes a laborious effort and conflicts with other priorities. For many BIA processes, the organization must dedicate hours upon hours to the BIA data gathering and reporting effort, often based on the need to complete long and complicated surveys. Castellan’s unique data gathering approach uses an organization’s time efficiently, as we engage with the organization through data gathering interviews (typically lasting 60 minutes) and produce a summary report that can be validated quickly. Castellan can also pair our consulting approach with our business continuity software tool, to better leverage information gathering and to automate parts of the analysis effort. Once Castellan compiles information using the tool, it is easy to update information in future BIA refreshes.
Inaccurate or Unrealistic Recovery Time Objectives
Root Cause: Recovery time objectives are assigned without adequate business justification.
An important BIA output is establishing business continuity requirements, which means activity and resource recovery priorities, objectives, and targets (which includes, but is not limited to, recovery time objectives and recovery point objectives). Establishing recovery objectives helps to identify the most time-sensitive business activities and resources, which leads to an appropriate order of recovery.
However, organizations often assign RTOs without adequate business justification, such as by asking leadership representatives and SMEs their subjective opinion based on a limited understanding of their department’s capabilities or priorities, undermining conclusions and recommendations. To ensure accurate and realistic activity and resource-specific RTOs, business continuity practitioners should confirm that:
The BIA Doesn’t Evolve as the Organization Evolves
Root Cause: You aren’t conducting your business impact analysis frequently enough.
A BIA isn’t a “once and done” analysis – it must be updated as the organization changes. At Castellan, we leverage our business continuity software platform to put the BIA into a format that is continually accessible and makes the BIA a living process. In addition, we work with our clients to make the BIA part of the organization’s change management and onboarding processes where needed, so that business continuity requirements evolve over time based on evolving needs, priorities and expectations. Finally, we work with our clients to implement good program management techniques that make the BIA process repeatable and pragmatic.
BIA Data is Too Overwhelming to Analyze
Root Cause: Incorrect BIA scoping – you’re trying to boil the ocean.
A key BIA objective is to gather data to answer two primary questions: (1) what business activities are necessary to perform business operations and meet organizational objectives and external obligations (e.g., customer, regulatory), and (2) how quickly do business activities and supporting resources need to be available before the disruption creates unacceptable impacts for the organization or its customers, and to what performance level? For simplicity, many business continuity practitioners choose to use organizational charts or facility lists to determine BIA scope. While it may seem logical to use these resources, practitioners may find that using this method results in too much data that is often difficult to analyze. The most efficient scoping method is to identify the key organizational products and services (organizational outputs or offerings) and then interview or collect data from the departments that perform business activities delivering – or supporting the delivery of – these products and services.
This method helps focus the BIA process’ scope and ensures that BIA participants only provide relevant data that supports critical business activities, making data analysis more straightforward.
BIA Data is Useless or Irrelevant
Root Causes: 1. Incorrectly identified BIA participants and 2. Ineffective data gathering methods.
1. Incorrectly Identified BIA Participants
When identifying BIA participants, it is important to identify internal subject matter experts (SME) that can both understand the department’s role in the delivery of products and services, as well as speak to specific day-to-day departmental activities and supporting resources. Organizations that choose to only interview high-level executives may find that these individuals cannot speak to resource dependencies. Similarly, lower-level support staff usually do not have high-level organizational insight and cannot provide information regarding internal organizational dependencies and impacts, nor can they speak to how the department contributes to organizational priorities. To avoid these issues, organizations should consider the following questions when choosing BIA participants:
2. Ineffective Data Gathering Methods
Instead, Castellan recommends using data gathering interviews or a hybrid approach (where interviews and questionnaires are both used) to deliver actionable results in a time-efficient manner. In addition to following the recommended interview approach, organizations should ensure that BIA facilitators, or those who will be collecting BIA data and driving analysis and reporting efforts, are capable and knowledgeable in the organization and the BIA process (together with an understanding of the BIA outcomes). A knowledgeable BIA facilitator should not only be able to ask the right questions and capture data but should also understand when to go “off the script” to guide discussion and draw indirect information from the SMEs.
Disengaged Executives
Root Cause: Business continuity practitioners do not effectively engage top management throughout the BIA process.
