Business continuity planning: BIA Analysis and reporting
In Part 7 of our Business Continuity Planning series, we discussed conducting interviews as part of a business impact analysis (BIA). In this article, we look at the post-interview analysis and clarification stage, and at the process for reporting and acceptance.
Analysis
Once the interviews are concluded, the analysts should hold a holistic discussion of the business processes and of the requirements and priorities that will drive the subsequent stages of business continuity plan development. The analysis should answer the following questions:
Which processes are critical, that is, which ones cause a growing impact on the business the longer they are not executed?
What do those critical processes depend on, in terms of other processes, information systems and people?
How long does it take to restore the business processes that are identified as critical?
Can the processes be executed manually and, if so, for how long can they run manually before you lose control of them?
How much data loss would the business incur during a process failure? What would the financial impact be?
Who are the critical third parties that are essential when executing the critical business processes?
Where are the single points of failure: an information system, building or member of staff whose loss would prevent a critical business process from being executed?
What are the peak and off-peak times for each business process?
Discuss with information technology
Before the analysis is finalized, you must meet the information technology team to validate the RTO (recovery time objective) and RPO (recovery point objective) requirements captured during the interview sessions. This matters because departments need to know how realistic their RTO and RPO targets are, given what the information systems their processes depend on can currently deliver. In many organizations where IT disaster recovery planning is not driven by BIA outcomes, the IT department makes the whole data centre redundant and applies the same RTO and RPO to every information system.
However, applying the same RTO and RPO to all information systems is expensive. It also makes disaster recovery testing of a specific system hard, since a test of one system affects the others. For this reason, many IT departments never conduct full disaster recovery testing.
Collect feedback from the IT department on every information system the business deemed critical during BIA data collection, and record the RTO and RPO that IT can actually achieve for each. Then fine-tune your analysis: any process whose requested RTO or RPO the supporting systems cannot meet today is a gap to report.
Preparing the report
At this point most of the analysis is done and you are ready to organize the data into a report. We recommend presenting the draft to the champions first and then to the steering committee. If you need clarification from any department, obtain it before finalizing the report.
The report can be a document accompanied by an executive summary presentation, or a presentation alone. We prefer a short presentation to a formal document; however, if your organization requires a document for audit purposes, produce one.
Group the business processes by the MTPD (maximum tolerable period of disruption) captured during the interviews. You do not need to list every process you captured: focus on the processes with criticality levels of very high, high and medium, and attach a spreadsheet containing all the processes you analyzed. Below is an example of a process list.
Additionally, you will need a slide with the gaps identified during the analysis, such as single points of failure that could make the recovery strategy ineffective.
We suggest the following slides for your presentation:
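The two analysis steps above, validating requested RTO/RPO against what IT can deliver and grouping processes by MTPD for the report, are mechanical once the interview data is in a spreadsheet. The following is an added example, not code from the original article or its authors: it tiers constructed sample processes by MTPD, flags interview data that contradicts itself (an RTO longer than its MTPD), lists requested RTO/RPO values that IT cannot currently meet, and identifies non-redundant systems that critical processes depend on. The tier thresholds, process names, systems and numbers are all assumptions made for the example.

```python
"""Added example (not from the original article): a small post-interview BIA
analysis helper. All processes, systems, numbers and tier thresholds below are
constructed sample data and assumptions, not taken from any real organization."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed MTPD thresholds in hours per criticality tier; adjust to your own
# organization. A process takes the first tier whose limit its MTPD does not exceed.
TIERS = [(4, "very high"), (24, "high"), (72, "medium"), (168, "low")]
REPORTED = {"very high", "high", "medium"}  # tiers that go on the main slide


@dataclass
class Process:
    name: str
    department: str
    mtpd_h: float   # maximum tolerable period of disruption (hours)
    rto_h: float    # business-requested recovery time objective (hours)
    rpo_h: float    # business-requested recovery point objective (hours)
    systems: list = field(default_factory=list)   # information systems it depends on


@dataclass
class SystemCapability:
    """What IT says it can deliver for a system today (from the IT discussion)."""
    name: str
    achievable_rto_h: float
    achievable_rpo_h: float
    redundant: bool   # a failover or redundant instance exists


def criticality(p: Process) -> str:
    for limit, label in TIERS:
        if p.mtpd_h <= limit:
            return label
    return "very low"


def consistency_issues(processes):
    """An RTO longer than the MTPD means the interview data contradicts itself."""
    return [f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h"
            for p in processes if p.rto_h > p.mtpd_h]


def it_gaps(processes, capabilities):
    """Requested RTO/RPO that IT cannot meet today, or systems IT gave no data for."""
    gaps = []
    for p in processes:
        if criticality(p) not in REPORTED:
            continue
        for s in p.systems:
            cap = capabilities.get(s)
            if cap is None:
                gaps.append(f"{p.name}: no IT capability data for {s}")
                continue
            if cap.achievable_rto_h > p.rto_h:
                gaps.append(f"{p.name}: {s} RTO {cap.achievable_rto_h}h > required {p.rto_h}h")
            if cap.achievable_rpo_h > p.rpo_h:
                gaps.append(f"{p.name}: {s} RPO {cap.achievable_rpo_h}h > required {p.rpo_h}h")
    return gaps


def single_points_of_failure(processes, capabilities):
    """Non-redundant systems mapped to the reported-tier processes they would take down."""
    spof = defaultdict(list)
    for p in processes:
        if criticality(p) not in REPORTED:
            continue
        for s in p.systems:
            cap = capabilities.get(s)
            if cap is not None and not cap.redundant:
                spof[s].append(p.name)
    return dict(spof)


def report_rows(processes):
    """Rows for the report slide: reported tiers only, most critical first."""
    order = {label: i for i, (_, label) in enumerate(TIERS)}
    rows = [(criticality(p), p.name, p.department, p.mtpd_h, p.rto_h, p.rpo_h)
            for p in processes if criticality(p) in REPORTED]
    return sorted(rows, key=lambda r: (order[r[0]], r[3]))


# Constructed sample data (hypothetical processes and systems).
PROCESSES = [
    Process("Card payment authorization", "Payments", 2, 1, 0.25, ["pay-switch", "core-db"]),
    Process("Customer onboarding", "Operations", 24, 8, 4, ["crm", "core-db"]),
    Process("Monthly payroll", "HR", 72, 48, 24, ["hr-suite"]),
    Process("Marketing newsletter", "Marketing", 336, 168, 72, ["crm"]),
    Process("Regulatory reporting", "Finance", 48, 72, 24, ["core-db", "reporting"]),
]
CAPABILITIES = {c.name: c for c in [
    SystemCapability("pay-switch", 0.5, 0.1, True),
    SystemCapability("core-db", 4, 1, False),
    SystemCapability("crm", 12, 24, True),
    SystemCapability("hr-suite", 24, 24, True),
]}

if __name__ == "__main__":
    for row in report_rows(PROCESSES):
        print(row)
    print("Consistency issues:", consistency_issues(PROCESSES))
    print("IT gaps:", it_gaps(PROCESSES, CAPABILITIES))
    print("Single points of failure:", single_points_of_failure(PROCESSES, CAPABILITIES))
```

Run against the constructed data, the helper drops the newsletter process from the main slide, reports that "Regulatory reporting" asked for an RTO longer than its own MTPD (something to resolve with that department before the report is finalized), lists the RTO/RPO values the shared core database cannot meet, and names that non-redundant database as a single point of failure for three reported processes. A system that IT gave no capability figures for is itself reported as a gap rather than silently passing.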
Executive summary
Program roadmap and current position on it
Program scope
Business processes that have criticality as very high, high or medium
Identified gaps in the analysis
Next steps
You can add speaker notes to the slides for those who wish to read about the BIA in greater detail after the sessions. Supporting information that is not the primary focus of the discussion should be kept in backup slides and shown only when asked for. Keeping the deck to no more than 10 slides will help you wrap up the conversation within an hour.
Presenting to the champions
Once the draft report is ready, schedule a meeting with the champions and their department heads (where the heads are not themselves the champions) to present and discuss it. This review stage reassures the champions, since they will know exactly what is being presented to the steering committee. During the meeting, keep everyone focused on the slides that list the critical processes and the gaps. Keep in mind that while mitigating the gaps is outside the program scope, the relevant departments should still address the identified gaps after the meeting. At this point, changes to the analysis should be minimal and made only when absolutely required. If your organization's information systems are not aligned with the critical business process requirements, there may be some debate among the departments involved. Steer those conversations towards agreeing on ways to reduce the impact of that misalignment on the business processes during a disaster, based on the current state.
Prepare for the risk assessment
At this point, the team responsible for conducting the risk assessment must start preparing. It is also a good idea to give your business continuity stakeholders a high-level update on the progress of the BIA and to tell them that the risk assessment stage is next. You can send them tips and other helpful information to help them prepare.
You must also reach out to your enterprise risk management or GRC team to discuss conducting the risk assessment. We will provide more information on preparing for the risk assessment in the next part of this series.
Presenting to the committee
Once you have presented the report to the champions and made the requested changes, schedule a meeting with the steering committee to present the BIA outcome. The CEO and some of the directors must be present to give their final say on the importance of the identified processes and the gaps. Refresh their memory of the program, the BIA approach and the terminology before walking them through the findings; this explanation should take no more than five minutes, since you will need most of the time to discuss the analysis and the gaps.
If the directors demote or promote a business process, document the rationale for the decision. The directors are accountable for the survival of the business in a disaster, so their perspective carries weight. When presenting the gaps, tell the committee that mitigating them is not part of the program scope but is the responsibility of the respective departments. Also let them know that the gaps will be analyzed further during the risk assessment and transferred to the enterprise risk register so that mitigation can be tracked.
Close business impact analysis
Once the report has been accepted by the committee (and the directors), send the final report to the champions along with the minutes of the committee session. If they raise any concerns, record them and take them to the committee for clarification. Then announce the closure of the business impact analysis phase to the organization. Now it is time to move on to the risk assessment.
Conclusion
During the analysis stage of a BIA, your goal is to determine how business processes can best be maintained during a disaster. Identify the technology requirements of those processes as early as possible and communicate them to IT, so that requested RTO and RPO values are validated against what the information systems can deliver. Once the BIA interviews have been conducted, complete the analysis by listing the business processes by criticality (very high, high or medium) together with any gaps identified during the analysis. Discuss the findings with the champions first and then with the committee. Once the report has been accepted, close this phase and move on to the next one: risk assessment.