You may have missed our Managing Uncertainty Podcast episode from December 26th on To BIA or Not to BIA, where my colleagues discuss the trend of not completing a Business Impact Analysis (BIA).
This was a follow-up podcast to a previous episode of Managing Uncertainty that discussed the Traditional BIA.
Both podcasts are great and really explain what is going on within the Business Continuity profession. I wanted to take a little time to give you my perspective.
A bit of background
First, a bit of background since this is my first post on our corporate blog.
I started my career in Business Continuity as a consultant for a big-four accounting firm.
My very first project was as part of a team of twenty-five (25) that was tasked with conducting the Business Impact Analysis (BIA) for a major insurance company in the Midwest. The team of 25 was made up of auditors with insurance company backgrounds and business continuity professionals from all over the United States and Canada. This team was divided into smaller teams to tackle the task of completing a corporate-wide BIA over a three to four-month period.
It was because of this engagement – and the fact it was my first assignment – I have a long-enduring love for the BIA process. I find it fascinating to learn how a company through the lens of its business impact analysis.
The down side of a project like this is writing the BIA report.
After the majority of team moved onto to other projects, a core group of eight (8) of us were left to write the report. This is where you start to realize the traditional BIA has some faults.
Looking at the overall results, one of the top prioritized processes for recovery across the entire organization was “changing light bulbs” from the facilities team.
It was at this time that I realized the importance of validating the BIA results during the process.
Here we were three months after the actual BIA interviews trying to prioritize the processes and found an anomaly like this. Going back to the client was not an option so we did the next best thing and discussed the anomaly in the written report. We stated clearly in the report that the process of changing light bulbs was not critical during a crisis.
Nine years later
Fast forward nine years later and I begin a new role as a Senior Business Continuity Manager within the financial services industry. I walked into an existing program with existing plans. I learned early on that my employer didn’t complete an annual BIA using a traditional approach – there was no survey, for example. Instead, all the data captured in the BIA was integrated within the Business Continuity Plan itself. Basically, we combined the BIA interview process within our plan review process.
After a few years, I brought forward to our team the idea of doing a traditional BIA. To differentiate this from our current annual BIA approach, I branded it as “Detailed BIA.” It was a wonderful time to update the impact categories and spend time reviewing the impact over time for all the processes during a disruption.
There was not much movement of the process criticality after we completed the detailed BIA. Where changed did occur, however, was when we met with the senior executives to validate the processes and their prioritization. We met with each executive and their direct reports to review the criticality of processes for their area.
These meetings produced some great conversations and strategic insight about what is important within each executive’s area. It also required us to go back to a few departments and have them rethink the impacts to their processes after obtaining the feedback from their leaders.
The need for a strong BIA validation approach
Both of these experiences instilled in me that business continuity programs must ensure that their BIA results are validated with leadership before being finalized.
In most programs, we see the BIA completed by a manager who knows and understands the processes being performed within their department. As a Business Continuity professional, you can look at the impacts to the process and be able to discuss with the manager your more strategic view of where their processes fit within the context of the broader organization.
I’ve found that stating that the BIA results will be reviewed by more senior leaders later in the process gives you a little pull in the conversation when you’re challenging the team’s initial read on the criticality of their processes.
Regardless of whether your approach is a more traditional BIA or not, you should always ensure that your BIA data is reviewed annually. You should continue to have an ongoing conversation with the business throughout the year on how their department, processes, vendors, and technologies have changed. And don’t forget to review process criticality with senior leaders to ensure alignment.
Can we help you?
Finding your way through leading a business impact analysis and tying it to an effective business continuity program can be complex and time-consuming. Bryghtpath has the business continuity experience, methodologies, and solutions that can help you evaluate and mature your program.