This week Charlie outlines the minimum requirements for developing a Business Impact Analysis (BIA).
Many of those developing business continuity struggle with the BIA and are not sure about what it should contain. I have seen many BIAs missing fundamental parts, even down to listing the organisation’s RTOs, which are key to the delivery of BC; without them you might as well not have bothered doing all the other BC activities. In previous bulletins we have discussed Third Generation BC (3gBC), which would significantly slim down your BIA, but it doesn’t cover the necessary information that you need to put in your BIA.
The following are the minimum standards for developing a BIA. Whatever style you use to carry out your BIA, it should contain all of the following items.
- A statement of scope and details of why any products and services have been left out of the scope.
- A list of the organisation’s products and services, grouped together if there are many of them. If you are a supermarket and you sell thousands of items, you can group items together, e.g. perishable fruit and vegetables.
- A list of activities across the organisation at a high level (preferably not more than 20). This should include all activities across the organisation, rather than leaving some out because they are seen as “non-critical”.
- MTPD as a time frame considered against the organisation’s values, plus any comments on why the particular MTPD timeframe was chosen.
- Financial impact of downtime, if it can be meaningfully calculated. I also think this should be done at the organisational level, rather than for each individual activity.
- An RTO for each of the activities. Some opt for a draft RTO and then go firm on the RTO in the design stage, once this has been looked at in respect of the recovery strategy and consolidated across the organisation.
- Internal and external dependencies – this can be done at activity level or at organisational level for the external dependencies.
- Take into account cyclical variations. This shows when activities are more important due to business cycles, like reporting to the city at the end of the financial year or payroll at the end of the month.
- Return to normal – this is the time when you need to have your activities back at 100%.
As part of the BIA, you also need to look at the resources needed to recover operations. For each activity, an MBCO should be written which details the level at which the activity should be recovered.
The following resources which underpin the activities of the organisation should be collated:
- A list of IT applications, data, communications tools, telephony, and customer facing numbers, with their RTOs and RPOs, if known.
- Numbers of staff needing access to corporate systems, either via work area recovery, an internal displacement strategy or working from home and accessing the systems through VPN.
- Any other equipment. This differs greatly by industry and could range from portable generators to tokens for accessing bank accounts.
- Key suppliers should be listed.
- Consumables and critical supplies.
- You may want the recovery numbers for staff over time.
There may be other resources you want to note or count, but never put them in just because you can. Every bit of information in the BIA must tell you something and add to the development of the recovery strategy.
It is important when conducting a BIA that you do not create a monster full of useless information which takes a huge amount of time and effort to update. Put in the minimum amount of information to do the job, but make sure that all the categories above are covered.