DRJ Fall 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Fall Journal

Volume 32, Issue 3

Full Contents Now Available!

If your organization has started down the path of building a business continuity program, no doubt your team is also trying to save on the cost of time, people, and resources while performing that task. To achieve both tasks, some executives have taken the approach of using only a few resources to push a business continuity and disaster recovery plan writing campaign. This campaign produces quick success by outlining some procedures they envision that will absolutely secure successful business operations recovery in case of a disruptive incident. Notice I said “plan writing” campaign and not a systematic planning methodology. Then, when the leaders feel the plan is complete that item can be “checked off” the proverbial to-do list as done.

You cannot write a good and viable plan unless you have defined the goal of your plan. A plan writing campaign, like any task in a project, is only one component of a longer list of objectives and actions within a systematic planning methodology that ultimately makes up a comprehensive deliverable. In this case, the deliverable is a business continuity capability within an organization.

One of the components that is tossed aside most often is the business impact analysis, or BIA. The BIA according to the Disaster Recovery Institute International (DRII) achieves the following:

Identifies the impacts resulting from business interruptions that can affect the organization and techniques that can be used to quantify and qualify such impacts. Identifies time-critical functions, their recovery priorities, and inter-dependencies so that recovery time objectives can be established and approved.

The “quick success” approach with writing business continuity plans most of the time is based on nothing more than a gut feeling about potential scenarios (e.g., risk of a tornado hitting their site, ignoring the fact that the business is located next door to a chemical manufacturing facility, down the street from a major rail yard or airport, etc.) A thorough process analysis is what tells you which processes or functions are critical to the business, which processes should get priority with recovery and restoration actions, and which processes and functions are not so critical. A “quick success” plan is usually the one that sits on a shelf that no one knows about and begins collecting dust.

The BIA, when conducted fully, will lay out the big picture of the most critical, or “life blood,” operations. A BIA will also do the following needed to stop the bleeding:

  • Define required recovery timing for data and operations recovery
  • Establish essential staffing requirements identified in the planning stage
  • Identify critical business partners, vendors, and other resources

The BIA’s main purpose is to present your most critical operations with data that supports decision-making to reduce exposure to risks and threats and recover operations.

The BIA also outlines the quantitative (e.g., financial impact) and qualitative (e.g., impact to customer experience, degraded brand impact) risks, costs, and loss associated with interruption and disruption of those critical processes and functions. Knowing these key elements in advance will promote increased awareness and understanding of the need for comprehensive and viable business recovery capabilities (not just plan documents) that establish order, control, and resilience for the entire organization.

When leaders can map and see the big picture of critical or life-blood operations, they enhance their awareness and can make effective decisions on whether to plan to control, deflect, avoid, or mitigate certain risks and threats to certain critical operations.

Moreover, they will decide recovery priorities based on which risks they can accept or handle with no or minimal action on their part and which threats are intolerable for their operations. In other words, the BIA helps leaders determine and understand their risk appetite for threats to their critical operations and how to best apply resources to protect and mitigate those risks and threats. (A risk assessment may unearth threats as well, but some industries perform a BIA first.)

After capturing BIA data through interviews, surveys, and business meeting discussions, the BIA also serves as a specifications document for use by all business continuity team members, supporting partners, and other dependent resources. The “specs” outlined in the BIA will direct each team member on what the priorities are for each critical process and how long the critical process can withstand the impact before irreversible damage is done.

For example, by sharing the BIA information with the IT team on critical business systems and when those systems must be back online, IT can make enhancements to their disaster recovery plan outline, adjust their data back-up schedule as needed, and then restore only the most critical systems and applications within a required timeframe as outlined in the BIA, thus ensuring the life-blood processes of the business are back online.

In addition, the BIA will also outline the partners to engage who will support the critical process, what other resources are needed for critical operations, and other interdependencies that you rely on (i.e., vendors, suppliers) or that rely on you (i.e., clients, internal business partners).

For example, by sharing the BIA with the facilities management team, they can make sure that an alternate/back-up work site is equipped, furnished, and functioning on time and by key vendors and suppliers according to the BIA business security, space, and seating requirements.

Without this knowledge from the BIA, the business continuity planning effort will go in the wrong direction, potentially cover too many non-priority processes, and leave out critical processes and resources needed to recover from a disruptive incident. It is like knowing and then planning what goes into a lifeboat when the Titanic is sinking. The key is to get the most critical resources into the lifeboat, so they can be recovered and used to rebuild and restore the Titanic or get a new big ship. The BIA process is not easy, requires time and resources, but is necessary if business continuity/recovery plans are to be viable and build true resilience within an organization.

Some organizational leaders still see the whole business continuity practice and the BIA process as a waste of time and resources, because their specific site has never had an incident large enough that an “all-hands-on-deck” response didn’t get them out of. However, I would argue that continuing down this cynical path is like putting all your eggs in one basket – the “nothing will ever happen” basket.

Further, I would argue that if a BIA was performed and used to prepare a business continuity plan and team, any response to an incident will be faster, efficient, and operations restored more effectively than any “all-hands-on-deck” approach.

Within the last 10 years, many incidents, emergencies, and disasters have occurred that confirms the truth behind the adage, “It’s no longer if, but when.” So, continuing down the path of believing BIAs are a waste of time and resources will ensure clients’ interests are jeopardized and at risk, not to mention the risk of continuity of business operations and human resources.

As an organization that services clients, your teams must be enabled to respond and be the leaders and voices of reason and authority when an incident occurs that disrupts business and flow of operations. Order and control are necessary to successfully control and recover from an incident or emergency – and you cannot have full order or control by skipping the BIA. A business continuity plan without a BIA will only achieve a false sense of security and surely end in continuous re-work or, at worst, with operational shutdown because your team didn’t know the priorities and how to control recovery.

Here are a few things an organization may experience when the BIA process is skipped, stressing your crisis/incident management plan:

  • Priorities are unknown – you identified some critical and important processes/functions but don’t understand which ones to focus on first and which must be recovered in a sequence because some are dependent on each other.
  • Triggers or criteria for activating the business continuity team are unknown and adds time-pressure, stress, and emotions to the decision-making process.
  • Business continuity team members don’t know or understand their role as a team member and are therefore unavailable when an incident occurs.
  • The right “team mix” is unknown – e.g., you may have identified IT representatives as critical team partners but didn’t include the telephony and Web teams for a potential massive system failure; you took an “all-hands” approach, and now you have too many people involved with little direction on their part in the recovery. Time is being wasted.
  • Unidentified critical resources cause delays with operational recovery and restoration – e.g., the legal team is able to return to work after their work space and building are restored, but they did not identify vital data to be restored by IT and vital records to be delivered from the record storage facility in time for them to resume work.
  • Communications with business partners and clients are slow to get out as partners and clients are calling and don’t know about incidents or shifts to recovery operations.
  • Communications with employees are slow to get out as the next shift of employees begins to show up (not knowing about the earlier incident or employees do not know where to call to find out what plans are in place for the next shift or next business day).
  • Competing for resources in the community (i.e., recovery and relief supplies – water, food, generators, diesel fuel, cots/blankets, contractor support for repairs, etc) because critical vendors/suppliers were not identified and contracted in advance.

You get the point. You must know what goes into the lifeboat, otherwise you lose critical data, information, people, and other supporting resources that will help you get back to normal. The BIA process helps you with this analysis, decision-making process, and recovery actions and leads you to your desired recovery objectives – to be resilient.

The BIA is not only an opportunity to define specifications for your business recovery plan, but also the process invites education and relationship-building as you capture and map critical operations data and information through interviews, surveys, and meeting discussions. Each component of the BIA, when complete, will show a new big picture of the business. Seeing this big picture also promotes a new way of thinking and responding when incidents occur and the order and control that are required to recover from such incidents. The BIA is that cornerstone of the resilient structure you really want to build that brings the success for which you are seeking.

Natalie R. Wilson-Jones, CBCP, is a 16-year veteran of business continuity with practical experience in both the public and private sectors.