Updating a business impact analysis can be costly and time-consuming. But fail to do it, and your continuity plans may not be worth the paper they are written on, says James Mitchell
The standard practice of conducting a business impact analysis (BIA) to determine basic recovery requirements (mission critical processes, RTOs, RPOs, critical applications, suppliers and other resources) is a vital phase of every business continuity management (BCM) programme.
The BIA process can be long and difficult – no matter what data collection method is used. Is the return on your BIA investment (time, manpower and resources) offset by the value of the results? If a BIA is a fundamental part of BCM, the underlying cost may simply be a necessary evil. But, when a BIA is a one-time project – as in many organisations – is the cost realistically proportional to the value? Some organisations conduct a BIA expecting to repeat the process at regular intervals. However, once the initial BIA is complete and the true cost known, such expectations areoften abandoned.
Focus on change
Failure to update a BIA is a leading cause of recovery plan failure. Change is the only constant in business. A BCM programme lacking up-to-date BIA data yields plans that do not reflect an organisation's true requirements. Intending to update a BIA is easy, yet the update process often fails. Consider the effort required to complete the original BIA – questionnaire preparation, distribution and collection; interviews to normalise the results, plus the cost of analysis and report generation. Often, the original BIA process project may take three to eight months.
Significant business changes make the prospect of repeating that lengthy process daunting. Postponing the update may come to seem more rational. But, like most things in life, postponing difficult tasks allows them to grow more unwieldy
To streamline the process, the updated BIA must focus on the changes rather than repeat the entire process. It is likely that much of the information from the earlier BIA is still valid. The update process simply entails discovering which business processes have changed, and how those changes affect the original results. Of course, the method used to conduct the earlier BIA will determine just how easy or difficult the updating process becomes.
In IT, an updating process is generally ongoing (change management) because IT changes have a direct impact on daily operations. In business operations, changes occur regularly, but are seldom, if ever, documented. (To be fair, no matter how robust the IT programme, not every organisation consistently correlates its change management information with its disaster recovery plan.)
Greater than the sum of its parts?
Is it sufficient for individual business process owners or function leaders to update their own critical resource requirements? Yes, if the update method allows for the capture of changes in enterprise-wide dependencies (on other processes, applications, etc). But no effective update can be conducted in a vacuum. Any change to critical dependencies or resources is likely to have a corresponding effect upon those dependent processes.
While it may be efficient for a process team to update its own BIA, only by collecting and integrating changes across the enterprise can the true impact of business changes emerge.
Path of least resistance
Frequently, the cost of updating a BIA (in manpower and time) is perceived as unjustifiably high. Not updating a BIA may become an accepted risk.
BCM management may opt to focus on BC/DR plan updating (assuming most process owners understand the impacts of change and will modify their plans appropriately) without revising the BIA. The more burdensome the BIA process, the higher the propensity not to repeat it. Once made, such a decision often becomes institutionalised. Later, the failure to reflect fundamental changes in the organisation's structure may result in flawed plans and a failed recovery. With luck, flaws will show up in a test or exercise, not in real life.
What do you have in your toolbox?
Does your existing BIA format lend itself to manipulation? Or do you have to start from scratch? Do you use software that integrates BIA and plan development? Further, does the BIA format lend itself to the use of collaborative tools?
Can business process owners gain access to the original BIA survey? Network or web-based collaborative tools reduce the pain of updating a BIA, while enabling monitoring and auditing of the process by the BCM leaders or planners.
Assess your options, and pick a BIA updating method that works best for your situation. It may not be free; it may be time-consuming, and it may not be painless. But it will pay dividends if you have a disruptive event.
An out-of-date BIA exponentially increases the chances of plan failure. The BIA provides the core upon which an organisation's plans depend. Without up-to-date BIA information, the validity of plans should be questioned, and their successful execution must be suspect.
James R Mitchell is CBCP director, eBRP Solutions, Inc, www.ebrp.net eBRP Solutions, Inc will be exhibiting at the Business Continuity Expo and Conference held at EXCEL