BUSINESS IMPACT ANALYSIS

“What is a Business Impact Analysis?”

“Well it’s part of the process used in a Disaster Recovery Plan.”

“What part is that?”

“I think it’s the phase that comes after Risk Analysis.”

“I see, but what does it do?”

“I think it provides an analysis of the impact on the business.”

“What sort of impact?”

“Any sort of impact I suppose.”

it is frightening to think that conversations like the above actually take place but they do! even some of the more enlightened individuals in our business do not fully understand the purpose or the importance of a bia. consultants even sell a bia module without knowing how important it is or how useful it can be.

The following is a personal explanation of what Meredith Solutions uses a Business Impact Analysis for and why it is so important. Let’s start again at the beginning with the original question. “What is a Business Impact Analysis and why is it so important to your company in the quest to build a Business Continuity Management (BCM) plan for your business.

The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise or at least it should be if it is handled correctly. Even so, it cannot stand alone and you should not let anyone persuade you otherwise. It has to co-exist with the ‘awareness programme’ which is always the first stage of the BCM programme. It is necessary to make the highest level of management aware of the need for BCM and for them to understand that without their approval, backing and direction, the exercise will not achieve its full potential.

Angela Robinson, FBCI, in Continuity Volume 1, Issue 2, under the heading ‘The business case’, emphasised ‘the need to approach the highest level executive within the organisation to gain approval to proceed with the business continuity planning project’. She goes on to remind us of ‘the need for planning across the whole organisation, or at least across a self-contained business unit’.

I fully concur with Angela’s comments and would expand them only by saying awareness must be raised from the chief executive right down to the shop floor or office. The senior management must be aware of the need for Business Continuity Management and give the exercise the direction and leadership it deserves. An organisation I am working with currently gives equal credence to Year 2000, the Euro and Business Continuity Management even though, with all the work involved in the first two programmes, it would be far simpler to leave the latter until after the millennium.

The Planning Team or Steering Committee need to be aware of the importance of BCM so that they understand their responsibilities and take full ownership of the programme.

Similarly the people who are to be actively involved in the BIA module have to fully understand the extent and purpose of the analysis, where it fits into the whole BCM exercise and what the results of their due diligence will produce. They should be encouraged to pass the word to their colleagues and subordinates, about the importance of BCM and how the resultant organisation, together with appropriate contingency plans and procedures, will protect their very own livelihoods.

I said earlier that a BIA cannot stand alone and I think I have said enough about preparing the ground (awareness). I also firmly believe that Risk Analysis follows naturally on from a BIA although it is not absolutely essential.

My recommendation however, is that Business Continuity Awareness fronts the exercise, Business Impact Analysis comes next with Risk Analysis following on closely behind. In fact I propose all three to my clients as the first module in a Business Continuity Management Programme. Some learned individuals in our business will recommend that Risk Analysis comes before a BIA but I strongly disagree and I will explain why as we proceed.

As Angela Robinson says ‘get a clear definition of the project first of all’ which brings us neatly back to where we began. What is the BIA being carried out for? What are the terms of reference and what are the specific requirements of the Project Sponsor? The real point is that the BIA exercise can be adjusted to cover additional ground or slanted towards a particular aspect of the BCM programme. Therefore we need to understand if this is the first BIA ever conducted in the organisation and therefore will it be used as the very blueprint for the eventual contingency plans. Is it simply a refresher exercise to check the validity of existing arrangements? Is it to question the appropriateness of existing arrangements and perhaps prompt a complete change to current contingency policy, i.e. self provision to third party provider or a shared responsibility.

The most important detail is to have agreed a signed terms of reference with the Project Sponsor who would usually hold a key role on the Planning or Steering Committee. Once the terms of reference (TOR) are agreed the BIA can begin but remember to refer back to the TOR regularly because a 1 degree deviation on day one has a nasty habit of becoming a 180 degree deviation after six months.

Having said the BIA can be adjusted to cover any specific client requirement it does have a fundamental theme at its very core. This purpose is to identify the affect of many different external and internal impacts upon the various parts of your organisation in times of crisis. These different impacts, which I will describe later, when analysed, will show us which parts of your organisation will be most affected by an incident and what affect that will have upon the company as a whole. In other words we will use the BIA to establish which are the most critical business functions to your company’s survival. Each organisation has thousands of operations in its overall business but only a percentage will be key to survival and it is these we need to build business continuity arrangements for. Of course we will not ignore the remainder but because they are less important we can prepare recovery plans for them instead.

