“You can’t build a great building on a weak foundation. You must have a solid foundation if you’re going to have a strong superstructure.” ~ Gordon B. Hinckley
I have done a countless number of Business Impact Analyses (BIA) in my days as a Crisis Management consultant. I worked for a global company who sold this type of work as a service. We would conduct workshops, gather data and report our findings. We ALWAYS did statistical reporting – showing the number of critical business functions and percentages of Recovery Time Objectives by tier – but we never offered analytical reporting and frankly, I feel like we missed the point and often left the customer to decipher what it all meant and how to use it.
After I left the firm and started doing BIAs on my own, I realized that gathering the data is one thing, but putting the data to use is where the magic is. While the statistical information might be interesting, the real value is in understanding how to turn the data into useful information. By conducting analytical reporting on the BIA data, we can better understand priorities, group data to show impact of a lost system or facility, identify risk associated with gaps in the program and build strategic, prioritized program-level plans to improve the organization’s overall resiliency and readiness.
Three Components of Crisis Management
Whenever I’m given the opportunity to implement a crisis management program, I like to use a model that covers Business Continuity (how the various business units will continue to execute their critical functions during a crisis), Disaster Recovery (how the technology team will recover infrastructure, systems and data) and Crisis Management (how the leadership team will respond, communicate and navigate through the incident). Data gathered in the BIA becomes the foundation for all of these plans.
Business Continuity: BIA data allows you to understand what business functions are most critical to the organization. During the BIA, we would identify the business unit’s view on maximum tolerable outage (how long they could afford to be without this function), and understand the impact that the business would face because of an interruption. We explore what their acceptable response strategies might be, what their resource and system requirements are, understand their manual processing capability, people requirements, dependencies on other teams and more. So, when we write a Business Continuity Plan, we’re not just giving instructions on what to do during a disruption. We’re writing a plan that lays outs a specific response to enable the most critical aspects of the business to continue, with a full understanding of their requirements in mind.
Disaster Recovery: In each BIA workshop, we will have gathered system requirements along with the business unit’s perceived Recovery Time Objective (RTO) and Recovery Point Objective (RPO). I say “perceived” because often, these requirements are over stated. (“We can’t live without email for more than 20 minutes”). But once the data is compiled, vetted and approved by senior management, you start to have the basis for a comprehensive set of requirements for your disaster recovery strategies. I like to conduct a Disaster Recovery Gap Analysis to see exactly where we stand in our overall recovery capability against the requirements defined by the business. From there, we can put a plan together to implement disaster recovery solutions to close the gaps. You can prioritize the development of solutions based on the overall impact (gathered in your BIA) of systems being down.
Crisis Management: People don’t always think to use BIA data in their Crisis Management Plan, but I’ve found this to be extremely valuable. Imagine a scenario where a specific building is lost. Using BIA data, we can show the Crisis Management Team how many people are affected, what business units are impacted, what specific business functions will be interrupted and even offer a composite view of impact to the organization. Priorities become clearer because we have a detailed view of the business. While individual business units are executing their Business Continuity Plans, the Crisis Management Team will have an effective dashboard showing the impact of the outage as it progresses.
In addition to using BIA data in specific response plans, it can (should) be used to help govern the progress of your program. If we establish guidelines saying that all critical systems must have DR and all critical business functions must be covered in a Business Continuity Plan, we can identify gaps and build a course of action to become fully resilient.
If you have never conducted a Business Impact Analysis, or if your information is out of date – you are missing out on a treasure trove of useful information. Turning ‘data’ into ‘information’ is a skillset that can bring your BIA data to life and become a strong foundation that will allow you to build a formidable program.
Next: What information should I gather in a BIA?