Charlie provides some useful hints and tips on how to improve your Business Impact Analysis.
This week I have been in Cluj-Napoca, Romania working with a client’s business continuity team on simplifying their BIA. They inherited a complex BIA and have been looking for some time to try and streamline it. They wanted to capture the essential information required to develop their plans, but still meet the requirements of a BIA as described in ISO 22301 and the BCI’s Good Practice Guidelines. Whenever you are working with others or developing an element of business continuity, you are always learning, and I thought I would share what I had learned from our BIA discussion.
When you are developing the BIA for a particular department or part of the organisation, you collect lots of information. Some of this goes into the BIA, but other bits are background information which are not formally required as part of the BIA. This could be information about the number of assets, locations and how they deliver their activities.
While developing this organisation’s BIA, we were pretty brutal about not collecting any superfluous information, in line with my ideas of 3gBC. We didn’t want to lose the background information on the department, but if it was formally included within the BIA, it would have to be double-checked, signed off and could go out of date quickly. To get around this, any notes we made during the BIA workshop, which didn’t have a place within the document were put in a notes section at the back of the document. We wanted to keep the information within the BIA so someone else could read our notes, rather than keeping them in a separate document or in a notebook as they were likely to get lost. This information was a moment in time, so it didn’t matter if it went out of date, as it was notes rather than a formal part of the document.
So, tip one is to consider a notes section as part of your BIA, to reduce the likelihood of information going out of date.
Many BIAs I see are far too granular and end up capturing a large number of activities per department, which all need MBCOs and RTOs and can require a whole load of accompanying information.
We decided, in line with 3gBC, to capture the activities at a high level. What we did within the BIA was capture a list of priorities for the tasks within the activity. In many other BIAs these would be considered stand-alone activities, and this would be the level at which the RTOs are captured. Once these priorities have been developed they can be cut and pasted into the department's plan. So when the plan is implemented the department can recover to the designated time (RTO), but also there is a list of priorities for each activity which will further guide their recovery.
So, tip number two is to capture high level activities and write a list of priorities, rather than have a large number of activities at a lower level.
The impacts considered during the BIA must be tailored to the organisation. During defining an activity’s MTPD, an unacceptable impact must be tailored to the type of organisation undergoing the BIA.
For an oil and gas company, the impacts considered should be focused on prevention of death or injury, environmental damage and major financial impact. While a retailer may consider financial impact but should also look at customer service and reputation. Even companies in the same industry may want to focus on different unacceptable impacts. As a premium brand airline, British Airways might focus on customer service and reputation, while Ryanair may focus on financial impact and being on time and may be less concerned about impact on customer service and reputation.
As part of your development of the framework for carrying out your BIA, make sure you agree with top management, what the unacceptable impacts tailored to the organisation are.
So, tip number three is to tailor unacceptable impacts to the organisation.
If anyone out there has any other BIA tips, I would love to hear them!