In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses the Business Impact Analysis (BIA), how we approach the BIA process at Bryghtpath, and the value it can provide to your organization.
Topics discussed include the Business Impact Analysis (BIA), the ISO 22301 Standard for Organizational Resilience, our approach to the BIA here at Bryghtpath, and the value of the Business Impact Analysis.
Related Episodes & Blog Posts
- Blog Post: What is a Business Impact Analysis (BIA)?
- Blog Post: Validating your Business Impact Analysis Results
- Blog Post: Why failing to validate your business impact analysis results is a huge mistake
- Episode #25 – To BIA or not to BIA
Episode Transcript
Hello, and welcome to the Managing Uncertainty podcast. This is Bryan Strawser, principal and Chief Executive here at Bryghtpath. And in this week’s episode, I’d like to talk about the business impact analysis, or BIA. We’ll talk a little bit about what it means, how you go about doing one, our approach in doing so, and what the value is in doing the BIA in your organization. I started off with kind of this question, which is: how many days of payroll can you lose? How many days can your payroll function in your company be down before it impacts your business? What about the servers that power your product or platform that you provide to customers? Or what about your virtual private network, your VPN, that employees use to connect to your secure resources and work remotely, that you probably used a lot during COVID? An hour, a day, a few weeks, a month?
If you’re like many companies we talk to, you may not know how long your business can survive without critical systems and business processes. For that reason, a thorough business impact analysis, or BIA, is one of the most important steps that we take when we work with new clients. Here’s what a business impact analysis is, why it’s important, and what you’re going to learn by doing one. So, what is the BIA? Well, the formal description of a business impact analysis from the ISO 22301 standard on organizational resilience is the process of analyzing the impact over time of a disruption to the organization. The process of analyzing the impact over time of a disruption to the organization. To say it more clearly, a BIA is a thorough examination that exposes the likely impact a business disruption will have on the revenue, expenses, operations, and reputation of your organization.
On our blog post that accompanies this article, you’ll see an example of what our business impact analysis report might look like, including the impact over time across several different factors. The example we show is impact on compliance and regulatory obligations, on your organization’s reputation, on your financial obligations (expense and revenue impact), and on your mission, your ability to complete your mission. For example, we’ve worked for many years with a company that sells cloud-based software as a service, or I should say they have subscribers to a cloud-based software as a service, or SaaS, platform. If their product goes offline, even for a minute, they experience an increase in expenses and a negative reputational impact in the marketplace, because their customers begin to complain, often using social media to do so. A prolonged outage will also cost revenue in the form of lost business and refunds or invoice credits to angry customers.
So, those are some of the issues that we look at when we’re conducting a business impact analysis. Key to these questions with a BIA is establishing the recovery time objective, or RTO, for critical systems and business processes. Now, business disruptions are not usually isolated things. They impact a lot of organizations. They impact a lot of processes and technologies within your company. If a hurricane knocks your data center offline, well, your customers could be locked out or unable to access their systems. Your payroll team may be down. Your payroll system may be down. Your internet might be inaccessible, and lots more could happen. Over and over we see companies make the same mistake in this situation. They try to recover every system and every business process. And if they haven’t done a BIA, they have no idea, none, about how to prioritize this. And that’s a mistake that can cost them millions of dollars in expense and revenue, but more importantly can have a significant impact on their reputation.
That’s why the BIA and establishing recovery time objectives are so important. Some systems and processes need to be recovered now, or first. Usually these are ones that generate revenue, like customer products and records, sales pages on your e-commerce site, or similar systems. Every minute those systems are down, they cost you money in lost revenue and expenses, and if you’re providing services through technology to your clients, you’re impacting your clients as well. Other systems may also need to be recovered, but they may not necessarily need to be recovered immediately. Payroll, for example. Well, payroll, you have a lot of legal and compliance obligations around payroll. You have an obligation to your employees to pay them. Folks are not going to work if you’re not paying them. Payroll needs to be recovered quickly, but it doesn’t necessarily need to be recovered within an hour. It doesn’t necessarily need to be recovered ahead of your revenue-generating systems and processes.
A business impact analysis looks at all of your critical processes and each of your critical systems, and you assign each a recovery time objective. When these are in place, you can start to build a prioritized list of processes, and the technologies and systems that those processes are dependent upon, to recover during a disruption, a key first step when we move past the business impact analysis and we start creating your business continuity plan. Now, there are implications to not performing a comprehensive BIA. We once worked with a company to examine over a dozen key areas of their business as we developed a new set of continuity plans for them. The executive leadership team came to us with the areas that they thought were critical. “Here’s the list, Bryan, of the 12, 13, 14 areas that we want plans in.” So, we completed those on their behalf. Now, we had discussed with them as we approached this process.