Top management involvement is essential in driving preparedness and program improvement, providing business continuity strategic direction, and sponsoring organizational changes in ways the business continuity team cannot. Without engaging and building top management business continuity awareness, business continuity practitioners may find that top management is disengaged, resulting in lost opportunity and poor business continuity program performance. Specific to the BIA process, top management has a role in endorsing the BIA scope and the final BIA results. Business continuity practitioners should include leadership representatives, often a Business Continuity Steering Committee, during the BIA scoping process, particularly to confirm:
Once the BIA is complete, practitioners should develop a BIA summary presentation for top management review and approval. Through the summary presentation, top management should be able to understand:
To ensure top management engagement, practitioners should avoid:
Frequently Asked Questions
How often do you perform a business impact analysis?
Castellan recommends, based on industry standards, updating and performing a business impact analysis on an annual basis (more or less frequent based on organizational change). Some organizations determine that a semi-annual refresh should be completed. In general, this determination should be made based on the speed at which your organization is changing and evolving. If an organization experiences significant changes often (i.e. the scope of each department, leadership, strategic initiatives, dependency shifts), it may be beneficial to conduct a BIA refresh on a more frequent basis than if an organization remains largely stagnant in terms of departments, activities, risks, and dependencies.
Who should be involved in the business impact analysis?
Different individuals and groups are required during different steps of the BIA process. First, the Business Continuity Steering Committee, Program Sponsor, and Program Manager should work collectively to determine the in-scope departments for the business impact analysis. For individual interviews, Castellan recommends having an interviewer and note taker during the BIA data gathering meeting. The interviewer will conduct the interview and the note taker will scribe. This method is a fast and accurate way to complete a department report. Additionally, department leaders and subject matter experts should be present for each interview. Lastly, the BIA and risk assessment summary report should be presented to the Business Continuity Steering Committee (typically, by the Program Manager).
Should I use a BIA Survey?
Castellan believes that an interview-based BIA data gathering approach is the most effective engagement technique because the conclusions are more accurate and complete. It is extremely difficult to design a survey that captures the nuances inside and between various departments. Additionally, surveys do not provide the context, depth, or additional information that may be required to accurately analyze the risks faced by a department. You should go and talk to departments.
What is in a business impact analysis report?
A department-level business impact analysis report summarizes the activities performed by the department, the estimated impacts associated with downtime, resource and organizational dependencies needed for each activity and business continuity requirements. Individual department-level reports are used to create an organization-wide Business Impact Analysis and Risk Summary presentation that documents recovery times, organizational risks, and risk mitigation recommendations.
How do I start a business impact analysis?
The first step in completing a business impact analysis is scoping. In-scope departments for a business impact analysis should focus on operations that support the delivery of in-scope products and services. We have an entire guide available to get your program started, called the executive support amplifier.
Do I need software for a business impact analysis?
Yes and no. Small programs may find it possible to manage a business continuity program/business impact analysis without software (by small, we’re talking about organizations with fewer than 10 or 15 departments and fewer than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort. For larger organizations, software is essential as the automation alone can replace the costs associated with one or more FTEs.
For example, software allows a program manager to eliminate the need to manually follow up with department owners or establish a critical path of activities and resources to deliver a specific product or service. Software can also recommend recovery objectives based on automated interdependency analysis. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Castellan Business Continuity Software.
Why is the business impact analysis important?
The business impact analysis is used to identify time sensitive activities and resources, the estimated impacts associated with a disruption, and dependencies for activities that relate to an organization’s in-scope products and services. This information is used to determine key risks and response/recovery capability gaps. Additionally, BIA outcomes help determine response and recovery strategies.
What are some functions that would be identified in the BIA?
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include: Lost sales and income. Delayed sales or income.
What does the BIA focus on?
The BIA process focuses on the effects or consequences of an interruption to critical business functions and attempts to quantify the financial and nonfinancial costs associated with the disaster. The BIA identifies and analyzes the parts of the organization that are most crucial.
What are the three key outputs of the BIA process?
The BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs).
What are two objectives of a BIA?
The objectives of a BIA are to: Determine the criticality of individual business functions in the organization. Determine the impact of a disruption on CBFs, e.g. financial and non-financial losses.