Akrogoniaios Technologies Corp.


Business continuity planning: Conducting the Business impact analysis interviews

In Part 6 of our Business Continuity Planning series, we discussed the preparations required to conduct interviews for a business impact analysis (BIA). In this article we will discuss conducting interviews with your selected champions and subject matter experts (SMEs) for the analysis.

Note: We highly recommend you read Part 6 first (if you haven’t already) to familiarize yourself with the terminology of a Business Impact Analysis.

Figure 01: Preparing to conduct interviews for business impact analysis (BIA)

Preparing for the workshop

Workshops are important to prepare the champions and SMEs for the interviews. Once you have tested the BIA interview data collection template using sample business processes, you need to set up workshops with the champions and the appointed SMEs. The objective of the workshops is to make the champions and SMEs aware of the information that is going to be collected and the questions they should expect during the interview process. This will also help you fine-tune the template you use to collect the data.

Another step you can take ahead of the interviews is to conduct mock interviews with volunteer champions or SMEs. To strike a balance between keeping the session short and getting enough helpful feedback, we recommend finalizing no more than two volunteers. You can ask the volunteers to come up with one complex business process and one simple business process for the workshop. Additionally, it is good to set the expectations for the workshop by sending the template in advance so that the champions are prepared and the workshop is productive.

Conducting the mock interview

Bear in mind that each department takes the activities performed by their respective staff seriously and they are proud of that. Hence, it is important to avoid using words that make them feel that the activities they perform are not relevant to the organization, as opposed to the ones managed by the other departments such as Finance or Information Technology. 

During the mock interviews, quickly run through the template that is going to be used with all attendees and provide an overview of the objectives for the mock interview. This run-through should not take more than 15 minutes, since you should spend most of your time on conducting the interviews.

Hopefully, by the time you are conducting the mock interview, you have already launched an awareness campaign: emails and meetings in which you inform all involved parties about the purpose of the upcoming BIA interviews. If some of the attendees do ask questions with regard to the purpose of the BIA interviews, you should remind them that it is to identify how long the business can withstand a disruption to its business processes and to find a way to prioritize its recovery.

Be sure to explain each template column and ask for feedback. If you get into a discussion where the champion thinks that the process is critical to the organization, but you don’t agree, you should still document their reasons before moving on to the next column or process. In the end, it is up to the committee and the directors to let you know which processes are critical and thus prioritized for recovery.

Finalize the template

After the mock interviews, go back to the drawing board and review the template based on the feedback and/or observations you have noted. Remember, your objective is to collect good enough data to enable prioritization of business process recovery during a disaster and so, do not seek perfection. However, ensure the data collected fulfills your organization’s compliance requirements — if any. Once the template is finalized, send it to the champions at least two days in advance.

The mock interview also helps the interviewers get a sense of the questions that might be asked in the interview sessions. Also, decide whether you are going to use one template per department or one template per interviewer, depending on your team's preferences.

Common pitfalls to avoid in the actual interview

The BIA interview sessions, unless conducted by seasoned professionals, could get on the wrong side of the champions. Below are some of the common pitfalls you should avoid in order to conduct successful interviews. Conducting interviews in stages will help you pivot and recover if you do fall into some of these pitfalls.

Figure 02: Common pitfalls to avoid when conducting the BIA interviews

Excessively challenging the department champions - the champions are proud of what they do and it's not your job to challenge all the information they provide. This is why it’s so important that your data collection template has elements that lead to quantitatively classifying the processes by impact and overall value to the business. In the end, it's up to the committee and the directors to look at the analyzed processes and confirm their criticality.

Acting as a subject matter expert on the department's processes - despite the wealth of knowledge you may have, the departments are the owners and they do what they do on a daily basis. Use your knowledge to guide them to the right answer, rather than answering for them.

Confusing business impact and risk - this one is very common, and being prudent during the interview sessions will help you avoid a mix-up. Risk is about the impact of a vulnerability on your business when it is exploited by a threat actor. Business impact, on the other hand, pertains to how much pain a business experiences when its business processes are unavailable.

