To BIA or not to BIA: a response from Steve Dance

Steve Dance reacts to the debate that has commenced in the wake of Continuity Central’s recent survey into attitudes to the business impact analysis and the risk assessment elements of the business continuity lifecycle.

I completely support the views of Lindstedt, Armour and Barnes on this – what should be a sensible approach to prioritisation has been made into an esoteric, convoluted process which has been put on a pedestal and enshrined as a biblical truth that only heretics would dare question. 

For me, the ‘BIA’ has now become so over-engineered and ubiquitously applied that it is no longer useful for focusing on real business priorities. Whether performed with the support of an automated tool or not, the BIA eventually descends into an activity that is performed purely to satisfy requirements for compliance, making it a periodical ‘tick in the box’ activity that adds very little value to the business (even though its proponents may think otherwise).

In his response, Peter Barnes describes a process where senior management basically set the parameters that steer the development of business continuity capabilities according to business priorities.  For me this is not just a ‘fast track’ approach, it’s also the most practical.  I have seen this fast track in operation and found that other significant benefits accrue from its use, including:

  • Management give a clear direction in respect of the response and recovery capabilities that the organization needs to mitigate exposures such as contractual liability, regulatory obligations, customer and counterparty goodwill and financial liquidity.  This gives a clear steer to the organization as to the capabilities needed to be developed to mitigate these exposures;
  • Once these priorities have been defined, the main participants required to develop (and subsequently maintain) these capabilities will be almost self-evident.  Those parts of the organization that don’t touch these areas can be handled with generic approaches – and don’t need to ‘do a BIA’;
  • Maintenance processes become simpler, because there’s much less information to manage.

As for the ‘mavericks’: it’s the mavericks that are doing the critical thinking, searching for improvements and focusing on capability over compliance. I think we need more mavericks!

The author

Steve Dance is the Managing Partner of RiskCentric llp, a company that specialises in assisting organizations to develop and deploy programmes for business continuity, compliance and risk management.  His clients include global financial institutions, law firms and aerospace companies.  He can be contacted at steve.dance@riskcentric.co.uk


