Survey: to BIA or not to BIA?
- Published: Friday, 12 May 2017 08:16
One of the differentiators of the new approach to business continuity advocated by Adaptive BC is the removal of the business impact analysis and risk assessment from the business continuity process. But is that a realistic proposal? This survey seeks the views of business continuity professionals on this issue.
Adaptive BC is an alternative approach to traditional business continuity planning. It is ‘based on the belief that the practices of traditional business continuity planning have become increasingly ineffectual’ and proposes nine principles on which to found its new approach. Of these, the one which has proved to be the most controversial is the principle that Adaptive BC omits risk assessments and business impact analyses.
The rationale behind this omission is as follows (verbatim):
The risk assessment (RA) and the business impact analysis (BIA) form the backbone of traditional continuity planning. They are considered fundamental components in virtually every best practice guide and industry standard. Employing these two practices leads practitioners along a trajectory that further entangles their work in the many related techniques of traditional continuity planning, along with the negative outcomes of these techniques. Practitioners should eliminate the use of the risk assessment and business impact analysis.
Risk assessment
The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead. Preparing for the wrong threats is a waste of resources and may lead to a false sense of security that further jeopardizes the organization.
Some threats, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions, are identified and mitigated but materialize nonetheless. It is precisely because bad things will happen, despite the best efforts of very capable risk managers to prevent them, that continuity planning is so critical. (See additional points in “Prepare for Effects, not Causes.”) There are also significant liabilities for continuity practitioners who do not possess the training and expertise to properly implement and follow through on a risk assessment. Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers. Adaptive BC practitioners as such should eliminate the risk assessment from their scope of responsibility.
Business impact analysis
The purpose of a formal business impact analysis is to identify an organization’s services along with the potential daily or hourly loss, usually in terms of money, that a disruption of the service would have on the organization. Over time, the purpose of a BIA has changed, expanded, and become indistinct. The term BIA now often includes recovery time objective (RTO) and recovery point objective (RPO) data, response and recovery strategies, upstream and downstream dependencies, and other information.
The BIA as a measure of estimated losses should be abandoned. Its main purpose was to help leadership identify the most critical services and to set a prioritization for continuity planning efforts. The discipline should eliminate the BIA because:
Due to the increasingly nebulous and confused understanding of the term BIA, along with the many connotations and associations that the term has within traditional continuity planning, both the practice and term itself should be entirely abandoned in Adaptive BC.
If you remove the BIA from the business continuity process, what, if anything, would take its place? David Lindstedt, one of the founders of the Adaptive BC approach, explains as follows:
"Let's go ahead and assume that the BIA could, in fact, provide an hourly or daily cost in terms of lost revenue or lost market share for each service or department that could be temporarily eliminated due to an incident. (Naturally, I think this is a problematic assumption based on commentators and research, but let's make the assumption anyway.) Shouldn't leadership know what is important without having to conduct a BIA? Don't the Board, executives, and top leadership have clear knowledge of what is most important to the continued functioning of their organization without a BIA? Or, perhaps more precisely, is leadership so inaccurate in their estimations of departmental value that the BIA properly changes these estimations and provides a more accurate picture of value to executives?"
Is it really possible to omit risk assessments and BIAs and still develop a functional business continuity plan? Please give your views in the following survey: