Timothé Graziani is a business continuity practitioner with ten years’ experience. In this article, he explains why he is now convinced that the business impact analysis is an unnecessary part of the business continuity process.
This year, I had the opportunity to attend controversial presentations given by David Lindstedt and Mark Armour from AdaptiveBCP.org, whom I would like to congratulate again for their excellent performance and ideas. As a result, it provoked in my mind a chain reaction which led to a permanent question: What am I doing when I am executing a BIA?
So, let’s be straight and talk about the main idea for this article: ‘No more BIA’.
Well, the first time you hear that kind of revolutionary idea, a natural reaction is to resist the change. As I am a practitioner of 10-years, it’s not always easy to change a modus operandi you always believed in.
At first, my comment to Mark was about changing the traditional approach of the BIA and moving forward to what really works, and not eliminating the BIA. But, thinking more about it, why not? Why not eliminate the BIA?
My objective in this article is to share my thoughts and some ideas regarding these new ways of doing business continuity, and also to share my experience (like you, I did many BIAs) and ideas on how we could improve our techniques.
Meaning of BIA
Let’s start with some basics: what is a business impact analysis?
According to the ISO 22301 standard, the BIA is ‘a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets.’
To execute a well-designed business continuity management program, we need to gather data and understand the information (ISO 22301 – Cap. 4.1 : ‘Understanding the organization and its context’ and Cap. 4.2: ‘Understanding the needs and expectations of interested parties’) in order to be able to select business continuity strategies, implement business continuity solutions, and write business continuity plans according to this data.
Before going further, we need two more definitions. According to the ISO 22301 standard:
- MTPD: Maximum Tolerable Period of Disruption (or MAO – Maximum Acceptable Outage). Time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.
- RTO: Recovery Time Objective: Period of time following an incident within which product or service must be resumed, or activity must be resumed, or resources must be recovered.
Expected results of a traditional BIA
According to ISO 22301, ‘the business impact analysis shall include the following:
- identifying activities that support the provision of products and services;
- assessing the impacts over time of not performing these activities;
- setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
- identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.’
The BIA ‘shall include assessing the impacts of disrupting activities that support the organization’s products and services.’ And this is why, ‘Houston, we may have a problem’…
What is the value of knowing the impact of an incident on the business?
Our executives are fully aware of what products, services or channels (from now on we will use the word ‘services’ to describe any of those three terms) are the most critical, the most strategic and the most urgent. Let us call these types of services that represent the core business of the organization ‘mission critical’ services.
Thinking about what Lindstedt and Armour said, recovering mission critical services won’t depend on circumstances. We have to get them back as soon as we can, no matter when or how things happen. In the traditional BIA, we focus on the worst-case scenario (worst moment or situation). However, note that a failure of any mission critical service is a worst-case scenario by itself, no matter the timing. In the financial industry, if your Internet banking fails during the night when no one is connected, maybe your customers will be still satisfied, but the news outlets and the regulators won’t be: and you will be on the front page the next day with a tremendous reputational impact.
As soon as we speak with a senior executive, we understand very quickly the orientation of what our business continuity management program will be because we learn which services are mission critical. Then, is it necessary to know in detail the nature and the level of the impact? If our executives indicate that services A and B are mission critical, the reasons why are very irrelevant. The good thing is that executives might tell us why! But giving a value for each type of impact for the entire list of services is wasted effort.
What are we expecting from our program? We want to be sure that our mission critical services are covered. The other services will come after! So, we don’t need to rush! We don’t need all the details to do our job! We just need to do things step by step, priority by priority.
What about the MTPD, maximum tolerable period of disruption? What about the RTO?
For a mission critical service the tolerance of disruption will most likely be NONE … ZERO!
We all know the reaction this kind of requirement will generate especially from the IT managers.
Nevertheless, in the 21st Century, digitalization, multichannel, 24/7 services, IoT, reputational risk, business competition, customer expectations, and regulations’ requirements don’t allow room for mistakes. So, yes, a classification of a service as mission critical will mean the maximum recovery capability we can implement … within the budget they’ll give us (we’ll get back to that point later).
And the MTPD? What about the desired RTO that ISO 22301 speaks about? For the mission critical services, this information won’t be useful because the executives want the best solution at the cost they’ll decide.
Executives might ask you the financial impact in order to decide what recovery option they should choose but it will occur during the business continuity strategy stage. Which means: don’t waste time and energy asking this information from everyone! You just don’t need it during your assessment and certainly not for every service as we used to look for in the traditional BIA.
Which leads me to the next thought: what are we really looking for and for what purpose?
Data and goals
Our main target is to improve our recovery capabilities. For that purpose and, in order to identify the business continuity strategies, we need the following inputs:
- List of all services in our organization;
- Mapping process for each service;
- Resource requirements for each service (IT, people, location, data, third parties).
These elements are key if we want to understand the business of the organization and if we want to speak the same language as the executives. Also, it will allow us to execute all the steps of our program with a clear understanding of the complex ecosystem of the organization.
Should a BIA give us this information? Perhaps not. For an effective program, we are supposed to get these three elements BEFORE starting and it is supposed to be already documented (with a Porter’s Value Chain for example).
Let’s recap what we have seen until now:
- We need a list of services (supposedly already existing and provided by the organization),
- We need a value chain (resource requirements: process, people, infrastructures, etc.), also supposedly already existing and provided by the organization,
- We need the list of mission critical services defined by the executives,
- We don’t need the details to determine impact to services, and
- We don’t need to know the MTPD or the RTO for the services because the time to recover will be decided during the business continuity strategies by the executives.
Next question: Now that we have all this information, how can we process it efficiently during the business continuity strategy?
Business continuity strategy
Your experience will teach you one main lesson regarding this stage: “Show me the money”.
The final RTO will be decided during the business continuity strategy by the executives themselves who will make the decision considering the cost of the recovery solution and the effectiveness of this investment.
There are three things to keep in mind during this stage:
- Minimum business continuity objective (MBCO)
- Faster recovery solutions
- Everything is not about technology.
The minimum business continuity objective (MBCO) is the ‘minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption’ (3.28 - ISO 22301). This is not a time-related measure or target. It is an estimation of the scope of what we need to recover for each service. It informs us about the degree of functionality that will need to continue operating even under adverse conditions. The MBCO might be one of the most useful pieces of information we need to find. It will help us to select more appropriate recovery solutions in order to cover what the interested parties desire.
Faster recovery solutions. Again, we live in the 21st Century! The organizations change, the technical solutions change, our knowledge changes, and the way we work too, which means that most of our solutions now have a higher recovery capability and a shorter RTO.
Everything is not about technology. During this stage, we will be able to propose other recovery options that do not rely on technology (procedures, locations, people, suppliers, etc.). What will happen? We will present a list of solutions with the associated RTO and the cost to the executives and they will ask us again the same question: “What would justify such investment? Why do we need a shorter time of recovery?”
Our job is to gather information in order to explain the value of each solution we propose. At this stage, not before, we need to find arguments/explanations and present them. This critical information does not come from a BIA; a long list of numerical impact estimates does not provide the kind of information we need to justify real expenses and address executives’ concerns. Tell the executives what they could lose, what the results could be (according to their teams) and let them decide.
Non-mission critical services
And what about the non-mission critical services? Does a traditional BIA provide us the relevant information? Same answer as before: the executives will choose what will be next. Then we’ll need to justify the recovery solutions to enable the executives to make a choice based on cost effectiveness. We don’t need all the details before. We just need the specific details for a selection of services at the right moment.
Before concluding this article, let me summarize the main argument:
- The BIA is 'a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets.'
- However, our executives are fully aware of what services are the most critical, the most strategic, and the most urgent to recover (the mission critical services).
- Therefore, we do not need to perform a BIA.
- We want to be sure that our mission critical services are identified and will be efficiently recovered in case of an event (we can address all other services later).
- For a mission critical service the tolerance of disruption is NONE … ZERO! We will need to implement the maximum recovery capability we can, within the budget they’ll give us.
So, what’s next?
Honestly, it is hard to say, but I know one thing: We all want to do our job better.
We are wasting a huge amount of time and energy to gather information we won’t ever use and that won’t matter when the time comes to make important decisions about the business continuity strategies.
We can (must?) optimize what we are doing now.
We can eliminate the BIA and execute a new approach as follows:
- Gather the information regarding the organization;
- Gather all information regarding the services;
- Work with executives to identify those services that are mission critical;
- Design the recovery strategies for the mission critical services;
- Propose the recovery strategies to executives; justify any added expenses by identifying the MBCO (with the help of the operational teams) and why this level of functionality is critical;
- Let the executives decide!
Again, I wish to thank David Lindstedt and Mark Armour for opening my eyes on this subject and putting me on a new path with their work at AdaptiveBCP.org.
Comfort is ruining our job if we don’t embrace change! Time for me to start changing things in order to do my job better!
Timothé Graziani is Gerente División Continuidad del Negocio at a bank located in the Dominican Republic. Contact him at email@example.com