They asked us for a company-wide BIA after we had updated these plans, which we then went and completed on their behalf. And we identified more than 25 teams and dozens of processes in their organization that were critical for recovery in the aftermath of a disruption, far more than the 12, 13, 14 that they had asked us to work on when they had first engaged with us. Unfortunately, this is a common story in my experience. And many areas that you might think are critical for recovery might not be the ones that are the most critical to recover first. In addition, without a comprehensive business impact analysis, you may have struggles in a couple of other key areas. As we said, without this, there’s no method, there’s no process, to prioritize your recovery efforts. When dozens of systems and processes are impacted, which ones do you recover first?
And if you don’t know, you’re going to spend hours and days trying to figure out what to prioritize, a mistake that can cost large organizations millions of dollars in expense, lost revenue, and damaged reputation. But you also run into the challenge of losing executive support, or the inability to gain executive support. We often talk with leaders who would like senior management to invest more in business continuity, but they sometimes struggle to communicate the value of resilience, the value of a continuity program, or the specific costs and other impact that the business might face during a disruption. That’s a sign to me that the company has probably not conducted a thorough BIA, because without this, operational leaders might lack the concrete, detailed financial estimates and qualitative data needed to convince their senior leaders to invest in resiliency. And then they struggle to earn support for the program as a result.
Now, how do you conduct a business impact analysis? Here’s our approach. First is to scope the need. Every BIA is different, because every business is different. For that reason, our first step is to scope the need and determine what areas in the organization we need to look at. Part of this is also determining what questions I need to ask to really understand the criticality of business operations across the organization. A nonprofit organization, as large and as complex as it might be, will have different resiliency needs than a major utility, which will have different resiliency needs than a health care network. So, we customize our approach to each particular situation. Once the need has been scoped, you can schedule BIA interviews and assign pre-work. We want to identify everyone we need to interview, all of the core business leaders, and send them pre-work to complete before our conversation. That pre-work usually includes some basic questions about their responsibilities.
What does their team do? In two or three sentences, explain to me what a disruption to your business looks like. How does it impact the organization? Tell me in your own words. But we also want to ask about their history with previous disruptions. What happened? How did you work through that? What systems are you most dependent upon? That way they come to the interview with a clear idea of the topics we’re going to discuss. Then we conduct the BIA interviews. This is the most important part of the process, because this is where we uncover the strengths and the weaknesses of your systems and processes. Most interviews last 45 minutes to two hours, depending upon the complexity of the system or process. We talk about the systems, the technologies, their impact on the business, their dependencies on these technologies, their dependencies on third-party services, suppliers, facilities, and anything else that’s relevant to business continuity in their area.
Anything else that’s relevant to the scope that we talked about and determined as we were scoping the need. When all the interviews are complete, we aggregate everything we’ve learned, including the impact of a disruption to revenue, expenses, reputation, and other factors in every area that we’ve examined. Our report includes the analysis of key systems and business processes, along with recovery time objectives for every area. And we capture the interdependence of operations within your organization. This is a report you can take to your senior management to present our results. And our staff can even join you to present our findings if needed.
That’s the business continuity process, the business impact analysis process, rather, that we follow. I want to end by talking a little bit about the value of a business impact analysis. Years ago, I was invited to speak to the board of directors of a large organization, and they were looking to strengthen their business continuity program. So, I had this meeting with their board and just gave them some advice in this conversation. I joined them for this meeting and I had some questions about their efforts. They had a lot of documentation. They had a full business continuity plan document. They had a program outlined. I was encouraged by their efforts, because it showed that they were invested. And there was a strong commitment from top management, from the board and the executives, to drive this program. But then I asked about their BIA, because it wasn’t mentioned in their documentation.
“Well, we don’t have one of those. We already know what’s critical.” Sure enough, after we went on to complete a full BIA for them, we identified a host of business processes and teams and dependent systems that were critical to their business, but weren’t at all part of their business continuity plans. They simply hadn’t thought about the role that these other parts of the organization played. Without a BIA you lack the data to properly prioritize your business continuity efforts and plans. In the worst case, you may even be overlooking critical systems and processes and teams that you never thought to include in the first place.
Without the BIA, you’re blind to the full impact a disruption can have on your revenue, expenses, reputation, and your mission. With the BIA, you’ll have the data you need to plan a business continuity program that protects your most critical systems and processes first and gives you a roadmap for recovering everything else in your organization that’s important, in order of importance. If you need advice or guidance in your business continuity planning or with your business impact analysis efforts, Bryghtpath has built the processes and programs for many Fortune 500 companies, complex nonprofits, and public sector organizations. We’d be happy to help. Visit us at bryghtpath.com/contact. That’s it for this edition of the Managing Uncertainty podcast. We’ll be back next week with another new episode. Be well.