How to determine what are mission critical organisational activities

Get free weekly news by e-mailAutomata’s Garry Poole explains the concept of ‘Activity Analysis’.

At Automata, we believe that although the British Standard Institution’s PAS 56 Guide to Business Continuity Management gives a very precise definition of ‘Mission Critical Activities’ (MCAs), it is not entirely clear in answering the following important questions:

* What are activities?

* At what level do activities operate within an organisation?

* How can activities be determined within an organisation? And

* What are the criteria for determining whether activities are ‘mission critical’ or not?

In addition to following the advice and guidelines given in PAS 56, we believe further research can be extremely useful in understanding these key issues. We call this research ‘Activity Analysis’ and usually undertake it using five steps.

Whether all or some of the five steps are undertaken depends upon factors such as the information available within the organisation and its size. Furthermore, sometimes the steps require modification or may have to be undertaken across multiple levels of the organisation. In addition, we use Activity Analysis to filter and focus the numbers of activities that will be initially subject to business impact analysis (BIA) in large organisations, in order to be cost effective.

Automata’s ‘Five Step Activity Analysis Method’ is overviewed below:

Step 1
Undertake research to fully understand the strategic objectives of the organisation. The strategic objectives of the organisation are its high level, planned objectives. Sometimes these are called the aims, objectives, business drivers, visions, missions, i.e. they are those factors that contribute to the fulfilment of the purpose of the organisation. Furthermore, the strategic objectives may comprise elements of all or some of these factors. One would expect these to be fully understood and formally defined in all organisations but very often, more often than one would expect, this is not the case!

Step 2
Arrange a workshop(s) with senior executives from key areas of the organisation to complete this and the remaining steps. In addition, representatives from all levels of the organisation should be either involved or consulted, as well as external representatives, where appropriate, e.g. IT suppliers. All participants should be reminded that this form of analysis is not an exact science and that to split hairs on such discussions will be unproductive. Set a time limit and request that all do their best to adhere to it.

Obtain clear agreement on the strategic objectives of the organisation aiming for approximately five to ten, ensuring that they are concisely defined, measurable and accountability is allocated for each.

NB: In small to medium sized organisations, by undertaking step 2, business continuity practitioners may achieve an extremely valuable output. However, in many organisations, particularly large, complex organisations business continuity practitioners may be advised not to undertake step 2. This would particularly be the case if it would result in the business continuity programme becoming embroiled in un-ending internal debate! (In this instance go straight to step 3)

Step 3
Decide upon financial and non-financial BIA criteria, i.e. ‘pain thresholds’ relevant to the organisation. These should be aligned as closely as possible to the strategic objectives of the organisation and formulated to determine whether an activity is a MCA as per step 5. Examples might include:

* Major direct revenue losses exceeding £10,000 per day

* Fines or penalties exceeding £5,000 per day

* Serious injury or loss of life

* Regulatory requirements not met

* Severe customer dissatisfaction

* Operational efficiency severely compromised

* Serious adverse publicity in national and trade media

* Corporate social responsibilities breached

Step 4
Delineate all key activities undertaken within the organisation, i.e. “operational, support or service or product related activities provided internally or externally including their dependencies and single points of failure which enable the organisation to achieve its strategic objective(s), taking into account season trends and / or critical timing issues.” (Automata’s definition based on PAS 56 definition of critical activities). Activities may sometimes be termed processes or functions within organisations. Moreover, managing projects may be perceived to constitute an activity.

Give each activity a concise but accurate description. For example: Processing incoming calls from Category X customers 9-5 pm weekdays.

Group all related activities that could be operated and recovered using similar human resources, software, equipment and facilities, e.g:

* Processing incoming calls from Category X customers 9-5 pm weekdays.
* Processing incoming calls from Category Y customers 9-5 pm weekdays.
* Processing incoming calls from Category Z customers 9-5 pm weekdays.

Regard such activity groups as single activities and give them a single description, e.g. Processing incoming calls from Category XY & Z customers 9-5 pm weekdays

Step 5
Provisionally determine whether activities are MCAs by applying the following condition: If an activity became non-operational, for whatever reason, would any of the BIA criterion apply? If so, the activity will be provisionally classified a MCA.

The resulting MCA activities can now be subject to more in depth BIA analysis to confirm that they are indeed MCAs. This will also determine the information and resources required to recover them.

Garry Poole, BA Hons, FBCI, is Course Tutor, Business Continuity Masterclass. This monthly training course explores the above issues in detail.

Date: 6th July 2005 •Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here

Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help