In last week’s episode, we discussed the traditional approach to the Business Impact Analysis (BIA), a part of the Business Continuity Lifecycle. This week, we’re going to talk about the trend towards not doing the BIA at all.
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser and Senior Consultant Jennifer Otremba talk through the recent trend of not completing a more traditional business impact analysis, or BIA, process as a part of an organization’s annual business continuity lifecycle. Topics discussed include why organizations are choosing not to complete a BIA, alternate processes that allow an organization to gain much of the needed information through other means, and thoughts on where this trend will continue to evolve.
Bryan Strawser: To BIA or not. That is the question.
Jen Otremba: That’s right. So last week, we talked about the BIA.
Bryan Strawser: We did. We talked about the traditional BIA.
Jen Otremba: The business impact analysis. Yep.
Bryan Strawser: And this week we’re gonna talk about not doing the BIA. Alternate ideas around the BIA. Or justification for not doing the BIA. Of course, I’m stealing from Shakespeare’s Hamlet …
Jen Otremba: All day long.
Bryan Strawser: All day long …
Jen Otremba: That’s right.
Bryan Strawser: I’ve been quoting Shakespeare. Not really. But when we do the traditional BIA, we expect to get certain outcomes. And those outcomes are understanding activities that support products and services at the company, understanding the impact over time of those activities not happening, or how we can measure the impact of a disruption to your critical processes, or …
Jen Otremba: Financial impacts.
Bryan Strawser: Yeah, we’re capturing all kind, and again, not just financial.
Jen Otremba: Right, absolutely.
Bryan Strawser: We’re capturing all kinds of impacts, reputational, community, brand, regulatory, et cetera.
Jen Otremba: Yes.
Bryan Strawser: We’re setting prioritized time frames for resuming these activities, in some kind of organized manner of what’s important first, and et cetera, and we’re identifying dependencies, and those might be suppliers, or technologies, or other relevant interested parties.
All important, but there’s a growing belief that, perhaps, doing this in-depth BIA on an annual or bi-annual basis, or every two years, or what have you, is not important more. Why is that?
Jen Otremba: Well, I think, in some aspects, they’re not necessarily making the argument that it’s not important, but that the expense of doing it, or the time it takes to do it, it is very time-consuming process, is unnecessary, is maybe the argument, and that their time can be spent better elsewhere.
Bryan Strawser: Agreed. We’re also seeing the argument that, really, things are either critical, or not. If they’re critical, they should be recovered as quickly as possible, and things that are not critical, we’re just not gonna worry about anymore. That’s one theory.
Another theory, that … this one actually makes more sense to me, is … when you’re in the crisis, your executives are calling the shots. And your executives know, very quickly, which services are mission critical, in their eyes. So, therefore, is it really necessary to know in great, in a great level of detail, the level of impact, and the nature of what that impact looks like? When you’re already going to know, “These things are critical, and I need to restore them, as quickly as possible.”
Executives might even tell you why those things are important. Now, you might, you won’t have the raw data. You may not have all of the dependencies and interactions. You may not have a full view of all of the technologies involved, third party services or what have you, but do you really need that, in order to have managed an effective recovery of that business process, or not?
Jen Otremba: Right. If you already know that it’s really, really important, to get this to work, first …
Bryan Strawser: Right.
Jen Otremba: That may be where you put all your effort.
Bryan Strawser: Yup.
Jen Otremba: Another thought, as we were talking about it before we started recording, is that companies, many companies, have already gone through this process. They’ve already identified the critical functions, going through this process, traditionally, and they have an existing business continuity program, and they either, A, need to update their program, or B, are beginning the process of updating some of their plans. But they already know the criticality.
Bryan Strawser: Right.
Jen Otremba: They already know how the functions relate to each other, and there hasn’t been a significant enough change, in how they do business, to need to do another business impact analysis.
Bryan Strawser: It’s interesting that you bring this up in that way, because we’ve worked with a client or two that didn’t want to conduct the criticality view of what’s going on across the organization, and what’s critical. We were told, by their executives, “Here are the things for which we need a BIA, and then, a business continuity or disaster recovery plan, and we’re not really interested in the process by getting there, through objective means. These are the processes we think are critical, and as you go through this, and you find dependencies that you think are critical, then you should do BIAs and plans for them, as well.”
That was the first time that’s happened. We’ve now done it twice. It’s been kind of an interesting approach, where we’re, at least the criticality is being dictated to us. We’re still doing a full BIA. But I don’t know that that would have changed how we wrote the plans, in this particular case.
Jen Otremba: Right. Which is, I mean, that’s valid.
Bryan Strawser: So, another question about this is, there’s a lot of stuff going on in a 21st century organization. Lots of things are going digital, instead of paper. You have this impact of, a kind of multi-channel production, of stuff running 24/7. You have the Internet of things. You got all kinds of appliances, and stuff. In your company now, we’ve got reputational risks that never existed.
There’s more competition, the barrier to entry is low, and so, it’s easy to run into significant competition. Customer expectations are higher, and the way the regulatory environment is on, particularly when it comes to health and financial risk, there’s no room for mistakes.
So, companies that may choose not to do a BIA, are essentially saying that, “Within the confines of this budget that we’re going to receive, what you define for us as mission critical, we’re going to give, we’re gonna get the minimum amount of disruption possible, given those constraints around time and the budget the question. And these critical functions, we’re going to recover them as rapidly as possible, due to the lack of the BIA. We’re just being told that these are the critical things.”
