“Everything is complicated if no one explains it to you.” ~ Fredrik Backman

A client asked me one time “How did you know what was important to my company”?  And I replied, “I asked.”

This is part two of my blog series about a critical component in your Business Continuity and Crisis Management Program:  The Business Impact Analysis (BIA).

Today I want to focus on what information needs to be collected in your BIA and my approach to collecting it.   I’ve summarized this to keep it at an appropriate length for a blog post.

I use Excel to collect the data and I project the spreadsheet on a screen so the team can see what I’m typing.  If you bring a scribe to the BIA workshop and let THEM type, it allows you to stay focused on the data gathering.

I have my spreadsheet set up with six tabs.  I gather information for all business functions within each tab before moving on to the next tab.  This helps with the information flow and eliminates the sense that we’re jumping back and forth.  It gets easier after the first function is documented and the team sees the type of information you’re looking for.

Tab 1: Learn About the Business.  Some people like to collect data about critical business functions only.  I like to get a complete picture of the business so I ask the team to list every business function that is performed by their department.  I get a summary of what that function does, who owns it, how many people are involved (and the minimum number of staff required), where it’s done, what their critical or seasonal periods are and what their typical hours of operation are.  I also ask them to define the maximum amount of time they feel the function could be suspended before it caused significant problems for the organization.  Additionally, I ask what tasks they could defer doing in an emergency.   Why: On this tab, I’m trying to learn as much as I can about each business function.  The maximum tolerable downtime establishes criticality.   The rest of the information becomes useful in support of the entire program.   Where used: Business Continuity Plan, Pandemic Plan, program management.

Tab 2: Relationships.  On this tab, I ask the team to identify their dependencies on other departments and external agencies.  This includes suppliers, vendors or any external organization.  Why: I want to understand their dependencies on other groups and how if affects their ability to complete the functions identified in Tab 1.  Where used: Business Continuity Plan.

Tab 3: Vital Resources and Technology. Here we focus on the technology that is used by the business unit.  Get a list of all applications, productivity tools, telephony and other tech-related items that they need.  It’s best if you can be specific and tie this technology back to individual functions within the business unit.  Identify their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) (where applicable) for each item.  Keep in mind that multiple business units will likely use the same technology – so you will need to compile this data at the end of the BIA.  Also identify any non-technical resources that are needed.  This may include things like manuals, special forms, physical files, etc.  Why: We are establishing what tools they need to function.  Where used: Business Continuity Plan, Disaster Recovery Plan, Crisis Management Plan.

Tab 4: Manual Processing.  For each function, identify if they can complete the work manually (without access to the systems identified in Tab 3), even for a short period of time.  Capture the capability, including the overall sustainability of the manual effort.  Why: It’s important to understand the impact of system downtime on the day-to-day operation.  Where used: Business Continuity Plan, Disaster Recovery Plan.

Tab 5: Alternate Work Site.  On this tab, I ask the team where they could / would work if their main facility was unavailable.  More and more, companies are opting to have their employees work from home during a crisis. Determine the number of people who will work at the alternate location. Why: We need to establish viable options for where the team could work if they can’t work in their normal location.  Where used: Business Continuity Plan, capacity planning for remote access.

Tab 6: Impact Over Time.  I love this tab.  It allows us to determine just how critical each of these functions really is.  I typically only conduct this tab for functions that the business identified as being critical (generally those identified in Tab with a maximum downtime of 72 hours or less).  What we want to do is determine the impact to the organization in a scenario where each critical function is completely suspended, in various time periods.  We establish guidelines at the beginning of the BIA to define the various ratings of impact to the organization’s finances, operations, reputation and legal/regulatory requirements.  Why: First, it corroborates the maximum tolerable downtime claim from the first tab and gives us the tools necessary to build a priority response matrix.  It also clearly defines the risk to the organization if their functions are suspended.  Where used: Crisis Management Plan, Business Continuity Plan, program management.

If we think about the data that we’ve collected – we understand what the business does, what the critical functions are, where they can work, what they can/cannot do manually, what tools they need and the impact of their downtime.  Used properly, this data becomes the foundation of your Business Continuity Program.  I’ll expand on that in future posts.

Up next: Reporting the Results of the BIA.

Want to know more?  Contact Mark Hoffman at [email protected] or follow Mark on Twitter @mhoffman_cbcp