Business continuity planning: Preparing for the Business impact analysis
In the previous article, we discussed identifying the project team, different resiliency plans, business functions and the respective departments’ champions. Additionally, we discussed the design of the awareness programs, change management and scheduling involved in the planning stage of a business continuity plan development program. In this article, we will discuss preparing for business impact analysis which is part of the planning stage of the program.
Terminologies relevant to Business Impact Analysis
It is important to understand some of the abbreviations and terminology used in business continuity planning from this stage onward. If you prefer the definitions given in the ISO 22301:2019 framework, refer to that framework directly.
Business Impact Analysis (BIA) - the process of analyzing business activities to determine recovery priorities, objectives, business dependencies and targets.
Maximum Tolerable Period of Disruption (MTPD) - the maximum time a business can withstand disruption of a business process before the disruption has an adverse impact on business operations. It can also be defined as an organization’s maximum acceptable outage (of the process as a whole, not IT alone).
Recovery Time Objective (RTO) - the timeline within which a business service or activity and its associated resources must be restored.
Recovery Point Objective (RPO) - the maximum amount of information the business is willing to lose, also known as maximum data loss.
What is a business impact analysis?
The purpose of conducting a BIA is to identify the impact of a disaster on an organization's processes and the supporting resources over a period of time and provide sufficient information required to prioritize business recovery.
Having identified the teams involved (as detailed in Part 5: Planning), you are now ready to conduct interviews with the department champions and the other subject matter experts (hereafter referred to as SMEs) to identify the processes and their dependencies, determine the criticality of each business process during a disaster, and establish the order in which they must be restored.
Whether an organization should conduct a risk assessment or a business impact analysis first is a much-debated topic. We will provide a companion series in the future that further explores the pros and cons of each approach, but for now we’ll outline the process of starting with a business impact analysis.
Irrespective of whether you conduct risk assessment first or the business impact analysis first, you need to identify the critical processes and the amount of downtime a business can afford in a disaster. If you are conducting a BIA for the first time, the champions will not know what they need to prepare ahead of the interview. Therefore, we suggest hosting workshops to set expectations and give the involved parties an opportunity to ask questions.
Preparing for the business impact analysis
Preparation is important to successfully conduct BIA interviews with the department champions. Below is a list of things you should consider:
Prepare a list of champions or SMEs that you will interview
Create the spreadsheet template you’ll use to collect information during the interview
Create a sample interview data template you can share with the interview attendees
Prepare a pre-session presentation to discuss with the selected champions or SMEs
Send the interview schedule to the participants at least two weeks in advance
The spreadsheet template for the interview is crucial, so it must be prepared according to your organizational needs. ISO 22301:2019 provides some guidance on the information that needs to be collected during an interview. In general, the interview template should facilitate the collection of the following information:
The list of activities performed by the different departments that support your organization’s vision
Quantitative and qualitative scales for each process to determine its criticality
Impacts on the organization over time when the respective activities are not performed
Dependencies in terms of other activities inside your organization and external to your organization
Resource dependencies for the identified activities
The information systems that are used to support the respective business activities
There are no set rules to the spreadsheet design. You just have to make sure you capture the above information at a minimum. The spreadsheet could consist of a single worksheet or multiple worksheets, each capturing a category of information. Before you design the template, it is important to have enough discussions with the steering committee to determine the scales for MTPD, RTO and RPO, which will be used to capture the information.
Determining the measuring scales for MTPD, RTO & RPO
MTPD, RTO and RPO can be represented in minutes, hours, days or weeks. Collecting these measurements will help you determine how long a particular business process could withstand a disruption before it becomes a disaster (MTPD), at what point the business expects the activity to be up and running again (RTO) and how many hours’, days’ or weeks’ worth of information the business is willing to lose (RPO).
Ideally, once you identify the MTPD, the RTO is set at half to three quarters of the MTPD, unless that is impractical for your business. The scales for the above measures can be range-based or absolute. When a range-based scale is selected, the MTPD (and RTO, RPO) is usually provided as a range, such as:
0-4 hours
5-12 hours
13 hours-1 day
2-4 days
5 days-2 weeks
2 weeks or more
Alternatively, when an absolute scale is selected, the values are very specific such as:
4 hours
12 hours
1 day
4 days
1 week
2 weeks or more
Although there is no right or wrong in choosing either of the scales, choosing an absolute scale has some advantages. Absolute values leave no ambiguity regarding when information must be restored. Ranges, on the other hand, tend to confuse some people by providing two values, which leads to debate over whether a particular process must be restored by the 5 hour or the 12 hour mark of a 5-12 hour range.
An absolute-value scale therefore provides better clarity when the collected information is reported. Absolute values can also aid you in designing information systems with appropriate availability and data retention.
Impact area
When you conduct interviews, you should seek to find out what happens when your normal business processes are unavailable. The impact categories defined in your organization’s enterprise risk management framework must be integrated into your BIA interviews so that you understand how long it takes for an unavailable process to impact the business in each impact category (or business impact area).
Depending on your organization, your impact categories (or business impact areas) and their scale might be similar to the following:
Business impact area (or impact category): Finance, Legal, Reputation, Health & Safety, Productivity, Information, Customer
Risk scale: Very Low, Low, Medium, High, Very High
Keeping in mind the information we have discussed so far in this article, let’s move on to the template.
Designing the BIA template
The template must reflect the depth and breadth of information you would like to collect from the departments. As I have highlighted in the section “preparing for the business impact analysis,” there is certain information that you should ensure you capture and these will make up your base columns. Our examples depict spreadsheet templates, but you can also opt to use a different document format or to collect information through specific software.
The columns in Figure 03 are provided as an example. In a real scenario, depending on your business, the template might grow into multiple worksheets, each dedicated to a category of information. Below is a breakdown of the columns in the above spreadsheet template.
Process ID - a unique ID for the process within your organization. This is a key component for clearly mapping interdepartmental process dependencies. You can make this ID unique by starting with a three-letter department abbreviation followed by a three-digit number, starting at 001 for each department, e.g. FIN001 for the first process in the finance department.
Name - the name of the process or activity
Description - brief summary of the process’ purpose
Owner - the name of the process owner(s)
Dependent Process - process ID of the dependent process. When consolidating, you should replace the process ID with the process name and link to the respective process for easier analysis.
Dependent staff information - list of the staff name(s) involved at different parts of the process, namely the initiating, reviewing and approval phases. This list will help you determine the staff who need to be involved in restoring the process.
Impact area - each column represents an impact area from the enterprise risk assessment framework. The values in these columns should be drop-downs with all the impact areas listed as options.
Max Threshold - captures the MTPD, RTO and RPO for the respective process.
Dependent data storage - the location(s) where the data is stored, both physical and digital. If the process is automated, this could be a database of a particular information system. Otherwise, this could be a particular filing cabinet. Also capture the location for the alternate copy of this information.
Information System - captures whether the process is automated and, if so, the name of the information system. Knowing the automation status will help you conduct a risk assessment on the dependent information systems and also contribute to designing an appropriate IT disaster recovery plan.
Manual processes - captures whether a manual process exists and if so, how long it can be carried out before it becomes unmanageable.
Other resources - any other resources that are required to execute this process such as printers, office supplies, third party vendors or stamps.
Comments - free text comments from the interviewer intended for the analyst.
Once the template is designed, you must test it by entering sample information. After that, you must conduct workshops with the champions and SMEs to demonstrate the template and collect feedback to make the template suitable for real-world data capture. Once the template is fine-tuned (or close to being fine-tuned), you should send out the schedules for the upcoming business impact analysis interviews.
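The following script is an added example, not part of the original article or any BIA tool: it tests a completed template the way the paragraph above recommends, by loading a constructed CSV export of the spreadsheet and checking the rules discussed in this article. It assumes hypothetical column names (process_id, dependent_process, mtpd_hours, rto_hours, rpo_hours and so on), that MTPD, RTO and RPO are captured on the absolute scale (4 hours, 12 hours, 1 day, 4 days, 1 week, 2 weeks or more) expressed in hours, and that process IDs follow the three-letter plus three-digit pattern. It goes slightly beyond the text by computing, from the Dependent Process column, the recovery order and the tightest MTPD each supporting process inherits from the processes that depend on it.

```python
"""Sanity checks for a BIA template export (added example; column names are assumed)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export of the template. Not real organisational data;
# IT01 and FIN002 deliberately contain the kinds of errors the checks catch.
SAMPLE_CSV = """process_id,name,owner,dependent_process,mtpd_hours,rto_hours,rpo_hours,information_system
FIN001,Payroll run,A. Lee,HRM001,24,12,4,PayrollSys
HRM001,Timesheet approval,B. Roy,,96,24,24,HRCentral
FIN002,Supplier payments,A. Lee,FIN001,168,168,24,ERP
OPS001,Order fulfilment,C. Das,ITS001,12,4,4,OMS
ITS001,Identity services,D. Kim,,12,4,4,IdP
IT01,Network core,E. Fox,NET001,96,48,24,NMS
"""

# Absolute scale from the article, in hours: 4h, 12h, 1 day, 4 days, 1 week, "2 weeks or more".
ABSOLUTE_SCALE_HOURS = (4, 12, 24, 96, 168, 336)
PROCESS_ID_RE = re.compile(r"^[A-Z]{3}\d{3}$")  # e.g. FIN001


def load_bia(csv_text):
    """Parse the exported template into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_rows(rows):
    """Return (process_id, message) pairs for every rule the row breaks."""
    problems = []
    known_ids = {r["process_id"] for r in rows}
    for r in rows:
        pid = r["process_id"]
        if not PROCESS_ID_RE.match(pid):
            problems.append((pid, "process ID must be three letters followed by three digits"))
        mtpd, rto, rpo = (int(r[k]) for k in ("mtpd_hours", "rto_hours", "rpo_hours"))
        for label, value in (("MTPD", mtpd), ("RTO", rto), ("RPO", rpo)):
            if value not in ABSOLUTE_SCALE_HOURS:
                problems.append((pid, f"{label} of {value}h is not a value on the absolute scale"))
        if rto > mtpd:
            problems.append((pid, "RTO exceeds MTPD"))
        elif rto > 0.75 * mtpd:
            # Article guideline: RTO at half to three quarters of MTPD.
            problems.append((pid, "RTO is above three quarters of MTPD; review with the owner"))
        dep = r["dependent_process"]
        if dep and dep not in known_ids:
            problems.append((pid, f"dependent process {dep} is not in the template"))
    return problems


def _dependants(rows):
    """Map each process ID to the IDs of processes that depend on it."""
    known_ids = {r["process_id"] for r in rows}
    dependants = defaultdict(list)
    for r in rows:
        if r["dependent_process"] in known_ids:
            dependants[r["dependent_process"]].append(r["process_id"])
    return dependants


def effective_mtpd(rows):
    """Tightest window each process must meet: its own MTPD or, if smaller,
    the effective MTPD of anything that depends on it. Raises on a cycle."""
    by_id = {r["process_id"]: r for r in rows}
    dependants = _dependants(rows)
    memo, visiting = {}, set()

    def eff(pid):
        if pid in memo:
            return memo[pid]
        if pid in visiting:
            raise ValueError(f"circular dependency involving {pid}")
        visiting.add(pid)
        own = int(by_id[pid]["mtpd_hours"])
        memo[pid] = min([own] + [eff(child) for child in dependants[pid]])
        visiting.discard(pid)
        return memo[pid]

    return {pid: eff(pid) for pid in by_id}


def recovery_order(rows):
    """Kahn's algorithm: every process after its dependency, the most urgent
    (smallest effective MTPD) first among those that are ready."""
    eff = effective_mtpd(rows)
    dependants = _dependants(rows)
    indegree = {r["process_id"]: 0 for r in rows}
    for children in dependants.values():
        for child in children:
            indegree[child] += 1
    ready = [pid for pid, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda p: (eff[p], p))
        pid = ready.pop(0)
        order.append(pid)
        for child in dependants[pid]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    return order


if __name__ == "__main__":
    rows = load_bia(SAMPLE_CSV)
    for pid, msg in validate_rows(rows):
        print(f"{pid}: {msg}")
    print("recovery order:", " -> ".join(recovery_order(rows)))
```

On the constructed data the checks flag the malformed ID, the off-scale RTO and the unresolved dependency on IT01, and the RTO equal to MTPD on FIN002. The effective-MTPD step shows why the Dependent Process column matters: HRM001 has a 4 day MTPD of its own but inherits the 1 day window of the payroll run that depends on it.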
Conclusion
Business impact analysis is a crucial part of planning for business continuity, so designing a thorough data collection template is essential. The template must be designed according to your company’s needs and then tested with some real business scenarios. Only then can you confirm the interview schedules and officially begin conducting your analysis.