Conducting only top-down or bottom-up interviews - more often than not, a member of the management team will provide a very high-level view of a business process, and their subordinates will provide more detail about the process, such as the “habits” of the people involved. The champions, if they are the head of the department, must involve at least one subordinate during the interview sessions. Likewise, if the champion is not the department head, the data collected during the interview must be sent to the department head and discussed at least once.

Assuming all the departments have a mature process or know what a process is - sometimes you may come across departments that treat certain activities as official processes and start describing them. This happens often in the departments that handle the administrative affairs of the organization, and sometimes even in other departments that are process-oriented. To avoid this, you should clearly outline which processes you will be examining and provide a variety of detailed examples.

Manpower single point of failure - sometimes organizations have only one staff member handling a critical process, which can be a risky situation. This arrangement is sometimes used as a job security mechanism, so you must tread carefully during the interviews. During the risk assessment, some of these single points of failure should be addressed and backup staff should be identified.

Spoiling your relationship with the interviewing departments - you will need the cooperation of the departments for a very long time, so you need to shy away from acting as a subject matter expert or an investigator.

Interview sessions

Allocate enough time for the interviews and use the first session to capture the list of business processes performed by the department. It is important to distinguish between business processes and activities, since some activities are not associated with any process, for example, daily standup meetings. You need to focus on capturing the business processes and the associated (or dependent) activities. When you find an activity that is not associated with any process (or that cannot be defined as a process), ignore it.

Champions usually find this exercise surprising and even eye-opening. They discover broken processes or gaps with some of the current processes and it may lead to process quality improvements eventually (outside the scope of business continuity planning). Once you capture the list of processes, move on to capture the rest of the information, process by process.

Post interview consolidation and initial analysis

After every interview session, review the information you have gathered and start making your preliminary analysis. These preliminary analyses will help you find gaps and fine-tune the data collection. When you discover an interdepartmental dependency, refer to the information collected from each department involved in the interdependent processes. If you find discrepancies in the information provided, mark them and discuss them with the analyst who conducted the interview and with the department that was interviewed.

Additionally, when you shortlist business processes based on the priorities provided by the interviewer, you will start identifying the gaps and also whether a particular process should be categorized as a critical process. By looking at the business impact, MTPD, RTO and RPO, you can identify whether a business process is critical or not. If a champion or SME says that payroll is a critical business process, the respective business impact, MTPD, RTO and RPO must reflect the criticality.

If you come across a process that is said to be Very High in its criticality, but the MTPD does not say “5 - Very High”, then it cannot be a critical process. Also note that the MTPD of a process can be “2 - Low” during a certain period of time and then become “5 - Very High” during its peak time. In our example of the payroll process, the overall process and related activities could be “2 - Low” for most of the month, except for the period starting three days before the payroll.

Follow up and concluding the interviews

Once you have conducted a preliminary analysis, it’s likely you will have questions. You can get answers to these by scheduling brief follow-up interviews with the champions and SMEs. If the department’s champion is not the head of the department, you must request that the department head attend the follow-up session, then summarize the data and get their acceptance.

Optionally, you could send the interview data with a preliminary analysis in advance to the department champion (and the department head) so they can prepare. During the follow up interview, keep your attention on the preliminary analysis, identified gaps, interdepartmental-dependent processes and other missing information. By keeping the scope tight, you can focus on closing the interview phase and moving towards the analysis and report development.

Update the relevant spreadsheet template columns with the feedback received. When enough information has been collected to support your prioritization activities, you should conclude the interview with the champions and start the analysis. 

Conclusion

Your business recovery strategy will rely heavily on the analysis of the data collected during the interviews, so make sure you are well prepared for them. To do that, conduct mock interviews to ensure the champions are aware of the data they need to provide. After the mock interviews, further refine your data collection template. During the actual interviews, be aware of the common pitfalls and try to avoid them as much as you can. Once the interviews are done, conduct a preliminary analysis and then hold follow-up interviews before concluding the interview phase.