Business Continuity Management | BCM

BIA 4: Frequently Asked Questions When Conducting Risk Analysis and Review

Written by Moh Heng Goh | Mar 21, 2021 7:17:49 AM

This blog attempts to provide answers to some typical questions that I am often asked during a BIA implementation.

Frequently Asked Questions (FAQ) Roadmap

This is a sample roadmap of questions that are asked before, during and after the BIA phase.

Before Conducting a BIA

  • What is a BIA?
    • Explained in Chapter 2 [TBA]
  • How does a BIA get started?
    • Explained in 3.6 [TBA]
  • What is a Critical Business Function (CBF)?
    • Explained in 4.3 [TBA]
  • Why conduct a BIA?
    • Explained in 4.4 [TBA]
  • What are the Benefits?
    • Explained in 4.5 & 4.6 [TBA]

During the Conduct of the BIA

  • How do you conduct a BIA as the first phase of a BCM planning process?
    • Explained in Chapter 5 [TBA]
  • What are the steps to conduct a BIA? How do you perform a BIA?
    • Explained in Chapter 6 [TBA]
  • How do you present the BIA findings?
    • Explained in Chapter 9 [TBA]

After Completing a BIA

  • When should the BIA be re-visited?
    • Explained in 4.7 [TBA]

What is a Critical Business Function?

Critical Business Functions (CBFs) refer to the most vital areas of the business that are crucial to the survival of the organization as a viable enterprise. Without these business functions, the organization would not be profitable, credible or viable in the delivery of products and/or services to customers, clients or the citizenry in the case of governmental entities.

Why Conduct a BIA?

A BIA drives the priorities, strategies, and solutions for managing BC and recovery. It is important because the BC planning effort and its decisions must be weighed against projected needs and costs, so that these decisions satisfy the needs and are cost-effective.

The underlying premise that supports the BIA as the foundation of a viable BCP project is that the BIA data must be valid. To be valid, all entities in the organization must actively participate in the BIA process. The data they provide must reflect current operations, and it must be updated as new business functions and/or technology platforms and IT applications are implemented.

By helping to identify functions critical for business survival, you will be able to focus attention on what counts most.

The BIA process also helps the whole organization get involved in BCP. It helps each Head of BU evaluate operations and assign a dollar value to down-time. It also identifies the equipment and resources needed to keep CBFs going.

In summary, undertaking a BIA is a self-evaluation process that leads your business to discover:

  • Which business functions and processes are critical, necessary, or optional for business survival?
  • What is the impact on revenue, investor confidence, customer service, goodwill, competitive edge and market share, if CBFs cannot be performed?
  • What are the minimum resources needed to recover these CBFs?
  • In what order and how quickly should these business functions be restored?
  • What are the inter-dependencies of these business functions?
  • What are their financial exposures?

Another good reason to do a BIA is to meet investors’ rising awareness of BCP. Increasingly, organizations which are moving toward an initial public offering, merger or acquisition are preparing BC plans. More and more investors view recovery from disasters as a significant part of their due diligence checks.

What are the Benefits?

Based on the various considerations uncovered during the BIA, the process itself can be almost as beneficial as the final written BC plan. I often list the following benefits derived from performing a comprehensive BIA to highlight the following areas of importance or concern in an organization:

  • Legal liability
  • Potential economic loss
  • Potential exposure
  • Probability of a disaster occurrence
  • Preempting of disruption to normal operations
  • Organizational stability
  • Orderly recovery
  • Adequacy of insurance premiums
  • Reliance on key personnel
  • Asset protection
  • Safety of personnel and customers
  • Compliance with legal, statutory and regulatory requirements

What are the Additional Benefits?

The following are additional reasons that would accrue from a well-developed BIA:

  • Allow you to see your business in ways you never realized before. In carrying out the BIA, you may become aware of opportunities or vulnerabilities you never knew or had time to explore. As a result, you may seek to realign your priorities towards facets of your business which are most vital
  • Determine how the current operations and practices contribute to meeting organizational goals and customers’ needs
  • Identify the vital resources required to maintain "normal" vital operating conditions in a cost-effective manner
  • Determine the impact due to loss of CBFs under disaster conditions, which your staff members are least prepared to handle
  • Help define continuity goals and objectives, time-window of vulnerability, recovery strategies and key assumptions relating to BC
  • Propose alternative modes of business operation (which had not been thought of previously) from the recovery phase
  • Obtain a preliminary idea of the sizing of critical resources and procedures needed to operate under disaster conditions
  • Identify significant weaknesses and/or capacity bottlenecks that need to be rectified
  • Uncover errors in vendor billing and discover alternative financial avenues, such as leasing or outsourcing instead of purchasing equipment

This list of benefits is not exhaustive but should suffice to give the Executive Management sufficient reasons for proceeding with a BIA. In short, a BIA highlights areas of risk to the organization's business, should the CBFs be disrupted. It is an integral element of sound business management.

When Should the BIA be Re-visited?

The short answer is the sooner the better, once your organization undergoes significant changes. The two main scenarios prompting a re-visit are:

Organizational & Technology Changes

As your business changes, plans must be updated to reflect its current status. For example, you would want to update your BIA and plan to tie in with a significant strategic or structural change in your organization. An example is a major move into e-commerce. In trying to move your sales channel to the Web, what happens if your server crashes?

In most organizations, however, changes are often frequent and not drastic, with new business activities and technologies constantly being introduced. With each introduction of a new business operation, IT application, system or network, an assessment should be made to determine where the new business function fits among the recovery priorities.

Mergers and acquisitions within organizations warrant the need for an update. It is recommended that these updates be conducted three months after the successful completion of the exercise.

Periodic Update of BIA

The frequency of reassessing the business impact depends on the frequency of change within the organization. If the organization is relatively stable, the reassessment can be less frequent.

Many organizations conduct a corporate-wide BIA at least once every two years. The factors that determine the impact of the loss of a particular function in the organization can be expected to change in that time. For example, the volume of business transactions may have increased.

The policy highlighting the frequency of update only applies to the corporate level BIA. If there is any change to the individual BUs’ BIA, it must be updated immediately. BU BCM Coordinators are expected to keep the Organizational BCM Coordinator informed about the changes once the BU’s update is done.

Should BIA be Conducted before RA?

There is a common argument that the Risk Analysis & Review phase should come first, while another set of professionals argues that the BIA phase should come first as the 2nd Subject Area of the ten professional practices. The need to argue over the sequence reflects a lack of understanding of the practical aspects of implementing BC plans, as the quest to be correct on the sequencing is academic.

Reference

Goh, M. H. (2021). Conducting Your Impact Analysis for Business Continuity Planning. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 4: Frequently Asked Questions"
