To BIA or not to BIA: a response from Steve Dance
- Published: Tuesday, 11 July 2017 07:35
Steve Dance reacts to the debate that has commenced in the wake of Continuity Central’s recent survey into attitudes to the business impact analysis and the risk assessment elements of the business continuity lifecycle.
I completely support the views of Lindstedt, Armour and Barnes on this – what should be a sensible approach to prioritisation has been made into an esoteric, convoluted process which has been put on a pedestal and enshrined as a biblical truth that only heretics would dare question.
For me the ‘BIA’, has now become so over-engineered and ubiquitously applied that it is no longer useful for focusing on real business priorities. Whether performed with the support of an automated tool or not, the BIA eventually descends into an activity that is performed purely to satisfy requirements for compliance, making it a periodical ‘tick in the box’ activity that adds very little value to the business (even though it’s proponents may think otherwise).
In his response, Peter Barnes describes a process where senior management basically set the parameters that steer the development of business continuity capabilities according to business priorities. For me this is not just a ‘fast track’ approach, it’s also the most practical. I have seen this fast track in operation and found that other significant benefits accrue from its use, including:
- Management give a clear direction in respect of the response and recovery capabilities that the organization needs to mitigate exposures such as contractual liability, regulatory obligations, customer and counterparty goodwill and financial liquidity. This gives a clear steer to the organization as to the capabilities needed to be developed to mitigate these exposures;
- Once these priorities have been defined, the main participants required to develop (and subsequently maintain) these capabilities will be almost self-evident. Those parts of the organization that don’t touch these areas can be handled with generic approaches – and don’t need to ‘do a BIA’;
- Maintenance processes become simpler, because there’s much less information to manage.
As for the ‘mavericks’: it’s the mavericks that are doing the critical thinking, searching for improvements and focusing on capability over compliance. I think we need more mavericks!
Steve Dance is the Managing Partner of RiskCentric llp, a company that specialises in assisting organizations to develop and deploy programmes for business continuity, compliance and risk management. His clients include global financial institutions, law firms and aerospace companies. He can be contacted at email@example.com