James R. Mitchell, CBCP, director, eBRP Solutions, Inc.
Cost vs. benefit
The standard practice of conducting a business impact analysis (BIA) to determine the basic recovery requirements (mission critical processes, RTOs, RPOs, critical applications, suppliers, and other resources) is a vital phase of every business continuity management program.
The BIA process can be long and difficult – no matter what data collection method is used. Is the return on your BIA investment (time, manpower and resources) offset by the value of the results?
If a BIA is a fundamental part of business continuity management, the underlying cost may simply be a necessary evil. But, when a BIA is a one-time ‘project’ – as in many organizations – is the cost realistically proportional to the value?
Some organizations conduct a BIA expecting to repeat the process at regular intervals. However, once the initial BIA is completed and the true cost known, such expectations are often abandoned.
Focus on change
Failure to update a BIA is a leading cause of recovery plan failure. Change is the only constant in business. A business continuity management program lacking up-to-date BIA data yields plans that don’t reflect the organization’s true requirements.
Intending to update a BIA is easy; yet the update process often fails.
Consider the effort required to complete the original BIA: questionnaire preparation, distribution and collection; interviews to ‘normalize’ the results, plus the cost of analysis and report generation.
Often, the original BIA ‘project’ may take three to eight months. Significant business changes make the prospect of repeating that lengthy process daunting. Postponing the update may be rationalized. Like most things in life, postponing difficult tasks allows them to grow more unwieldy.
To streamline the process, the updated BIA must focus on the changes – rather than repeat the entire process. It is likely that much of the information from the earlier BIA is still valid. The update process simply entails drilling down to which business processes have changed, and how those changes affect the original BIA results. Of course, the method used to conduct the earlier BIA will determine just how easy – or how difficult – the update process becomes.
In information technology, an updating process is generally ongoing (change management) because IT changes have a direct impact on daily operations. In business operations, changes occur regularly, but are seldom, if ever, documented. (To be fair, no matter how robust the IT program, not every organization consistently correlates its change management information with its disaster recovery plan.)
The whole is greater than the sum of its parts
Is it sufficient for individual business process ‘owners’ or function leaders to update their own critical resource requirements? Yes, if the update method allows for the capture of changes in enterprise-wide dependencies (on other processes, applications, etc.). But no effective update can be conducted in a vacuum; any change to critical dependencies or resources is likely to have a corresponding effect upon those dependent processes.
While it may be efficient for a process team to update its own BIA, only by collecting and integrating changes across the enterprise can the true impact of business changes emerge.
The path of least resistance
Frequently, the cost of updating a BIA (in manpower and time) is perceived as unjustifiably high. Not updating a BIA may become an accepted risk. Business continuity managers may opt to focus on BC/DR plan updating (assuming most process owners understand the impacts of change and will modify their plans appropriately) without revising the BIA. The more burdensome the BIA process, the higher the propensity not to repeat it.
Once made, such a decision often becomes institutionalized. Later, the failure to reflect fundamental changes in the organization’s structure may result in flawed plans and a failed recovery. With luck, flaws show up in a test or exercise – not a real life incident.
What’s in your toolbox?
Does your existing BIA format lend itself to manipulation? Or do you have to start from scratch? Do you use software that integrates BIA and plan development?
Does the BIA format lend itself to the use of collaborative tools? Can business process owners gain access to the original BIA survey? Network- or web-based collaborative tools reduce the pain of updating a BIA, while enabling monitoring and auditing of the process by the business continuity managers or planners.
Assess your options, and pick a BIA updating method that works best for your situation. It may not be free, it may be time-consuming, and it may not be painless. But it will pay dividends if you have a disruptive event.
An out-of-date BIA exponentially increases the chances of plan failure. The BIA provides the core upon which an organization’s plans depend. Without up-to-date BIA information, the validity of plans should be questioned, and their successful execution must be suspect.
eBRP Solutions, Inc. will be exhibiting at the Business Continuity Expo and conference held at EXCEL Docklands from 2-3rd April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before, during and after an incident. www.businesscontinuityexpo.co.uk
• Date: 30th Nov 2007 • Region: World • Type: Article • Topic: Plan dev.