Jen Otremba: Yeah.
Bryan Strawser: And so, your approach changes …
Jen Otremba: Right.
Bryan Strawser: I think, as you go into this.
Jen Otremba: Yeah, so you’ve made that discrimination, without going the process, ultimately, that X, Y and Z is the most critical function, and we’re gonna do, we’re gonna put an unlimited amount of resources and money towards correcting those functions.
Bryan Strawser: So, if we take this alternate view of the BIA, that we’re not gonna do this traditional BIA, now, what we’re thinking about are really these, kind of five things. We know that we need a list of services that the organization provides. That list probably exists. It can just be teams and departments, or however you break things up.
We need some definition of the value chain within this, that should come from the organization, and here, I’m talking about, “Well, how many people and processes and infrastructure are tied to these particular processes? What are the resource requirements?” And we need the list, by the executives, to tell us, what are the mission critical teams in here? What are they? What are the things that have to continue to operate?
What we don’t need are impact of services, because, we’re told, these things are critical, they therefore need to be recovered as quickly as possible. And we don’t need to know that RTO, or the maximum allowable outage, or, pick your metric, because the time to recover is going to be decided, in the moment, by the executives, based on what’s in front of you.
So you’ve really, you’re condensed this BIA into some basic information capture, and that becomes the way that we think of the BIA, and you’re going to use this in a crisis, and you’re really gonna look for the crisis management team, or to your executives, to tell you, “Prioritize this for me, now, in the moment, while we recover.” It’s a different approach.
Jen Otremba: It is. It’s not usually the approach that we prefer to recommend, because we often talk about having a plan, and a framework, a decision-making framework. But it is a way to do it. It’s an alternative to what we usually talk about.
Bryan Strawser: Now, we brought this question up, this two-part podcast, because we received a reader question about, “Hey, what do you think about,” forget the exact wording at this point, but, “What do you think about this newer theory of not doing the IBA?” I’ll admit, there’s some things here that I’m attracted to, that I do think it’s true, that in the moment, that you’re gonna prioritize, based on what your executives need.
I know I went through a situation that was well-documented, because we wrote some articles about it very publicly, when I was a target, about a flooding that occurred in one of the headquarters buildings, back in 2013 or ’14. In that situation, we had flooding, and I think it was three and a half floors, and there was one critical team.
So they had a plan, and they executed that plan flawlessly, and it worked. But everything else on those floors was not critical, by our definition, and by the following morning, I was quickly, [inaudible 00:08:59], absolved of that idea.
Jen Otremba: Yes.
Bryan Strawser: We had to take action to support those teams, because leadership had decided that they were indeed critical. So, and in retrospect, they were probably right, but I think it kind of goes in this, it goes along with this idea with the BIA, which is that, your executives are going to make these decisions in the moment, based upon what’s in front of them.
Our leadership team said, “Hey, this stuff that we told you a year ago, was not critical, is critical, and they need to be recovered, and they need to be recovered now.” Okay. So we did. But that flies in the face of the traditional BIA approach of, “Well, this isn’t critical, so we’re not gonna do it.”
Jen Otremba: Yeah.
Bryan Strawser: Which probably would not have been a good answer for me to pull out of the wallet at that time.
Jen Otremba: No, that’s not the answer I would have used, either. I think the answer, at that point, is to recover, and move forward. Maybe those teams now need a plan, and maybe those teams are added to the next BIA cycle.
Bryan Strawser: Right. Right.
Jen Otremba: It’s an alternative view, and it’s true, I think, in a crisis, things do change. You learn a lot, and you adjust as necessary, moving forward, after that.
Bryan Strawser: So this idea of not doing the BIA really means that you’re executing a new approach, a different approach, and it’s really, it’s kind of a six-part thing. You’re gonna gather some information about the organization, and what’s the structure, and what’s the org chart, what are the services? You’re gonna get as much information as you can about the services and products that the company provides, whatever those are.
You’re gonna work with the executive team, to identify the services or products that are mission critical. They’re going to tell you. You’re gonna capture it. You’re gonna design recovery strategies around those mission critical services. You’re gonna propose other recovery strategies to executives, and you’re gonna justify any added expense by explaining how it fits into this mission critical process, and then, you’re gonna let them decide.
You’ll build your strategies and plans around that idea, and when you’re in the moment, then you’re going to build your response and long-term recovery efforts around the idea of, what any of the executives decide, and then, executing your various recovery options, to make that happen.
Jen Otremba: Right, so it’s still a plan. It’s just …
Bryan Strawser: Right. It’s still a, it’s a form of a BIA …
Jen Otremba: It is.
Bryan Strawser: It’s not the traditional BIA.
Jen Otremba: Exactly.
Bryan Strawser: And it’s flowing. You’re really going right from some basic info capture, right into the plan.
Jen Otremba: Right, exactly.
Bryan Strawser: So, if you’re doing this, we’d love to hear how this is working for you. Drop us a note, at email@example.com, or give us a call at 612-235-6435. Hit Option 1 for my voicemail box, and leave us a comment, of audio comment, about how this is workin’ for ya, and we may play it on an upcoming episode of the show. Thanks for listening.