Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

The value model for business impact analysis.

Business Continuity Expo And Conference : 22 November, 2007  (Technical Article)
James Mitchell of eBRP Solutions reports on Business Impact Analysis practice and how to get value from it in the overall business continuity process.
The standard practice of conducting a Business Impact Analysis (BIA) to determine the basic recovery requirements (Mission Critical Processes, RTO's, RPO's, Critical Applications, Suppliers, and other Resources) is a vital phase of every Business Continuity Management program.

The BIA process can be long and difficult - no matter what data collection method is used. Is the return on your BIA investment (time, manpower and resources) offset by the value of the results?

If a BIA is a fundamental part of BCM, the underlying cost may simply be a necessary evil. But, when a BIA is a one-time 'project' - as in many organizations - is the cost realistically proportional to the value?

Some organizations conduct a BIA expecting to repeat the process at regular intervals. However, once the initial BIA is completed and the true cost known, such expectations are often abandoned.

Failure to update a BIA is a leading cause of Recovery Plan failure. Change is the only constant in business. A BCM program lacking up-to-date BIA data yields Plans that don't reflect the organization's true requirements.

Intending to update a BIA is easy; yet the update process often fails.
Consider the effort required to complete the original BIA: questionnaire preparation, distribution and collection; interviews to "normalize" the results, plus the cost of analysis and report generation.

Often, the original BIA process "project", may take three to eight months. Significant business changes make the prospect of repeating that lengthy process daunting. Postponing the update may be rationalized. Like most things in life, postponing difficult tasks allows them to grow more unwieldy
To streamline the process, the updated BIA must focus on the changes - rather than repeat the entire process. It is likely that much of the information from the earlier BIA is still valid. The update process simply entails drilling down to which business processes have changed, and how those changes affect the original BIA results. Of course, the method used to conduct the earlier BIA will determine just how easy - or how difficult - the update process becomes.

In Information Technology, an updating process is generally ongoing (Change Management) because IT changes have a direct impact on daily operations. In business operations, changes occur regularly, but are seldom, if ever, documented. (To be fair, no matter how robust the IT program, not every organization consistently correlates its Change Management information with its DR Plan.)

Is it sufficient for individual business process "Owners" or function leaders to update their own critical resource requirements? Yes, if the update method allows for the capture of changes in enterprise-wide dependencies (on other processes, applications, etc.). But no effective update can be conducted in a vacuum; any change to critical dependencies or resources is likely to have a corresponding affect upon those dependent processes.

While it may be efficient for a process team to update its own BIA, only by collecting and integrating changes across the enterprise can the true impact of business changes emerge.

Frequently, the cost of updating a BIA (in manpower and time) is perceived as unjustifiably high. Not updating a BIA may become an accepted risk. BCM management may opt to focus on BC/DR Plan updating (assuming most process owners understand the impacts of change and will modify their Plans appropriately) without revising the BIA. The more burdensome the BIA process, the higher the propensity not to repeat it.

Once made, such a decision often becomes institutionalized. Later, the failure to reflect fundamental changes in the organization's structure may result in flawed Plans and a failed recovery. With luck, flaws show up in a test or exercise - not a real life incident.

Does your existing BIA format lend itself to manipulation? Or do you have to start from scratch? Do you use software that integrates BIA and Plan development?
Does the BIA format lend itself to the use of collaborative tools? Can business process owners gain access to the original BIA survey? Network- or Web-based collaborative tools reduce the pain of updating a BIA, while enabling monitoring and auditing of the process by the BCM leaders or planners.

Assess your options, and pick a BIA updating method that works best for your situation. It may not be free, it may be time-consuming, and it may not be painless. But it will pay dividends if you have a disruptive event.
An out-of-date BIA exponentially increases the chances of Plan failure. The BIA provides the core upon which an organization's Plans depend. Without up-to-date BIA information, the validity of Plans should be questioned, and their successful execution must be suspect.

eBRP Solutions, Inc will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2- 3rd April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before during and after an incident.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo