A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products and services and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology and data, these elements include suppliers and the goods they supply, the internal process stream (or streams that transform the resources and input), and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to be successful in planning for disruptive incidents.
The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies in use by other disciplines to improve performance throughout the organization?
Two of the major regulations or standards documents, the FFIEC BCP IT Examination Handbook (March 2008) and ISO 22301 – Societal Security – Business continuity management systems – Requirements (May 2012), both make reference to understanding the organization, but provide a minimal amount of guidance for execution in their discussion of Business Impact Analysis.
The FFIEC Handbook, in describing the analysis requirements, states that:
“The BIA should include a work flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered.
The work flow analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services.”
Appendix F further explains the requirements and potential information sources:
“The Business Continuity Planning Committee and/or Coordinator should review organizational charts, observe daily work flow, and interview department managers and employees to identify critical functions and significant interrelationships on an enterprise-wide basis. Information can also be gathered using surveys, questionnaires, and team meetings.”
ISO 22301 contains requirements for process analysis in Section 8.2.2 – Business impact analysis:
“The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives, and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services.
The business impact analysis shall include the following:
a) Identifying activities that support the provision of products and services;
b) Assessing the impacts over time of not performing these activities;
c) Setting prioritized timeframes for resuming these activities at a specified minimum
acceptable level, taking into consideration the time within which the impacts of not
resuming them would become unacceptable; and
d) Identifying dependencies and supporting resources for these activities,
including suppliers, outsource partners and other relevant interested
Unfortunately (but by design), these documents outline the requirements but provide little in terms of guidance.
This lack of guidance has left many organizations struggling to find solutions to enable compliance. Many business continuity planners, especially those who are relatively new to the field, are looking for a way to understand their organization’s business processes, resource needs, and stakeholder expectations. Often, they turn to business continuity planning software products as a potential solution. While many of the advanced products offer a “Business Impact Analysis (BIA) module”, most serve as a repository of information rather than an approach and methodology to understand and collect the organization’s strategy, its products and services and the processes that add value – knowledge that the planner often does not have available at the early stages of program development. Others who do not turn to software products simply dive straight into detailed data collection for every department (interviews or questionnaires perhaps) based on an approach or report downloaded from the internet (which unfortunately can be less strategic and often far too tactical in nature).
A potential solution to the problem can be found in the techniques used by other disciplines for business process analysis and process reengineering. There are numerous methodologies and models that have been developed and matured over the years – from business process mapping and business process reengineering to analytic tools related to Lean and Six Sigma methodologies. While we are not advocating becoming an expert in any of these disciplines, leveraging specific, appropriate tools can greatly improve the quality of your business continuity planning efforts and outcomes. Additionally, depending on their use in other areas of your organization, tools borrowed from Lean and Six Sigma could enable your program to be more easily accepted in the early stages of development. The following table summarizes some of the tools and techniques offered by these two disciplines and how they might benefit the business continuity planning effort (some of which move beyond process understanding and analysis):
The list above is by no means a comprehensive analysis of all techniques and tools that can be leveraged by business continuity professionals, or a recommendation to use all of them in any program. However, two that can assist with the BIA effort, flowcharting and SIPOC, are techniques that Avalution strongly recommends. We will discuss and describe these tools further.
If you are lucky enough to have a process improvement culture or even a group within your organization, the first step is to learn what methods are utilized for process mapping and dependency analysis and leverage previous work as a starting place for the business continuity analysis (where possible). Keep in mind that you do not need to master the entire methodology – only explore and leverage the parts you need. If your organization does not have an established capability in this area, two good sources of practical techniques are Lean and Six Sigma (as described above). Both methodologies were established for process improvement and have merged in several areas over time. The methods from these disciplines that we recommend to assist with the BIA process are flowcharting and a structured interview technique based on what Six Sigma calls SIPOC. With flowcharting, the objective is to take an individual product or service and document the process steps, often in an iterative manner, until sufficient detail is achieved to identify activities and resources. A simple iterative model is shown here – for business continuity purposes the key is to know where to stop.
In general, you have achieved the appropriate level of detail if the activities are all conducted by the same group or department, or from a systems perspective, if all process steps utilize the same equipment or application. If you’ve reached a level where all the elements will be recovered, you do not need to know additional details at this point.
The other technique, which we often use in conjunction with process mapping flowcharts, is referred to in Six Sigma as SIPOC. SIPOC stands for Supplier, Input, Process, Output, and Customer and it allows you to examine processes and dependencies at a detailed level. We have found it is most effectively employed as a tool to structure departmental interviews. The table below demonstrates a simple analysis for two functions within an A/R group.
The urge to use this technique in a survey format should be avoided whenever possible. Much of the value of this technique lies in hearing a department representative discuss their activities. The interview format also provides the opportunity to probe and discover key elements such as key suppliers or critical raw materials with no viable alternatives.
These two simple techniques, if executed and documented properly during the early stages of business continuity program development, will fulfill the requirements of the standards noted at the beginning of this article and, more importantly, provide a clear picture of your organization’s critical products and services, supporting processes, and key dependencies.
Overall, the structure and tools available through established process improvement and quality methodologies can be a great resource for business continuity professionals. We highly recommend investigating these disciplines, or others that may be available in your organization, to expand your business continuity toolkit.
- Implementing ISO 22301: The Business Continuity Management System Standard
- Applying Root Cause Analysis (RCA) to Business Continuity
- Plan Do Check Act (PDCA) – How it Applies to Business Continuity
Avalution Consulting: Business Continuity Consulting