To BIA or not to BIA... revisited: final survey results

Published: Friday, 28 June 2019 07:32

In June 2017 Continuity Central published the results of a survey which looked at whether attitudes to the business impact analysis (BIA) and risk assessment were changing. Two years on, we repeated the survey to determine whether there has been any development in thinking across the business continuity profession. The final results are now available.

The original survey was carried out in response to calls by Adaptive BC for the removal of the business impact analysis and risk assessment from the business continuity process.

Respondents

There were 267 respondents to the survey, which was conducted online during the Spring of 2019 using Survey Monkey. The majority of responses came from larger organizations (77.44 percent were from organizations with more than 250 employees). 16.54 percent were from small organizations (less than 50 employees) and 6.02 percent were from medium sized organizations (51 to 250 employees).

Respondents came from many different countries with the top four being:

Omitting the risk assessment?

The first question asked in the survey was ‘Do you think that it is possible to omit the risk assessment from the business continuity process?’ Overall responses were as follows:

When compared to the previous survey in 2017, it appears that respondents have somewhat moved away from the Adaptive BC position. In 2017 a minority (46.48 percent) thought that the risk assessment is a vital part of the business continuity process; this has increased in this year’s survey to a majority (58.27 percent). In 2017, 33.33 percent said that the risk assessment could be omitted from the business continuity process and the business continuity plan would be fully functional. In the 2019 survey this figure was reduced to 22.18 percent. The number of respondents believing that the risk assessment could be omitted but the resulting business continuity plan would be weakened remained virtually the same: 13.62 percent in 2017 and 13.16 percent in 2019.

When broken down by organizational size, some significant differences can be seen, as shown in the following table (2017 survey results are in brackets):


Organizational size

Yes: and the resulting business continuity plan would be fully functional

Yes: but the resulting business continuity plan would be weakened

No: the risk assessment is a vital part of the business continuity process

Not sure

Small

13.95 percent
(12.5 percent)

9.30 percent
(4.17 percent)

76.74 percent
(79.17 percent)

0 percent
(4.17 percent)

Medium

12.50 percent
(27.27 percent)

0 percent
(18.18 percent)

87.50 percent
(54.55 percent)

0 percent
(0 percent)

Large

24.15 percent
(36.72 percent)

14.98 percent
(14.69 percent)

52.66 percent
(41.24 percent)

8.21 percent
(7.34 percent)

Comparing results from the four countries with the most respondents there were again significant differences:

Country

Yes: and the resulting business continuity plan would be fully functional

Yes: but the resulting business continuity plan would be weakened

No: the risk assessment is a vital part of the business continuity process

Not sure

US

25.29 percent

12.64 percent

56.32 percent

5.75 percent

UK

23.64 percent

18.18 percent

45.45 percent

12.73 percent

Canada

33.33 percent

20.00 percent

26.67 percent

20.00 percent

Australia

46.15 percent

15.38 percent

38.46 percent

0 percent

Respondents were invited to make a comment about their response to this question. 118 comments were received and can be read here (PDF).

Omitting the business impact analysis?

The second question asked by the survey was 'Do you think that it is possible to omit the business impact analysis from the business continuity process?' Total responses to this question were:

Again, there does seem to have been a move away from the Adaptive BC position. In 2017, 19.25 percent of respondents said that the BIA could be omitted and the resulting business continuity plan would be fully functional: in 2019 this reduced to 15.04 percent. The percentage of respondents believing that the BIA can be omitted but the resulting business continuity plan would be weakened also reduced: from 9.86 percent in 2017 to 6.77 percent in 2019. Those stating that the BIA is a vital part of the business continuity process and cannot be omitted increased from 64.79 percent in 2017 to 75.19 percent in 2019.

When broken down by organizational size, some significant differences can be seen, as shown in the following table (2017 survey results are in brackets):

Organizational size

Yes: and the resulting business continuity plan would be fully functional

Yes: but the resulting business continuity plan would be weakened

No: the BIA is a vital part of the business continuity process

Not sure

Small

11.63 percent
(8.33 percent)

4.65 percent
(16.67 percent)

83.72 percent
(75.00 percent)

0 percent  (0 percent)

Medium

12.50 percent
(9.09 percent)

0 percent
(9.09 percent)

87.50 percent
(81.82 percent)

0 percent  (0 percent)

Large

16.02 percent
(21.59 percent)

7.28 percent
(9.09 percent)

72.82 percent
(61.93 percent)

3.88 percent
(7.39 percent)

Results from the four countries with the most respondents showed significant differences:

Country

Yes: and the resulting business continuity plan would be fully functional

Yes: but the resulting business continuity plan would be weakened

No: the BIA is a vital part of the business continuity process

Not sure

US

21.59 percent

7.95 percent

68.18 percent

2.27 percent

UK

12.73 percent

12.73 percent

72.73 percent

1.82 percent

Canada

20 percent

0 percent

80 percent

0 percent

Australia

30.77 percent

0 percent

61.54 percent

7.69 percent

Respondents were invited to make a comment about their response to this question. 118 comments were received and can be read here (PDF).

Influence of standards

Respondents were asked to identify the business continuity standard which they are most familiar with and then were asked the following question: Thinking about compliance with the business continuity standard, which comes closest to your view. The results follow, showing that in this year’s survey more than three-quarters of respondents believe that a risk assessment and a BIA are both essential for compliance with the standard they are most familiar with.

63 comments were received about this question and these can be read here (PDF).

Continuity Central would like to thank everyone who took part in this survey. If you would like to submit a comment or an analysis of the results please email editor@continuitycentral.com