What is Business Impact Analysis?
The business impact analysis (BIA) is a process that defines business continuity requirements. This includes setting strategic recovery priorities, inventorying in-scope functions and resources, and setting target recovery timeframes for those functions and resources. The major outcomes associated with the BIA include:
- Setting strategic priorities that define the products and services that must be delivered during a disruptive incident and how quickly service delivery must resume
- Inventorying business activities and resources to build a solid foundation of what needs to be recovered following a disruption
- Establishing recovery timeframes that help the organization determine when resources need to be recovered and help in prioritizing risk treatment options and recovery strategies. Recovery time objectives (or RTOs) should be established in such a way that, if achieved, would enable an organization to also meet its strategic priorities.
At Avalution, we have the people, expertise, and technology to efficiently define business continuity requirements, which, at the end of the day, is what the BIA is meant to accomplish. When we execute a BIA, we deliver a foundation upon which an organization can reduce risk and implement effective response and recovery strategies.
What Are The Common Challenges With A BIA?
Confusion Around What ‘BIA’ Means In The First Place.
There is often confusion around the business impact analysis. As a result of this confusion, some organizations ask if the BIA is totally irrelevant or even dead. In reality, much of this angst stems from a fundamental misunderstanding – and over complication – of the business impact analysis.
Many organizations struggle to define exactly what the BIA is, understand its value, and create an effective execution plan. At Avalution, we simplify the BIA and remove the confusion around terminology and jargon. We view the BIA as a tool to define business continuity requirements and the foundation of any good business continuity program. We also stay strategy-focused by defining strategic recovery priorities first, using a top-down approach, and then leverage that information as a guide for the BIA process and business continuity program.
Unlimited Scope And Too Many Data Points
Many organizations struggle with the volume of data that needs to be collected during the BIA or believe that the BIA needs to address every aspect of the organization simultaneously. For large organizations that deliver dozens of products and services and have hundreds of resource dependencies, it simply might not be realistic to tackle all of this at once. At Avalution, we focus on gathering the right information that allows an organization to make informed decisions regarding recovery objectives and then we put it into a format that is easily consumable by the business. Our data-gathering approach can easily be augmented by using the Catalyst tool, which leverages the information entered during the BIA process to automatically track key department dependencies – across facilities, equipment, people, applications, and suppliers – and then visually displays them in an interactive dependency map so you can explore and understand upstream and downstream impacts. Both our consulting and Catalyst-based approaches can be tailored to collect the right information based on the context of your organization. Contrary to conventional wisdom, the BIA does not need to be long and complex to be effective.
The BIA Doesn’t Evolve With The Business
A BIA isn’t a once and done analysis – it has to be updated as your organization changes. At Avalution, we leverage our business continuity software platform, Catalyst, to put the BIA into a format that is continually accessible and makes the BIA a living process. In addition, we work with our clients to make the BIA part of the change management and onboarding processes where needed, so that business continuity requirements grow and evolve with the business. Finally, we work with our clients to implement good program management techniques that makes the BIA repeatable.
BIA Becomes Too Time-Consuming
For many organizations, the BIA becomes a laborious effort for the business and conflicts with other priorities and business operations; the business must dedicate hours upon hours to the BIA process or is forced to complete long and complicated surveys. Avalution’s unique data gathering approach uses an organization’s time efficiently, as we engage with the business through data gathering interviews (typically lasting 60-minutes) and produce a summary that can be validated quickly. Avalution can also pair our consulting approach with our Catalyst tool to better leverage information gathering. Once Avalution initially compiles information using Catalyst, it is easy to update information in future BIA refreshes.
Recovery Requirements are Too Aggressive
When business owners demand overly aggressive recovery capabilities, or an organization struggles to use consistent criteria to set RTOs, this can lead to skewed results. Avalution’s consultants know how to recommend RTOs based on how impacts materialize over time and strategic recovery priorities. Our team is practiced at having tough conversations with business owners, and we know how to “push back” when needed – without alienating anyone.
Data Gathering does not Help IT Disaster Recovery Initiatives
Organizations are often unable to provide IT with the data needed to define disaster recovery requirements through the BIA process. IT, therefore, is forced to engage the business separately or make educated guesses on disaster recovery requirements. Avalution’s BIA approach clearly defines application-level RTOs and data loss tolerance requirements, enabling IT to understand business requirements and assess backup and recovery capabilities. Avalution’s approach also provides consistency between business and technology recovery objectives. Catalyst can also be used to create reports and application listings that help clearly define what IT requirements the business is asking for and what IT commits to or can provide. This enables the identification and remediation of gaps – leading to a coordinated and aligned business continuity planning effort.
At Avalution, we have refined our tools and processes over many years of performing BIAs for our clients. We have established an efficient process for executing the BIA that results in clear and actionable business continuity requirements. When we perform a BIA, we also enable an organization to effectively assess risk, identify and implement recovery strategies, document meaningful plans, and ultimately provide assurances to key stakeholders. Whether your organization is leveraging Avalution’s experienced consultants or our business continuity planning tool, Catalyst, we will help make sure that your BIA is done in alignment with best practices and tailored to your organization. Finally, through it all, we stay strategic and stay focused on meeting management’s stated recovery priorities.
Although we customize our approach for each client we work with, the BIA can be broken-down into four basic phases:
- Scoping and Management Input: This phase involves understanding an organization’s obligations, breaking down the products and services delivered, and engaging with executive management to understand recovery requirements around each product and service. The outputs of this phase are:
- A clear scope statement (for the BIA and likely the business continuity program as a whole), illustrating which products and services will be addressed.
- A clear understanding of when each product and service would need to be resumed following a disruptive incident and the level of performance needed to meet stakeholder obligations (collectively, strategic recovery priorities).
- Data Gathering: This phase involves meeting with business owners and subject matter experts to understand in-scope functions, inventory resources, and gather the information need to recommend recovery objectives.
- Initial Validation: This phase involves summarizing the results of data gathering meetings with each individual business owner to ensure the information captured is accurate and reflects the needs of the business.
- Analysis and Summarization: The final phase of the BIA involves bringing together information from across the business to form a prioritized list of business functions and identifying mission-critical resources (resources that would result in a disruptive incident if interrupted). Avalution provides this information to management in a consumable format for final validation, which completes the BIA process.
Following the BIA, an organization can use the complete set of business continuity requirements to perform other key planning activities, including gap analyses, strategy identification efforts, plan development, and so on. Avalution believes that without the BIA, an organization cannot plan effectively. After all, how can you plan without knowing what you are planning for?
Let’s take a real-world example to move from the theoretical to the practical. Avalution recently conducted a business continuity program implementation for an insurance provider in the southeastern United States. This organization develops, markets, and administers insurance products. To begin the project, Avalution worked with this organization to setup an executive committee responsible for business continuity and set clear strategic recovery priorities for the organization, which included:
- Little to no downtime tolerance activities that receive policy claims and customer inquiries
- Little to no downtime tolerance for the core technology platform
- Restoration of financial reporting and other administrative functions which impact customers and clients within 2-3 days
Based on this management guidance, Avalution engaged with a series of department leaders and subject matter experts to understand the functions and resources that are needed to meet these priorities. As part of the BIA, Avalution established target RTOs for each in-scope function and resource and validated these figures with the steering committee. Following this process, Avalution facilitated a strategy analysis and worked with the organization to create a resiliency roadmap, based on the requirements established during the BIA. The roadmap included:
- Enhancing backup power capabilities at the organization’s new offices;
- Rolling out a secure remote desktop solution for customer and client facing areas;
- Working with smaller offices outside of the corporate complex to cross-train personnel on time-sensitive functions, providing an immediate failover solution in the event of a disruption;
- Evaluating current technology backup and recovery capabilities and providing recommendations on how to better leverage cloud computing and emerging technologies;
- Providing strategic recommendations on how to achieve better resiliency and customer service through geographic separation; integrated these recommendations into the larger business plan making them more practical and achievable.
This brief case study illustrates how a business impact analysis can set business continuity requirements effectively and drive change almost immediately, increasing an organizations overall level of resiliency and preparedness.