The Business Impact Analysis (BIA) – Tips, Ideas and Observations
This information is extracted from Chapter 52 of my new book (happily now Amazon’s #1 searched business continuity book), The Ultimate Business Continuity Success Guide: How to Build Real-World Resilience and Unleash Exciting New Value Streams.
I hope you enjoy the chapter and my book.
Business Continuity Business Impact Analysis
The Business Impact Analysis (BIA) will empower you to clearly understand which processes are time-sensitive (critical) to your organization’s ongoing success based on several factors. You will be able to accurately gauge when each process needs to be up-and-running and the impact to your organization if it is not available when the business requires it.
The BIA also provides information that can provide value beyond core business continuity. It can help generate revenue and identify cost reduction opportunities. I discuss many of those throughout the book.
In this chapter I describe the BIA process and interject my techniques, ideas and tips that I have cultivated over the years. You do not have to use them all. Pick, choose, customize and improve the ones you find valuable and interesting.
Tip – I do my initial BIA before doing the Risk Assessment (RA). Some people do the RA and then the BIA. Some very experienced professionals believe it is only about impact and they choose not to do a Risk Assessment at all. I discuss each of these options and my preferences in the Risk Assessment chapter, which follows this one.
The BIA data will provide valuable insight, some of which might well be new to your organization:
- Financial, operational, regulatory and legal impacts on the organization if a process is not available due to a disruptive event
- Which processes are most time-sensitive (critical)?
- What is the most logical order of process recovery?
- Upstream and downstream dependencies
Tip – Prepare for process owner BIA meetings and be ready to collect both qualitative and quantitative data. Both types will be very valuable to you as you move forward. In part one of the book we discussed in detail tips and techniques to get the most out of process owner meetings.
Qualitative data is non-numerical. It is a messier type of data than quantitative. It is more subjective and cannot be precisely measured but can provide important information. For example, you may ask a process owner, ‘Are you confident your employees are aware of what to do and not do when the fire alarms sound?’ The response may be ‘Not too confident at all. There is room for improvement.’
It can also be observations you make during a conversation. For example, if you ask the process owner about employee morale and he or she rolls their eyes and shakes their head in a negative manner, it is an important indicator that there is a need for improvement.
Quantitative data is more precise numerical data. For example: ‘How many sub-processes do you have?’, ‘How much is a fine for late payment?’, ‘How many regular employees do you have in your process?’ Each of these questions can be answered with a number.
Tip – Process based inter-dependencies upstream and downstream are important. Be sure to include all processes and the end-to-end supply chain as part of the analysis. There could be single points of failure lurking a few levels upstream that could cause peril to your organization if not identified and considered during recovery.
Many companies run lean-and-mean operations. They use just-in-time inventory which makes any breakdown in the supply chain especially disastrous. For instance, the impact from the Fukushima tsunami and power plant meltdown caused Toyota to tumble from the number 1 automaker to number 4, in part because of impacts on their supply chain (parts and paint became issues). Toyota is a model of efficiency so this surprised me. They did eventually regain the number 1 position by analyzing and acting on ‘lessons learned’ from Fukushima and increasing redundancies.
It is smart to map the supply chain and all upstream and downstream dependencies visually, in addition to textually. My favorite Business Continuity Management (BCM) systems automatically create visual mapping and RTO/RPO gaps for upstream and downstream processes including your supply chain. Also, when analyzing the supply chain be sure to include Tier 1, Tier 2 and Tier 3 suppliers in your analysis. Tier 2 and Tier 3 are often left out of an analysis and that can lead to trouble.
BIA Data Collection and Analysis:
I include the following data elements when collecting process information and dependencies for each process and their associated sub-processes. The fields I list here should be considered a starting point. You know your business better than I do, so add and delete as many fields as you need to build the perfect list for your organization. If the data is important, ask for it!
If you are using a robust automated BCM tool ALL this information should AUTOMATICALLY feed your Business Continuity Plans from the BIA collection process. You DO NOT want to go through the error-prone and time-consuming effort of manually inputting this data again.
Be very detailed in your data collection effort. I suggest analyzing down to the sub-process (sub-department) level. Break the recovery dependencies down to timeline buckets (such as <1 hour, 4 hours, 24 hours…). This will be critical information for you to understand and build appropriate recovery strategies. It will also be important in the event you have to declare a disaster and enact your business continuity during a real crisis. Facilities and IT will need this information to bring processes up in the correct order.
With the right tool, you can automatically do ALL of the above in real-time!
Data collection list – starting point:
- Process (Department) Owner
- Alternate Process (Department) Owner
- Employee dependencies at various time-frames (<1 hr, 4hr, 24 hr, 72 hr, 1 week). Both regular employees and recovery employees
- Employee skill-set matrix. It is important you know the required skills. Additionally, if you map employee skills throughout the organization you may be able to leverage employee resources you might not have initially considered. You can unearth interesting ‘hidden’ resources. It has happened to me.
- Normal process start-time and end-time (include time zones)
- Work shifts – Great to reduce workstation area recovery seat requirements – especially valuable when you are paying by the seat. I was able to enjoy significant savings using the same seats spread over multiple shifts. More on that later. It can be a nice win for you.
- Critical processing times of the year
- Supplier dependencies at various timeframes (<1 hr, 4hr, 24 hr, 72 hr, 1 week)
- Vendor dependencies at various timeframes (<1 hr, 4hr, 24 hr, 72 hr, 1 week)
- System dependencies at various timeframes (<1 hr, 4hr, 24 hr, 72 hr, 1 week)
- System recovery time objectives (RTO) and recovery point objectives (RPO)
- Vital Records – what kind and where they are stored. Hopefully, not in the basement
- Hardware dependencies at various timeframes (<1 hr, 4hr, 24 hr, 72 hr, 1 week) – include the required amount of each item. I included a tip on probing for ‘special’ equipment below. In my experience, recovery sites have printers, copy machines, etc. It is the special equipment that can be a bigger issue.
- Equipment dependencies at various timeframes (<1 hr, 4hr, 24 hr, 72 hr, 1 week) – include the required amount of each item
- Supplies – include the required amount of each item and when needed
Do you recall the following questions from the process owner high level meeting chapter in part 1 of the book? If you have already asked them, great. If you did not ask them earlier, then now is the time to gather this information. This will be valuable later as you build your recovery strategies. Here they are again:
- Do you keep an updated contact list for your team with you at all times?
- Do your managers have company issued laptops?
- Can managers work from home, if necessary?
- Can your team work from multiple sites or is it necessary for everyone to be physically in one room?
- Do you have critical customer facing toll free numbers? Can you currently re-route the calls if necessary? Have you tested re-routing them?
Tip – In my experience process owners are generally accurate in their assessment of the time-sensitivity of their processes. When they suggest a very aggressive RTO (for example, <4 hours for marketing), it is important to communicate to them that there will be additional costs involved in building such an aggressive recovery time-frame. Be sure to advise them, if this is the case in your organization, that the goal is to keep the business going and not to attain business as usual. Often the process owners will say ‘hmmm’ and modify their expectations when they realize there is an associated cost with a compressed time-frame and management will ultimately have to sign off on it. It is your job to level-set this information with the process owners before their responses get to the BIA – RA Management Report.
Tip – For each process, compare the number of business-as-usual employees in the process to the number of recovery employees required by the process owner. If you are scarce on in-house recovery seats or you are using a third party recovery vendor and are paying by the seat you should be especially sensitive to the number of seats the process owners need for recovery.
For example, if sales has 200 employees and they indicate they require 200 recovery seats, you should definitely question that. Remind them the expectation is not ‘business as usual’. For example, salespeople often have great flexibility in where they can work from. Work from home can be a good option. I only use sales as an example; you should assess the requirements for every process. Consider building this in as one of your automated assessment metrics (discussed in the Automated Assessment chapter later in the book). For each process, establish a baseline of BAU vs recovery employees. When process owners change these data elements you will identify any potential gaps in seat availability and can act on them.
Tip – Multiple shifts can be another way to save on seats. This can be very useful whether you are contracting for seats or building your own recovery site. You may be able to size it smaller if you can utilize shifts. So, probe if there are any constraints on processes splitting staff into 1st, 2nd and 3rd shifts. Customer Service might be difficult unless you are servicing customers in different time zones or globally. Remember, if you are building your own recovery site, do factor in growth. I have built recovery sites both domestically and internationally and shift work was an important factor in each instance. I discuss this in more detail in the Recovery Strategies part of the book.
Tip – Map the process owners’ view of the world to IT’s view of the world. You may identify important gaps:
Collecting the business view of RTO (process recovery time objective) and RPO (system recovery point objective) against information supplied by IT during an AIA (application impact assessment) provides great value. This will allow you to do a gap analysis that may uncover gaps in what the business needs and what IT is capable of actually delivering. You can do this manually, but a good BCM tool should be able to do calculations and uncover gaps automatically. The benefit is real-time ‘even while you sleep’ metrics. More on that in the automating assessments chapter.
Tip – Process owners will have no idea what RTO and RPO mean. Explain the purpose and value of each in very simple terms so they can give you accurate answers.
RTO and RPO data will be valuable to:
- Ensure the proper backup and recovery strategies are in place to meet the business needs. For example, if you need a system back in 1 hour and you are backing up to tape, there is a big gap between expectations and capabilities. On the other hand, you may be able to save money by doing the analysis and identifying systems that have an overly aggressive recovery solution and the associated expense. You may be able to reduce the expense with a more appropriate recovery solution. For example, you may be running a system active-active for real-time data mirroring, which can be expensive and is not necessary when the business requirement is to have the system back in 72 hours.
- In addition, you will be able to do system upstream – downstream analysis that can uncover well-hidden gaps in system dependencies that can jeopardize recovery. For example, a critical Tier 1 System may have dependencies on data from a supposedly non-critical Tier 3 system. Perhaps, when restoring systems, your network team will need to bring up that Tier 3 system or the Tier 1 system will not function properly.
System inter-dependencies and business requirements are dynamic, not static. If you build your automated real-time system correctly to monitor all of this information you will uncover gaps in real-time. Otherwise, if done manually, it will be like finding a needle in 10,000 haystacks.
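The gap analysis described above, as an added example (not from the book or from any BCM product): it compares the business view from the BIA with the IT view from the AIA, propagates recovery times through upstream system dependencies, and flags RTO gaps, RPO gaps and over-aggressive recovery solutions. All process names, system names, hour values and the `overspend_factor` threshold are constructed assumptions.

```python
"""RTO/RPO gap analysis: business view (BIA) vs IT view (AIA). All data is constructed."""

# IT view from the AIA: hours IT can actually deliver, plus the upstream
# systems each system needs before it can function.
SYSTEMS = {
    "payments":    {"rto": 1,  "rpo": 4,  "upstream": ["customer_db", "fx_rates"]},
    "customer_db": {"rto": 2,  "rpo": 1,  "upstream": []},
    "fx_rates":    {"rto": 72, "rpo": 24, "upstream": []},   # "non-critical" Tier 3
    "crm":         {"rto": 1,  "rpo": 0,  "upstream": ["customer_db"]},  # active-active
}

# Business view from the BIA: what each process owner says is needed, in hours.
PROCESSES = {
    "Treasury":  {"rto": 4,  "rpo": 1,  "systems": ["payments"]},
    "Marketing": {"rto": 72, "rpo": 24, "systems": ["crm"]},
}


def effective_rto(name, systems, _path=()):
    """Return (hours, bottleneck): a system is usable only once it and
    everything upstream of it has been restored."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    node = systems[name]
    candidates = [(node["rto"], name)]
    for up in node["upstream"]:
        candidates.append(effective_rto(up, systems, _path + (name,)))
    return max(candidates)


def gap_report(processes, systems, overspend_factor=10):
    """Return findings as (process, system, kind, delivered, required, bottleneck)."""
    findings = []
    tightest = {}  # strictest business RTO placed on each directly used system
    for pname, proc in processes.items():
        for sname in proc["systems"]:
            tightest[sname] = min(tightest.get(sname, proc["rto"]), proc["rto"])
            hours, bottleneck = effective_rto(sname, systems)
            if hours > proc["rto"]:
                findings.append((pname, sname, "RTO_GAP", hours, proc["rto"], bottleneck))
            if systems[sname]["rpo"] > proc["rpo"]:
                findings.append(
                    (pname, sname, "RPO_GAP", systems[sname]["rpo"], proc["rpo"], sname)
                )
    # Cost-saving candidates: recovery far faster than any process requires.
    for sname, need in tightest.items():
        delivered = systems[sname]["rto"]
        if delivered * overspend_factor <= need:
            findings.append(("-", sname, "OVERSPEND", delivered, need, sname))
    return findings


if __name__ == "__main__":
    for process, system, kind, delivered, required, bottleneck in gap_report(
        PROCESSES, SYSTEMS
    ):
        print(
            f"{kind:9} process={process:9} system={system:9} "
            f"delivered={delivered}h required={required}h bottleneck={bottleneck}"
        )
```

On the sample data, the payments system looks fine on its own 1-hour RTO but is reported with a 72-hour effective RTO because of its dependency on the Tier 3 `fx_rates` feed, and `crm` is reported as an overspend candidate.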
Tip – Over the years I have migrated from using the term ‘critical’ to using ‘time sensitive’ when referring to the recovery time-frame for processes. For me, that simple adjustment has worked well. Process owners understandably feel their process is critical and they are right! If the process was not critical, why would the company pay people to do it? If someone hears their process is not ‘critical’, they might understandably think ‘the writing is on the wall’ and the company is seeking to dissolve or scale down the process and employees – uh oh! It is easier for process owners to digest that certain processes are more ‘time sensitive’ than others and it makes sense to give them priority during recovery. We discuss this and other interpersonal tips in the process owner meeting chapter.
Tip – Be open minded when performing your BIA. Experience has taught me that it is advantageous to examine all processes during the BIA analysis, rather than a subset of pre-determined critical processes. I am still not sure how criticality can be accurately determined prior to actually performing a BIA. There could be financial impacts and critical dependency issues that only become apparent when interviewing the process owner and mapping processes and systems upstream and downstream.
An example that hits close to home is when I recently conducted a BIA interview with a seemingly non-critical process. Unfortunately, in many BIAs this process might not have even been included. During the BIA, after some prompting, the process owner said, ‘Oh, by the way Marty, there is this one regulatory issue that could come up…’ Digging a bit deeper, we identified a possible $1,000,000 regulatory risk that could have severely impacted our organization with regulatory, revenue and customer confidence issues. Seems like a time sensitive process to me.
During the same meeting, I discovered the process owner that I was interviewing was the most qualified person to be my onsite business continuity backup if I were not available during a crisis. He was quite knowledgeable about crisis management and business continuity. He described how he helped build plans for a local school as a volunteer. That made my day!
If I had approached the BIA meetings with the notion that this process was out of scope for the BIA analysis, when the inevitable disaster occurred my butt would have been on the line for having not identified the potential regulatory impact. Plus, I can now take an occasional vacation (which I rarely do) knowing I have a qualified backup!
My advice is to go into the BIA with an open mind and let your thorough analysis of each business process define what is time sensitive and what is not.
Tip – Probe for Specialized Equipment and Supplies
When you are doing your BIA follow-up interviews with process owners, ask them about any specialized equipment and custom supplies they will require during a disruption. Make them really think. Present a scenario where they do not have access to their office and must work from home or an alternate recovery site. When you probe them, they may come up with equipment they did not capture on the first draft of the template. (In the Recovery Strategy part of the book I included a chapter on storing specialized equipment off-site).
Examples of equipment and supplies I have uncovered during probes:
- MICR printers (check printing)
- custom forms
- high-speed scanners
- rubber stamps
- extra batteries…
Tip – Reality Check: Getting the BIA back on time – some will and some won’t:
Some people will be more receptive than others to devoting time to completing their BIA. If you think you will send out twenty emails to process owners asking them to complete their BIA and you will receive them back on time fully completed and then everyone will show for their scheduled BIA follow-up review meeting, I have a bridge in Brooklyn I would like to sell you… In reality some will and some won’t. Follow up with the people that did not comply, mention the drop-dead due date and then it goes to management on an exception report. People hate being on exception reports! If, after two follow-ups, you do not get the survey from them, tough luck on them – report them to management! I realize this is not their main job but you must keep the program moving forward.
Tip – In the BIA intro email to the process owner it helps if you mention that the person of authority, such as the Senior Vice President, endorses the program and will review the results on ‘such and such day’. You will get a far higher percentage of completed BIAs returned on time. You will also get a far higher percentage of not getting blown off for the follow-up meeting request. People never like being on management ‘lists’.
Tip – Technology can SUPERCHARGE the value of a BIA and make your life easier:
The BIA is NOT a one-time event – or at least it shouldn’t be. It is an ongoing process. At the very least you must ‘re-BIA’ once a year. There are so many moving parts in your organization. Things can change on a daily or weekly basis. Here are just a few critical dependencies that can and will change:
- Staffing dependencies
- Time sensitivity requirements
- Upstream and downstream process dependencies
- System dependencies
- Telecom dependencies
- Equipment dependencies
- Vendor dependencies
- Please add additional dependencies important to your organization
In fact, if things are not changing in your organization you may have bigger issues. It could be a sign that your business has become stagnant. In today’s world of disruptive technologies, disruptors (Netflix, Amazon, Uber) entering your niche may be a growing risk! Identifying this lack of change can be enlightening to management. I build this into my algorithms when automatically assessing my program.
The ideal solution is to make your BIA dynamic rather than static. Leverage technology to monitor all changes to your program in real-time. As visionaries such as Elon Musk and Jack Dorsey say – ‘Take it to the 10x level!’
Automation will allow you to identify changes that impact your organization from end-to-end. You can build simple or complex rules (algorithms) and workflows to trigger events and alert the right people instantaneously. This impact/risk insight can simultaneously be automatically reported on a detailed level to process owners and/or summarized to middle and upper management in a dynamic colorful high level dashboard. Imagine a cool real-time dynamic chart changing colors to alert the right people of risks and opportunities. Most importantly, it provides them with a holistic real-time vision of the organization they have never had before. There is immense value and career payback to you for implementing such a visionary system. The automating assessments chapter provides detailed information on the power of having a real-time pulse on your program.
BIA checklist steps:
(All of these steps, and more, are listed in the BCM Online Roadmap included with this book)
- Decide on the type of data you want to capture
- Decide on the type of repository you will use to capture and store the information you collect from process owners. Will it be in a spreadsheet (not recommended for mid to large organizations), in word processing docs (again not recommended for mid to larger organizations) or a business continuity management (BCM) system (recommended for many reasons listed throughout the book)
- Decide on which processes will be in scope for the BIA. I suggest all processes are in scope for the analysis. Experience has demonstrated to me that pre-conceived notions can be inaccurate and dangerous. In basketball, players on occasion say to refs on a perceived bad foul call, ‘ball don’t lie’ (refs do not like to hear that). Well, the BIA equivalent would be, ‘data don’t lie’. Go by the data you collect to decide what is really time sensitive and what is not!
- Decide on the type of data collection process you will use. Two popular options are 1) having the process owners take a first try at filling out the BIA in a meeting or 2) emailing them a survey they will fill out. I have done it both ways. I enjoy meeting with them and helping them complete the BIA. It is fun and I always pick up interesting info. I have also had good results in cases when it was not practical to meet in person, so I send them the survey and they complete it. The next few steps describe the approach when they are taking a first cut at completing the BIA
- I always try to make the BIA very straight-forward. I include simple step-by-step instructions with a description of each field in the template and why we are collecting the information. The process owners take a first cut at completing the BIA. I encourage them to contact me with questions or concerns. We then do follow-up meetings in-person, if practical, or by webinar to review each piece of data
- Develop a clear concise introductory email that helps process owners understand the goals of the BIA. They must clearly understand what you expect of them
- Include your BIA template as an attachment or preferably a link to the online version. If they will be completing the BIA in a BCM tool, so much the better. It will save you time, as the BIA data will naturally flow into the Business Continuity Plans and anywhere else you want to analyze and report on the data. The key to normalizing data in all aspects of your program is to enter data only once (gold source) and get value from it in as many ways as possible. Well-designed database systems separate the presentation and data layers. I discuss good basic design in the ‘Database or Spreadsheet’ chapter in the Technology part of the book
- Always set a due date for completion and return of the BIA survey. If you keep the survey clean and simple, seven days is plenty of time. Mention that upper management wants to have the process completed by the due date
- Also, set up a follow-up meeting for ten to fifteen days after you send them the survey. This puts some urgency for them to have their first draft of the BIA back to you before the meeting, so you can review it with them. The purpose of the follow-up meeting is to walk through the information the process owner provided. You can answer questions and provide additional guidance if needed. You can then finalize the BIA
- Compile and summarize results in preparation for the upcoming executive management report (to be discussed in an upcoming chapter in this part of the book)
- Treat yourself to a nice dinner!
- ‘Re-BIA’ manually on a regular basis or preferably automate the process and re-BIA in real-time when any piece of information anywhere in your organization changes!

In the next chapter, we will discuss the BIA’s partner: the Risk Assessment. Following that we will put it all together and discuss automating the business impact analysis and the risk analysis for real-time awareness of threats, opportunities and assets.