In September 2015, ISO published ISO/TS 22317:2015, Guidelines for Business Impact Analysis (BIA), a technical specification that complements its business continuity management standard, ISO 22301.
Over the life of your business, a systematic business continuity process can be the difference between a safety net and a disaster.
ISO 22317 analyzes from within
Getting to the heart of business continuity analysis, planning and execution involves working from within: developing a deep understanding of your organization, its products, and its processes.
How to document all of that information, achieve management buy-in, and produce the best possible Business Impact Analysis (BIA) is what ISO 22317 is all about.
How ISO 22317 relates to ISO 22301
Part offspring of ISO 22301 and part stand-alone document, ISO 22317 is the “how-to” companion to ISO 22301, which requires an organization to do the following as part of its BIA:
- identify the activities that support how the business delivers its products and services
- assess how the impact of not performing those activities grows over time
- set priorities and timeframes for resuming those activities at a minimum acceptable level
- identify the dependencies between those activities and the resources that support them
Purpose and scope of ISO 22317
So ISO 22317 is a technical specification designed to complement ISO 22301, although it can also be used as a stand-alone guide. The BIA process it describes analyzes the actual consequences of a “disruptive incident” on the organization.
Its specific purposes are to:
- be the basis for continually improving the organization’s BIA: it specifies both periodic review and event-triggered activities
- guide the organization in planning, conducting, and reporting on the BIA: this is the “how-to” for the BIA requirements in ISO 22301
- help the organization perform its BIA in a consistent manner that reflects good practice: ISO documents are all about agreed, “good” practices
- open the door to proper coordination between the BIA and the overarching business continuity (BC) program: BC planning, as we pointed out in our previous blog, is an integrated process, and the BIA is at its center
5 impact areas of your business that ISO 22317 analyzes
The following are 5 areas of any business that ISO 22317 addresses:
1. Financial: losses due to lost profits, diminished market share, fines, penalties, etc.
2. Reputational: damage to the brand or negative public opinion
3. Legal and Regulatory: loss of a license, or liability arising from litigation
4. Contractual: breach of contract or service obligations to other organizations
5. Business Objectives: going “dead in the water” by failing to deliver on objectives and to take advantage of opportunities
Outcomes of ISO 22317
ISO 22317 is designed to address the foregoing and other consequences of business disruption. A BIA conducted to its guidance should produce the following:
- confirmation (endorsement) or modification of the overall scope of the organization’s business continuity program
- identification of the governing obligations (legal, contractual, etc.) that justify going to the trouble of doing all this in the first place (business continuity planning is a regulatory requirement in many sectors)
- a timeframe and priority for restoring each part of the business after a disruptive incident
- an articulation of the relationships between everything the business does: products/services, processes, activities, and resources
- a determination of the people, facilities, equipment, etc., needed to get the business up and running again after a disruption
- an account of dependencies on other factors: activities, supply chains, partners, etc.
- a statement of how current all of that information must be kept
The value of BIA
The value of a BIA is that it leads to the most cost-effective strategies by focusing on the correct business continuity requirements. Moreover, the BIA provides evidence to company managers that business continuity aligns with organizational objectives and strategies.
Finally, the BIA identifies the connections between products and services and the processes, activities, and resources the company needs in order to keep going.
Monitoring and Reviewing the BIA
ISO 22317 specifies that the BIA be monitored and reviewed on a periodic basis, and also when triggered by events such as a product or service change, a regulatory change, a change in company structure, or a business continuity exercise or actual disruptive event.
Conclusions
- ISO 22317 has flexible guidelines for any type of business in the performance of a BIA process.
- ISO 22317 is consistent with ISO 22301, and it can stand alone as the basis for BIA.
- ISO 22317 gives your business the ability to identify the business continuity requirements that matter to your organization and its stakeholders
We can help
Do you need advice or guidance in your business continuity planning or implementing ISO 22317 as a part of your business continuity program?
We can help. Learn more about our approach to Business Continuity in our Ultimate Guide to Business Continuity and then contact us today.