Don’t Be Afraid of the Big, Bad, BIA (Business Impact Analysis)
Posted November 15, 2023 by Kevin Finch
I have talked at length in previous posts about the importance of Business Continuity in general, and also the importance of performing a Business Impact Analysis in developing program maturity. I’d like to talk about something a little bit different today and I’d like to address the trepidation a lot of program managers feel and taking that first step and starting their BIA.
“Nothing in life is to be feared, it is only to be understood.”Marie Curie
The Cost of a BIA
We all know why you want to do a BIA. You want to gain understanding of the critical processes that make up your business, and you want to be able to place value on those processes if they cannot be performed. If you can’t do something that’s important to your business, you not only want to know that it will cost you- you want to know how much it will cost you and “how” it will cost you whether it’s in operational throughput, financial penalties, or reputation. Ideally, you will also have some idea what the most likely causes of business interruption are going to be by the end of the BIA. You want to have that data in front of you when you go talk to other areas of your business so you can better prioritize recovery efforts during an incident.
Doing a BIA is a lot of work. In order to gain that understanding of critical processes, you need to figure out what those critical processes really are. If you want to understand the value of those processes, you need to look at them holistically in relation to each other and their impact to the business as a whole. If you want to understand financial penalties, reputational impacts, and reductions in productivity from a process going away, you have to be able to define those parameters. If you want to use your BIA data to prioritize recovery efforts during an incident, you have to have as much BIA information across the entire enterprise as possible. This helps you identify which business processes need to be prioritized over others during a recovery effort.
“Don’t let the fear of striking out hold you back.”Babe Ruth
I think the best way to overcome their trepidation you may feel in starting a BIA is to simply write out a workable project plan. If you breakdown your BIA into manageable steps, like gathering information and engaging stakeholders and documenting business processes at a departmental level, it’s easier to draw out the scope of the overall project. A short session with an experienced Business Continuity professional, an experienced project manager and someone that truly knows your business, and you could probably have a timeline sketched out for the entire project in just a couple of hours. Once you have that project timeline and scope defined, then it’s a lot easier to start breaking things down into smaller pieces and assigning those pieces to the expertise of individual departments for data collection and analysis.
Another point that’s worth addressing: delegating responsibilities. Performing a proper BIA for a large enterprise is not something that’s completed in weeks. It’s something that’s completed over the course of years if there’s only one person working on it. If you want to make meaningful progress on any BIA effort, it’s going to take the cooperation and assistance of every single department in the company. However, with the support of upper management and the assistance of individual departments, it ends up being fairly light work for each department. A well-organized questionnaire and a few short meetings would probably handle most of the data gathering for an individual department. Then the role of your Business Continuity professional would be more along the lines of an analyst tabulating the data, rather than a secretary chasing down people in dozens of departments to get their input.
“One of the greatest discoveries a man makes, one of his great surprises, is to find he can do what he was afraid he couldn’t do.”Henry Ford
The Unexpected Benefits of a BIA
Your business can look forward to benefits it would never expect with completing a BIA. Inevitably analyzing your business and evaluating all of its processes against a standard will change the way you look at it. You will notice things that you hadn’t noticed before because no one had ever thought to shine a light on aspects of the way your company does its daily work and makes money.
Here are two examples from places I have worked and overseen the BIA process:
1. When I was managing the Business Continuity program at a Fortune 100 financial services company several years ago, we realized that every single one of these offices were completely dependent upon it’s Internet connectivity to do business. While that might seem like an obvious thing, their reliance on the Internet was so ubiquitous that it had gone unnoticed until we started looking at all of their business processes in the aggregate. After I brought this up to the CIO, the company decided to go through and reinforce their Internet connectivity to all of their branch offices through multiple links and multiple Internet providers. A couple of years later when there was a widespread outage from a major telecom provider, my company was one of the few in the industry that was virtually unaffected. They would never have taken steps to prepare for an outage like that if they had not completed a BIA.
2. When I was performing a BIA in my role with a major international manufacturer, we came to realize that certain long-standing assumptions about the capabilities of alternate suppliers were actually invalid. We came to realize that should an actual incident occur, the alternate suppliers would not be able to meet our needs for either volume or quality. As a result, when we created new Business Continuity plans based on that BIA data, we did our research and found appropriate suppliers to meet the needs of the business during an incident. When an actual incident did happen that impacted production, the company was better able to respond in a timely manner and saved several million dollars over the course of the next few months.
“I am ready to face any challenges that might be foolish enough to face me.”Dwight Schrute, “The Office”
So, don’t be scared of the big bad BIA. It’s a lot of work, but with a thoughtful project plan and judicious delegation, that work can be subdivided and well organized. Your company will be able to reap the benefits of having solid BIA data to help move your business resilience program forward. Are you ready to start having those conversations, or just want some help figuring out how to take the first step? Sayers is here to help. Our staff has decades of Business Continuity experience to bring to bear on your project, and we have tools and technologies that can help mature your program faster