In our opening conversation we talked about Disaster Recovery and I would counsel you to discard those words once and for all. They are associated with failure, the need to recover from a disaster because of a lack of planning. In a Business Continuity Management Exercise when we have carried out our BIA and we know what is key to our Company, we are able to prepare our contingency plans accordingly. We may have ‘Hot’ provision for the critical business functions, ‘Warm’ for the next level of importance and a ‘Cold’ provision for the rest. The point being that, even if we have decided to do nothing because the risk does not warrant the expenditure, we are prepared because we are aware. It will not be a disaster because we have considered the cause and effect and decided our policy accordingly as part of our Business Continuity Management Exercise.

Now I can explain why I believe Risk Management comes after the BIA. Surely it is better to consider the internal and external risks to our business when we know what the critical business functions are. We will have a much more focused investigation if we know beforehand which functions are the most important to us.

Let’s get down to the BIA exercise itself and make the point, right at the start, that this is probably the one and only occasion when you will get to sit down with all the function heads in the organisation. These are busy people so make sure you use the opportunity to the full. I prefer to adapt my BIA forms to reflect the exact terms of reference and to cover as wide a spectrum as I can. Furthermore, I always have these forms completed and analysed before I speak to the individuals concerned. Other practitioners I know complete the form during the interview but I consider this cuts down the actual discussion time. I find it difficult enough to cover all the ground I want to in an hour without having to complete the very considerable detail required in my BIA forms. I prefer to explain the forms carefully at the start of the exercise so that everyone knows what to expect and how to fill in the questionnaire. Then I am in a position to understand the participants resp! onses before the interview and have relevant questions available. I want to know, apart from anything else, what is key in their operation and what impact, financial or otherwise, an interruption will have on the business as a whole.

We can now begin to look at the programme of events in more detail.

Introduction

At this inaugural meeting of the BIA participants give out your draft forms which cover all aspects of the module including any special aspects requested by the Project Sponsor, who definitely should be present. Explain to them that they have been selected to fulfil a very important role, that of identifying the critical business functions of the firm. Their returned forms and subsequent interviews will provide the blueprint for the eventual contingency arrangements that will protect the good reputation of the firm, enable continued profitability and make sure theirs and their colleagues livelihoods are protected whatever crisis may beset the company.

Explain that the BIA forms are intended to provide all the detail required as far as you have been able to ascertain. However, the content is flexible and can be adjusted should any individual feel there are further aspects to explore and the Project Sponsor agrees. These are forms developed over several years but often need adjusting for specific assignments. Explain each part of your set of forms and then ask them to consider their suitability in this particular exercise and let you have their comments over the next three days. The amended set of forms should be circulated within one week of the inaugural meeting, with a further week given for completion. It is important to keep this time span short in order to avoid any loss of purpose instilled at the outset.

The BIA forms used by different practitioners vary widely and in fact, some use no forms at all. I believe they are an integral part of the module, particularly as they are completed and signed by each participant. There can be no confusion then about what detail was provided as is the possibility when only an interview takes place.

BIA Forms

Part 1. Impact Section

I get around this problem by asking them all to assume the most serious incident which simply no one can trivialise. I use the example of an aircraft crashing into their building. This is unlikely to happen I know but at least it means all the participants are starting from the same point of view. Their likely continuity and recovery criteria will be based on the same level of understanding.

Explain that your forms and the associated interview, set out to achieve the following:

• to understand what the operational and financial impacts and exposures are to THEIR PARTICULAR BUSINESS FUNCTION should a serious disruption occur
• to be able to define the critical business functions that must be able to continue, more or less uninterrupted, should an incident occur
• to similarly define the priorities for the resumption of the remaining business activities
• produce a blueprint of the requirements (personnel, equipment, services, etc.) to enable continuity and a phased recovery as appropriate
• identify the present level of preparedness to deal with an incident should it occur
• highlight areas where operational practice can be improved to give greater operational resilience
Make sure your audience understands how these forms will help to achieve the above objectives because:
1. You will ask the respondents to categorise the severity of operational impacts on a scale of 1-5 over a time-frame from the day of the incident up to the end of a six month period. Clearly some functions will need to be continuous but perhaps others could be left for up to six months to recover.
   Your category of impacts will vary for different organisations but should probably include some or all of the following from an operational stand point - Cash Flow, Public Image, Financial Reporting and Control, Client Service, Competitive Advantage, Industry Image, Legal & Contractual Violations, Regulatory Requirements, Third Party Relations and Employee Morale.
2. Then you will turn specifically to the Financial Impacts and ask the respondents to attempt to put a developing cost figure for each category over the six months period Explain that these, when collated, will provide a picture of the likely financial impact to the company , if a serious incident occurred, for which they were not prepared. It is not unrealistic for it to take a company six months to start operating again if there operation was completely destroyed and they had no contingency plans.
   In the financial categories you should probably include some or all of the following - Inability to Complete Current or Outstanding Business, Loss of New Business, Loss of Existing Business, Cancellation of Existing Sales, Compensation Payments, Contractual Penalties/Fines, Availability of Operating Funds, Drop in Share Value, Lost Interest on Incoming Monies or Cost of Borrowing Expenses, Lost Productivity, Extraordinary Expenses, etc. Clearly your categories will vary according to the business you are working in and the above is by no means a comprehensive list.
   N.B. It is important to stress that you need details of all financial impacts even though they may be covered by insurance.
   Be sure to stress how important it is to respond to the questions only from their own departments viewpoint rather than the company as a whole, otherwise you will experience double counting.

Part 2. Impact Profile

In the earlier sections we attempted to gain information on the Operational, Reputational and Financial Impacts following an incident. Now we want to ascertain whether there are particular times when these impacts are more severe than others. For example, if a department shows it can lose £1 million in a period of six months it is particularly relevant to know that the actual loss occurs only in the month of June and not at any other part of the year.

Probing into the impact profile provides us with the information we require to understand whether a company or department is more vulnerable at one time than at another.

Your BIA forms, therefore, should cover Daily, Weekly, Monthly and Annual Impacts again using a 1-5 categorisation.

The returns from the forms will allow you to understand the crucial times in the company’s key procedures and allow you to build appropriate contingency plans accordingly.

Part 3. Recovery

In this section we assume that the incident has occurred and facilities are available to recover. What we are aiming to ascertain is how long it will take the department to recover from the disruption given their current level of preparedness.

There will be a backlog of work and we need to know how long it will take to get back up to date again, if indeed that is possible, or is it feasible that the department has to start from scratch.

The particular importance of this section is not only to understand how long it takes to catch up but also whether or not other functions or indeed the department’s own work, can start afresh beforehand. Furthermore, it is not simply about the function itself but it also gives us an insight into the possible staffing requirements.

For example, consider a Premises Department. They could find themselves securing and salvaging at a damaged site, managing a contingency site, looking for an alternative site and preparing to repair the damaged site. It is very unlikely that the existing compliment of staff could cope under these circumstances and this emphasises the need for ‘additional cost of working’ insurance to pay for the additional staff required.

Part 4. Losses

In a major incident companies will lose all sorts of vital information and equipment. This section is an attempt to gain information about the significance of those losses.

In the industry I work in the majority of loss revolves around the loss of information and my forms reflect that fact. I attempt to ascertain how long it would take departments to reconstruct that information if it were even possible.

In other industries it may well be key equipment or processes which, if lost, would take time to replace and we need to know these facts in order to establish a pattern for continuity or recovery.

This is the first part of the BIA form that addresses the present level of preparedness and allows us to understand where we might suggest improvements to existing operational practice.

Part 5. Work-arounds

Heading on directly from loss of information; equipment or processes is the section on work-arounds. Here again we are looking at the present level of preparedness. How far have the individuals concerned thought about what they would do it there was a serious interruption to their function?

For example, in Banking if we lost access to our computer systems we could not settle outstanding transactions could we? Well if we had copies of yesterday’s computer printouts, yesterday’s deal tickets and access to a phone, we could probably make a jolly good try! This example is over simplified of course but I hope it gives the general idea. Similarly, if you were working on a complex legal transaction it would make sense to go to your lawyers who would undoubtedly have all the relevant papers anyway.

Once again we are also trying to ascertain how long it would take to put the work-arounds in place following an incident and how long the department could continue to function with them once they were in place. Furthermore we need to know whether these are simply ideas or practised and tested emergency procedures.

It is often useful to refer back to this section of the BIA forms when planning desk top exercises to test the practicality of individual department’s contingency plans at a later stage in the BCM programme.

Part 6. Computer Access

Nearly every company now has access to computers in some form or another and they become more and more reliant upon them as each day passes. It does not really matter whether we are talking about access to mainframes, midrange or PC (networked or standalone). What we are trying to establish is how dependant they are upon them and how prepared they are to deal with a disruption to their availability. Hopefully in the case of mainframes and midrange the IT department will have set the necessary level of contingency arrangements, security, access criteria and back-up programme. However in the case of PCs certain functions are available, even on networked machines, which can cause a glitch in the company procedures.

We need to know what the back-up procedures are and whether this responsibility lies with IT or the individual. If the individual uses the local hard drive and floppy disks what are their back-up arrangements and where is the resultant media stored.

Once again this section is all about understanding the level of preparedness, the likely affect of an impact and the likely recovery time, if that is even feasible.

I make two recommendations. Firstly, I tell my participants they should decide how often their data is backed up and they should not leave it to IT to decide as they have no knowledge of its actual importance. Secondly, always interview IT last of all in the BIA exercise because by then you will have a pretty good idea what the overall situation is and what is important at departmental level rather than what IT considers it to be!

Part 7. Continuity and Recovery Requirements

Hopefully by now we will have made each respondent aware of the Operational and Financial Impacts caused by an interruption to their functions, when it would have most affect, how long recovery might take, what losses would be suffered and how prepared they are for such an event. What better time than to ask them to consider what they require to continue the key business functions and recover the remainder? We need to understand what they currently have in place to carry out their operations and what they will require from the time of the incident through to normal operations again.

I use a varying time-scale showing requirements immediately after the incident (1 day, 2 days, 3 days, 4 days and a week) and then less frequently (one week, two weeks, 3 weeks, one month) and finally three months and six months. This gives the opportunity for the respondents to show their requirements in the first few days for the continuity of essential functions, then as they bring the next most important aspects of the operation back into being and then finally the slower recovery of the less important aspects.

We will need to know how many people are required, what equipment they will need, what software is necessary, what computer printouts will be needed, what critical business records, what raw materials and external services, what data and information, etc. In fact we are aiming to provide a blueprint for the overall requirements needed to continue the company’s key business functions and recover the remainder in a phased but controlled manner.

(There is a tendency today, particularly in the Financial Sector, to provide a three stage contingency arrangement. Hot facilities which are immediately accessible with mirrored systems and applications for those critical business functions which cannot afford to experience an interruption. This facility usually covers the requirements from the day of the incident through to the end of the first week. A ‘warm’ facility, often occupied by staff who do not have to be in the main business offices, equipped with the requirements for the recovery of functions that must be operational again within one month. In a crisis the normal residents will be moved elsewhere and the systems realigned to cope with the requirements of the new incoming operatives. (The key critical functions are protected by the ‘Hot’ facility and we have up to a week to make the ‘Warm’ facilities operational.) A ‘Cold’ facility or service will be available to cope with operations that can wait for longer t! han a month before recovery is necessary. This may involve empty space with simply the required infrastructure in place and the equipment will either be purchased in the preceding month or be on contract delivery from a Disaster Recovery Firm. The important point, however, is that they are only able to be this precise about their requirements because a BIA has identified what processes are key to their business and the departmental management has specified their continuity/recovery requirements.)

Part 8. Dependencies

There is also a need in a BIA to understand the relationship between departments and functions. How dependant one area is upon another and how the functions fit together. This part of the BIA is important for two reasons. Firstly, to ensure in their recovery requirements departments consider their relationship with others and secondly, to make sure the eventual contingency facilities allow for the interaction between related functions. There is no point one department having comprehensive contingency plans if another on whom they are totally dependant has nothing.

It is interesting to note that, particularly in the retail sector, major companies are insisting on seeing and understanding their suppliers contingency arrangements. