Creating an optimal business impact analysis format
Business impact analysis can be a complex undertaking and many continuity plans never leave port as a result. But there exists a simple and logical method by which business analysis can be accomplished, however, since no two businesses are the same there is no one-size-fits-all formula.
Consider the following when developing your business continuity plans:
Divide and conquer
Every business, however large or small, is made up of smaller parts. Even a massive corporation like Microsoft can be segmented according to criteria such as geographic location, office size, function, etc. Segmenting your business will translate into the scope of your impact analysis becoming more manageable and allows you to better understand aspects that are intrinsic to each division. If you know your weak areas then you can incorporate measures to make sure that they are bolstered. Look at who and what are affected when a key area goes down. Eg. Internet outages. There is an inherent knock-on effect of other services and personnel which in turn affect other entities.
The SWOT method is a way to analyze an entity. It is broken up into strengths, weaknesses, opportunities and threats. While you may be inclined to focus on weaknesses, always find out strengths and opportunities as these will be used for contingency planning.eg. power outages can be used for adhoc strategy meetings in the open air your nearby park.
An approach that I have used and have seen used to good effect is using kaizen where staff get involved in gathering data and identifying risks and threats. This not only makes the data collection easier but makes the BIA process easier and more accurate. Staff who are recognized and rewarded for their contribution and effort are a treasure trove of key insights.
Any form of disruption has a knock-on effect on other entities. You need to provide a way to measure and rate the severity. You should take the following into consideration when rating disruptions:
- Length of disruption.
- How many other services are affected.
- Cost of disruption (per hour).
- The potential to cause death or disability.
- The likelihood of occurrence.
Just because you may think that something can’t go wrong it doesn’t mean that it won’t go wrong. Do not overlook anything and do not procrastinate - delegate and track responsibility where needed. Conduct table-top exercises and walk-throughs to determine if you have missed anything. Procrastination is more than just the thief of time - it can also cost you money. Set time-frames for data-gathering, analysis and table-top exercises. Where needed get management involved to speed things along.
BIA is a vital part of your business continuity plan.
Business impact analysis is a key part of business continuity and the BIA must be thorough and up to date. Like business continuity it is an ongoing process can be easily managed by “dividing and conquering” - understanding your organization and involving all staff.