Andrew Hiles asks whether the business impact analysis process is fit for purpose.
A business impact analysis (BIA) stems from a risk assessment that is, at best, subjective. No matter how many decimal places it is calculated to, it depends on various things: on the balance of experience of the risk assessor (experience of a particular risk happening makes it seem more likely to happen again); on insurance statistics; emergency services data; past incidents etc. These statistics usually provide averages: if your feet are in the freezer and your head is in the fire, your average temperature is fine. But it isn't very comfortable. These averages have little direct relevance to me, here, now.
If we follow the statistics, something like 99.567 percent of all men involved in a car accident in Europe and North America were wearing trousers. The obvious risk reduction measure would be to take your trousers off when driving!
Statistical research is driven by funding and tends (maybe inadvertently, let’s be charitable) to follow a predetermined line to reach a preferred solution. How many successful grant applications have there been to researchers wanting to prove global warming does not exist? Or, to follow with equal vigour, all of the other possible causes of cancer apart from smoking? What possible causes? Hair sprays, deodorant sprays, adhesive fumes, exhaust fumes....
Statistics need to be approached cautiously and need to be read with a good dollop of common sense!
So why perform risk assessments? In a BIA we always focus on the end results, not the cause. However, a risk assessment does help to identify weaknesses, allows us to do something about them and, logic says, it therefore reduces the likelihood of the worst case (and lesser cases) happening. And a risk assessment provides great starting points for business continuity exercise scenarios.
So, having done the risk assessment, we turn to the BIA. We take the risks which have been identified and we apply a probability factor. ‘Past performance is no guarantee of future profits’, the small print reads in the financial adverts (how very true over the last two years!): equally it is no indicator of future risks happening. Annualised risk losses are a joke: life just isn't like that. Nothing happens; or it all happens at once!
Another health warning needs to be given: about over-reliance on software during the BIA process. This sometimes just adds credibility to a fundamentally unscientific process. A classic example was a well-known risk assessment package used by a client that solemnly informed its users that there was an 80 percent chance of an impact of £2,165,096. Not £2,165,095, not £2,165,097. C’m on! Garbage In, Garbage Out.
While I was bandying thoughts on risk assessment and BIA with a colleague, he suggested a possible improvement was borrowing from project management. What about using the ‘Three-point method’, he suggested, where you estimate the Optimistic, Pessimistic, and Most Likely outcomes, then use the formula: Estimate = (O + 4M + P) / 6?
BIA is probably more complex than project management, because it is built up from (usually) a larger number of individual risks to many different functions and their impacts, with the probability that not all of them will happen at the same time. Also the impact is time-dependent for each risk.
The project management line is essentially a weighted mean - equally meaningless for use in BIAs.
Basing a business continuity strategy on the outcome from the project management basis would not avoid the possibility that, if the worse than (sort of) mean case happened, the organization that followed it would be vastly under-provided for.
Another weakness of the project management method: the most optimistic case could be zero impact - playing with numbers based on one of them being infinity might be good Sudoku but.... does it have a practical value? Indeed, the most optimistic impact could even be positive. When my company was doing a BIA for an oil company, and was trying to get an impact value, one senior manager said: "Disaster? It just means the price of oil goes up." And it's not just the oil industry that can literally profit from disaster - like the growth in market share, brand value and share value of Commercial Union Insurance following the IRA terrorist bombing in Bishopsgate, London. If you follow Knight & Pretty’s (Oxford Metrica) logic, a well-handled disaster can improve share value etc by 10 to 20 percent. It's like a soldier having a 'good war'.
Losses for the same event will vary according to the day or business cycle. So on what basis do you use the BIA to decide business continuity strategies? Do you plan for the worst case with everything going wrong at the same time - paying hefty sums out of scarce revenue and capital for recovery capability for an event or scenario which actually is highly unlikely? Or do you plan for an average loss but not be able to cope with the worst-case event when it happens? Averages again - they bear little resemblance to reality. How scientific is that decision? Impact value depends on what time period you are looking at - days, weeks, months or years.
Most BIAs don't take insured value into account. Insurance? I've seen too many incidents not covered by insurance and too many policies so loaded with exclusion clauses that payout for the real incident is improbable. Insurance can take years to be paid - often too late. Besides, you have to prove loss (difficult) and insurance is forensic - it pays out on past performance, not on forecasts.
OK, I've been using similar methods to those above, for lack of anything better. But has anyone out there got a better way of conducting a BIA than using specious statistics and subjective judgement?
My wife, Dr Yvonne Gunn, was for many years a Fellow of the Chartered Institute of Statistics. Having discussed the various bases for risk assessments and BIAs with her, her professional and academic judgement was: "It's all b*******."
Author: Andrew Hiles, FBCI, is director of Kingswell International, a consulting company specialising in managing business risk and service delivery. www.kingswell.net ahiles@Kingswell.net
I'll give Andrew Hiles' article 'BIA: the Emperor’s new clothes?' 6/10 for comedic value.
As an operational business continuity manager for Nestlé S.A., the BIA, as we employ it, is foundational. Without using the version that I and a colleague (Georgios Solomos now with Tate & Lyle) developed specifically for use on our extensive and varied collection of manufacturing and distribution sites (Coffee, Chocolate, Milk Powder, Frozen Foods, Pet Foods, Ice Cream, Cereal, Culinary and Water plants), we could not have developed meaningful BCPs at Factory, Country, Region or the Head Office in Switzerland.
BCPs developed without an effective and realistic BIA are nothing but fantastical and unfounded optimism. They will not work and will deflect resource from where it really matters, whilst extending the recovery, if recovery is possible at all.
To an extent, I agree with Andrew. Attaching some of the statistical formulations for probabilities and the numbers used to assess occurrence is indeed nonsense!
We took the view that if a key Stock Keeping Unit (SKU) of a key brand at one of our sites depended on a process/activity/piece of equipment/system/supplier, and that these could be impacted by fire, failure, disruption etc., with the impact of creating a stock out in that market (country or region), then we had to develop three things:
1. A mitigating strategy - to avoid or significantly reduce the risk of disruption. This could be a simple review and change of maintenance procedures, maintenance frequencies or technical stock-holding policy (to oversimplify things for this answer).
2. A BCP to rectify the outage or bypass the equipment in order to keep operating at a local factory level. For example, if a boiler explodes and steam generating is impacted, then have a well-developed and documented plan to ship in portable boilers (on the backs of trucks), along with the space to site them, feed them with power and have the steam piped into the main steam ring main. In this way a boiler house explosion could be overcome in a couple of days instead of weeks, thereby avoiding a stock out of a key brand SKU.
3. A BCP to support that affected market with product shipped in from a sister factory in a different part of the region or another part of the world.
The latter is the real challenge because it involves different management teams spread across the world coming together in support of a major market elsewhere. This takes coordination at factory, market (country/region), and centre level. However, it is the only way to provide resilience and support in a rationalised, reduced asset environment.
BIAs must be performed by staff that have an extensive practical knowledge of the company from Factory to Head Office processes. Avoid slapping speculative numbers to probabilities of occurrence. Focus on the potential impacts and damage to revenue and reputation.
David Hulme, Business Continuity Manager, Nestlé.

The first statement "A business impact analysis (BIA) stems from a risk assessment" sets up a series of challenges to a BIA method. BS 25999 and the GPG suggest that a BIA is undertaken first, without the pre-conceptions "gained" from trying to guess the causes of incidents and their associated probabilities. If this approach is adopted most of the issues raised in the article disappear. It can be argued that BCM is not a risk discipline at all but has its own distinct approach to the management of the unexpected.
Ian Charters, FBCI, Continuity Systems Limited

• Date: 5th June 2009 • Region: UK/World • Type: Article • Topic: BC general
UPDATED 9TH JUNE