In a Business Continuity Management (BCM) Program, there are specific professional practices that must be adhered to. The Disaster Recovery Institute (DRI) outlines first steps as Business Continuity Management (BCM) Program Initiation and Risk Assessment, with the third being the Business Impact Analysis (BIA). This practice is outlined by the following tasks:
- Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
- Assess the resources required to support the business impact analysis process.
- Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.
Naturally, in order to outline the steps for recovery in a crisis, an organization must first know what is at risk and what the risks are. Only then can it identify the required recovery actions.
In our recent blog, “Challenges with the BCM Program, Once it is Implemented”, we identified the changes that can occur in an organization that make it difficult for a business to maintain a BCM Program. These include staff turnover, organizational changes, new services and new technologies.
It all starts with a Business Impact Analysis
The Business Impact Analysis (BIA) is likely where these changes would present problems. Establishing the criteria and methodology to be used in conducting the BIA is important and consistency is key. A change in personnel, services or technologies could easily affect the data being measured. Changes that occur during the data collection process can disrupt the collection process and lead to inaccurate results. The data collected in a BIA is needed to determine the organization’s recovery time objectives and recovery point objectives, which must be precise and accurate.
Even with accurate data collection methods, the BIA process can still run into issues if there is a high turnover of staff. The problem is twofold, because the BIA requires the individual input of key stakeholders as well as a clear outline of all employee roles. If one of the key employees changes roles, someone else must be able to provide the same information in a timely manner. If any other employee changes roles, the effect of this change on all organizational functions must also be taken into consideration. A change in the role of one employee is not catastrophic on its own, but organizations with high employee turnover will experience constant small setbacks during the BIA process.
Evaluating Risks and Impacts are key for a successful Business Continuity Planning
These factors are both internal to the organization, but there are also external factors that must be taken into consideration. A BIA must also examine these external factors in order to be fully accurate. Some of the factors that need to be considered are how quickly customers will learn that a problem exists, the likelihood that they will take their business elsewhere, how concerned they will be about existing agreements and impacts to committed service levels, the impact to the customer’s supply chain and whether there were any injuries or deaths as a result of the event. It is important to have a consistent and measurable way to assess and monitor the reputational impact of negative media attention, negative social media commentary, negative community perception, and changes in shareholder confidence. These external factors must be considered in the BIA, because they will have an effect on recovery objectives and plans. Customer retention and loyalty are important outcomes of a successful BCM Program. However, since these factors are external, it is difficult to measure and predict them accurately. Additionally, external factors are prone to more unpredictable change than internal ones, which further complicated the Business Impact Analysis Process.
The findings of a Business Impact Analysis are used to make critical decisions, which is why the accuracy of information contained in the BIA is so important. The data collection process must ensure consistency, reliability and measurability for all possible impacts. Therefore, an organization facing constant changes will likely experience many challenges during the process.
Some of our recent articles: