In a recent Continuity Central article Dr. Alberto G. Alexander set out nine methodological steps for developing a business impact analysis (BIA). David Lindstedt has submitted a detailed response to the article…
Dr. Alexander has laid out a reasoned and methodological approach to performing one of the industry’s most challenging processes, the BIA. But as we reflect on the many steps that make up this lengthy process, it might well make us wonder: Is the BIA necessary? The benefits of the BIA have been coming under scrutiny as of late. I would like to use Alexander’s well laid out approach to demonstrate how undertaking a BIA may not be necessary.
Alexander’s own presentation allows us to see that the BIA is both inadequate and unnecessary for today’s business continuity practitioner. Why? Because the BIA already smuggles in the very information we hope to learn from its execution.
Alexander infers at least three reasons why organizations should perform a BIA:
- Identify those products and services most in need of business continuity planning;
- Determine the degree to which we need to prepare services to recover;
- Discern the recovery priority of services.
However, Alexander inadvertently helps us see that the BIA does not deliver what it promises. Let us look at each of these three reasons in turn.
One reason practitioners may have traditionally performed a BIA was to discern which services are the most important services that the organization provides. As Alexander writes, we expect that a BIA “…allows the organization to identify the critical processes of business and its continuity requirements...” But this information has already been determined before we begin the BIA. In the very first step of setting the scope for the work of the BIA, Alexander advises that “… top management should have identified the scope, considering the products and services of the organization. Several key criteria could be considered to decide the products and services of the organization that need to be protected to assure continuity; including: a) market pressure, b) specific company sites, c) products and services profitability.”
Therefore, top management already knows the “products and services of the organization that need to be protected.” They provide us this information when we set the scope to perform the BIA. The traditional BIA methodology starts with the very answer it proposes to seek. We do not need to conduct a BIA to learn the products and services that are most important to the organization. Such knowledge is the proper sphere of top management from the very beginning; we only need to obtain this information directly from leadership.
Note too that none of Alexander’s suggested criteria for making such a determination are found in the BIA’s financial impact assessment as he sets it out, and only one is found in the operational impact assessment. This should clue us in to the fact that the real criteria that makes a service or product important is not so easily quantifiable, and likely goes well beyond the types of measures a BIA purports to offer.
A second reason we may have traditionally performed a BIA is that we hoped to learn how thoroughly to prepare each service to recover from significant interruption. The business continuity practitioner wants to know to what degree the functionality of each service has to be resumed following a disaster. But this too lies outside the traditional BIA and has to be smuggled in. In step six, estimating required resources, Alexander writes that, “previously, the firm should have identified the minimum level at which each critical activity needs to be performed upon resumption.” This “minimum level” is sometimes referred to as the minimum business continuity objective (MBCO) (1). But observe that this critical step occurs outside the BIA and, in fact, is necessary in order to perform subsequent steps of the BIA. It seems Alexander would agree with Charlie Maclean-Bristol’s statement that, “you should always state the level of recovery required by the activity first and then look at the strategy and the required resources to achieve the stated MBCO.” (2)
A final reason we traditionally conducted a BIA was in an effort to determine the recovery priority of every service. I have argued elsewhere that any attempt to set recovery time targets is deeply flawed (3). But for the purposes of this article, it is enough to point out a third way in which what we hope to learn from a BIA must be smuggled in from outside the BIA. Working to identify a maximum tolerable period of disruption (MTPD) for every service and thereby establish a “priority for their recovery,” Alexander argues that the MTPD will soon become obsolete. He writes that: “Considering today’s connectivity and the dependency on information technology, the trend of MTPDs is to shrink in terms of duration and probably they will be close to zero in the near future.” If the MTPD is the way that we are supposed to determine recovery sequence, and that way is becoming obsolete, then we can draw one of only three possible conclusions:
- We will be left without a way to determine recovery sequence;
- The MTPD was not really the way we actually determined recovery sequence in the first place; or
- There is, in fact, no need to determine recovery sequence.
Regardless of which of these three consequences Alexander wishes to embrace, we see that the BIA cannot provide the mechanism by which we determine recovery priority (4).
In conclusion, we see that the BIA cannot be used to:
- Identify those products and services most in need of business continuity planning;
- Determine the degree to which we need to prepare services to recover;
- Discern the recovery priority of services.
Why, then, would we conduct a BIA?
Following the nine steps Dr. Alexander outlines in his article, as many organizations have done, requires a large outlay of “cost, time and performance.” How can we continue to justify such an expenditure? In a previous Continuity Central article (5), I summarized the major objections that other authors have brought against the BIA. This examination of Dr. Alexander’s methodological approach should provide further reason for organizations to give pause before committing to the very expensive BIA. And it should also give pause to business continuity practitioners when considering the future of their profession: if the BIA “is the backbone of a BCMS,” we had better figure out how to succeed as invertebrates. Perhaps this forced flexibility will lead us to a more adaptive approach to business continuity.
The author
David Lindstedt, PhD, PMP, CBCP is the founder of Readiness Analytics and the co-founder of AdaptiveBCP.org. His most recent book, Adaptive Business Continuity: A New Approach, is now available in paperback from Rothstein Publishers.
Notes and references
(1) Do not mistake this for maximum tolerable period of disruption (MTPD), which is a measure of time – what Alexander is referring to is more like the minimum business continuity objective (MBCO), the “minimum level of services and/or products that is acceptable to the organisation, to achieve its business objectives during a disruption” (Business Continuity Institute’s Good Practice Guidelines).
(2) Maclean-Bristol, Charlie, 2015, “The minimum business continuity objective: the Cinderella of the BIA...”, http://www.continuitycentral.com/index.php/news/business-continuity-news/640-the-minimum-business-continuity-objective, viewed 9/15/17.
(3) Lindstedt, David, 2017, “Our deep misunderstanding of time in preparedness planning”, http://www.mynewsdesk.com/uk/the-business-continuity-institute/news/our-deep-misunderstanding-of-time-in-preparedness-planning-233347
(4) Note, too, that if the “MTPD value expresses the maximum limit for the RTO value”, and if the MTPD “will be close to zero in the near future”, this therefore also renders the RTO obsolete.
(5) Lindstedt, David, 2017, “What was the business impact analysis?”, http://www.continuitycentral.com/index.php/news/business-continuity-news/2113-what-was-the-bia
