Dwight D. Eisenhower is famously quoted as saying: “In preparing for battle, I have always found that plans are useless, but planning is invaluable.” This truism carries over from the battlefield to Business Continuity Planning (BCP). However, the Business Impact Analysis (BIA) suffers a fatal flaw, thus often compromising the planning stage.
What are the components of the BCP landscape?
For those who aren’t steeped in the inner workings of continuity planning, I will lay out the general framework. Every BCP has the following components:
- A BIA to determine process priority
- A BCP to lay out recovery sequencing
- A Resiliency (or Recovery) Plan (BRP) to pave the way out of disaster
Business Impact Analysis defined
We will focus our attention on the BIA. First, by way of Gartner, let’s afford ourselves a working definition:
“A business impact analysis (BIA) is a process that identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and so forth) of natural and man-made events on business operations.”
The common goal of BIAs is to understand the links between the processes that drive the business, their interdependencies, and the outcomes of outages, all in financial terms. For the IT side of the house, that means continuity planners should be able to prioritize IT resources in the most efficient order to minimize the process outage. Ideally, planners would prioritize IT resources so that the highest-impact items are recovered first.
But where is the fatal flaw I mentioned earlier? It's in the execution phase. There is one critical error that the more than 100 BCPs I’ve been exposed to share: they fail to articulate impact in the expected financial terms. Without fail, all off-the-shelf BIAs rank business processes on arbitrary categorical (or ordinal) scales, where 0 or 1 represents the most critical tier of process and 3 or 5 represents the least critical.
Categorical scales in BIAs beg the question…
How do we know which top-tier process is most important if they all share the same impact rating? In some BIAs, dollar values are used; however, they are no more than ranges associated with a tier to delineate one tier from another. Helpful, but not good enough.
This poses a substantial challenge to recovery planners. Without impact ratings expressed in financial terms, your organization is left to its own subjective devices to determine priority. The wailing and gnashing of teeth ensues as anecdotes and emotion take hold of the list and reorganize it. Ultimately, the integrity of the BCP can, and should, be called into question. If the planning has become insufficient, how much more useless must the plans be?
Why should risk professionals care about BIAs?
BIAs are nothing more than another type of risk assessment, and they share the same common fallacies we see in the majority of risk assessments. The clearest path to resolution here is to use a model such as Factor Analysis of Information Risk (FAIR) as a means of evaluating the financial impact of process outages. Armed with FAIR-based results, such as those provided by RiskLens, it becomes objectively evident which processes are most critical to the business and deserve first priority. Without financial terms, BIAs are not economical.
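To make the tier-versus-dollars argument concrete, here is an added example (not from the original article, and not RiskLens or FAIR Institute code) that ranks a constructed set of processes two ways: by an ordinal BIA tier, which leaves the top tier tied, and by a FAIR-style annualized loss exposure (loss event frequency times loss magnitude), which yields a strict recovery order. The process names, outage-hour ranges, frequencies and hourly costs are constructed sample values, not data from the page.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Process:
    name: str
    tier: int                 # ordinal BIA tier: 1 = most critical
    outages_per_year: float   # FAIR loss event frequency (LEF) estimate
    hours_min: float          # outage duration range, modelled as a triangular
    hours_likely: float       # distribution (min / most likely / max)
    hours_max: float
    cost_per_hour: float      # loss magnitude driver in dollars per hour of outage


# Constructed sample data: three Tier-1 processes an ordinal scale cannot separate.
PROCESSES = [
    Process("Order capture",      1, 2.0, 1.0, 4.0, 24.0, 15_000),
    Process("Payment settlement", 1, 0.5, 2.0, 8.0, 48.0, 40_000),
    Process("Customer portal",    1, 4.0, 0.5, 2.0, 12.0,  5_000),
    Process("Internal wiki",      3, 6.0, 1.0, 4.0, 16.0,    200),
]


def expected_annual_loss(p: Process) -> float:
    """Annualized loss exposure: LEF x mean outage hours x cost per hour.

    The mean of a triangular distribution is (min + likely + max) / 3, so this
    is the closed-form expectation of the per-outage loss, scaled by frequency.
    """
    mean_hours = (p.hours_min + p.hours_likely + p.hours_max) / 3.0
    return p.outages_per_year * mean_hours * p.cost_per_hour


def rank_by_tier(processes) -> dict:
    """Group processes by ordinal tier; every group with >1 member is a tie
    the BIA gives recovery planners no way to break."""
    groups = defaultdict(list)
    for p in sorted(processes, key=lambda p: p.tier):
        groups[p.tier].append(p.name)
    return dict(groups)


def rank_by_exposure(processes) -> list:
    """Strict recovery order: highest annualized loss exposure first."""
    scored = [(p.name, round(expected_annual_loss(p), 2)) for p in processes]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("Ordinal tiers (ties):", rank_by_tier(PROCESSES))
    for name, dollars in rank_by_exposure(PROCESSES):
        print(f"{name:20s} ${dollars:>12,.2f} / year")
```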