Why do a Business Impact Analysis?
Posted June 21, 2022 by Kevin Finch
“You can’t make an architect. But you can open the doors and windows toward the light as you see it.”Frank Lloyd Wright
If defining your business continuity program is putting down its foundation, then conducting a proper Business Impact Analysis is figuring out where to put your windows and doors. You can’t really have a useful structure without defining how things move in and out of it.
What is a Business Impact Analysis? Simply put – you look at what it is that your business needs to do, and then figure out what happens if you can’t do it. You look at the underlying Processes that comprise your business, and then look at what those Processes need to continue to operate. Some companies feel the need to enumerate all their Business Processes, and some companies only look at the most important Processes in some departments. Many companies find it helpful to purchase tools to help guide them through it all too.
“I understand that everything is connected, that all roads meet, and that all rivers flow into the same sea.”Paulo Coelho
The important thing to remember, however, is that Business Processes and Functions don’t simply operate on their own; Processes have things they depend on to function. Some Functions might need specialized equipment, some might need specific skill sets or a minimum level of staffing. Many Processes will need inputs from vendors or suppliers. Most Processes or Functions will need inputs from elsewhere in the business. In performing a Business Impact Analysis one of the key things you need to determine is how long Processes or Functions can operate if those inputs go away.
Another key thing that you need to research is the severity of impacts. Some business interruptions will have a greater impact than others, and may impact the business in different ways. Depending on the nature of your business, your company may be impacted financially, operationally, legally, or may even damage its reputation, if a business interruption occurs. Usually, it’s a combination of those types of impacts, with the severity of consequences to the business increasing over time.
“It is a capital mistake to theorize before one has data.”Sherlock Holmes, A Scandal in Bohemia
What’s the point of gathering all this data, you may ask? I know what’s important to my business, so why can’t I just focus on that?
Well, the devil is in the details. Most companies are surprised by some of the things they find when they perform a Business Impact Analysis. Often companies don’t realize how dependent they are on a particular business process or a particular vendor. Companies usually don’t have a good grasp of how much losing key Processes can cost them, and how quickly those costs can stack up. A well-run Business Impact Analysis will tell you all of that. Business Impact Analysis tools and Business Continuity Management tools can also help you collect more complete data and conduct deeper analyses of the results.
Once you have all the information, your company can determine what levels of risk you are willing to accept. You can determine your tolerance for downtime and set Recovery Time Objectives, and you can determine your tolerance for data loss and set Recovery Point Objectives. The great thing about going through and gathering data to make those decisions is that you can be sure you are making decisions based on the true impacts to the business instead of just guessing. With those recovery objectives in place, you can develop viable plans for recovering Business Processes, and you can communicate the needs of the business to your stakeholders. You are also able to initiate a gap analysis to determine if technology providers and vendors are truly able to meet the needs of the business in the event of a work interruption.
So yes, there’s a lot of work to get to that point, but the rewards to the business are great. You gain a better understanding of the way your business operates and can see the way that different parts of your Company interact with each other. You gain a better understanding of the risks that your business faces every day. But most importantly, you gain the ability to make decisions on how to face those risks and problems using hard data.
“Contact data ages like fish, not wine … it gets worse as it gets older, not better.”Gregg Thaler
There’s a caveat to that though: the data gets old after a while. Business Processes change, vendors change, staff changes over, and technology always changes. All these factors can change the risks your business faces and change the results of that carefully executed Business Impact Analysis. That’s why best practices suggest to not only reexamine your Business Impact Analysis data annually, but also revisit it whenever some fundamental change to a process comes along.
“Data really powers everything that we do.”Jeff Weiner
Conducting a Business Impact Analysis is absolutely essential to getting the most out of your company’s investment in its Business Continuity Program. Getting the right data and keeping it up to date might seem like a lot of work (especially if you’re looking at tools to help with it), but Sayers is here to help. Our Business Continuity Maturity Assessment Tool can help show you exactly where you are on the path, how well-defined your Business Continuity program really is, and where you might need a little help.