Q&A with ICMC 2018 Speaker, Mark Hoffman

Mark Hoffman is the founder of Anesis Consulting Group, Inc. He has more than 25 years of crisis management consulting experience. In his role as managing partner, Mr. Hoffman manages business development, marketing and communications while playing a leading role in client delivery work. He carries the CBCP certification and has a reputation for excellent delivery and execution and is known for developing customized BCM Programs that integrate crisis management, business continuity and disaster recovery.

We recently asked Mark about BIA and his upcoming ICMC 2018 presentation, “How to Get the Most From Your Business Impact Analysis.”

1. In case anyone in our audience doesn’t understand, please describe what a “BIA” is.

BIA stands for Business Impact Analysis, which is described by the BCI Glossary of Business Continuity Terms as the “Process of analyzing activities and the effect that a business disruption might have on them.” My methodology, which has been refined over the course of hundreds of workshops, collects key information about business functions including, staffing and system requirements, recovery objectives, dependencies, single points of failure, key roles, work locations, maximum duration of potential downtime and so much more. Additionally, a well-run BIA will identify the impact that a disruption would be on the organization, measuring in four unique impact types.

2. Can you explain BIA data and the importance of collecting it accurately?

I consider BIA data to be the backbone of your Business Continuity / Crisis Management program. Data collected in the workshops establishes requirements for system recovery (Recovery Time and Recovery Point Objectives) and requirements to alternate work locations for key staff – in order to enable key business functions to continue. Strategies and solutions will be developed and implemented based on the data gathered in the BIA. If recovery objectives, or impact is overstated, not vetted properly or captured inaccurately, solutions will be implemented based on a false premise – resulting in either the solution not meeting the needs of the business or having a solution that far exceeds the requirement. Business Continuity and Crisis Management Plans lay out objectives and specific actions based on this information, therefore, its accuracy is essential.

3. How often should an organization conduct a BIA? Use a Fortune 500 bank as your benchmark.

Best practices call for BIA data to be updated at least every two years, however I believe that in some cases, (such as the Fortune 500 bank you mentioned), an annual refresher is required. Any business that is in a highly volatile industry or one that is constantly adding new products, services or lines of business should review their BIA data every year and conduct new BIAs for the new functions. For those in a more static environment, once you’ve conducted a full BIA, subsequent workshops can be streamlined to focus on validation/update of the collected data, identifying areas where business requirements have changed. I also include a Risk component in my BIAs, so an annual refresher of Risk is a good idea, even if you don’t feel the need to re-visit the full slate of BIA data on a yearly basis.

4. What can the 2018 International Crisis Management Conference attendees expect from your presentation?

I’m going to touch on a couple of interesting things pertaining to BIA data. First, based on the results of a survey that we conducted a couple of months ago, I want to share what people told us they struggle with when dealing with BIAs and provide some thought leadership on ways to make life a bit easier. I want to share with you what people told us about how they use their BIA data, and provide my model for how this data can be used across the program to improve your preparation and response to various types of crises. You will be surprised how the data collected can be used to help your organization build a solid Crisis Management Program and respond effectively at time of crisis.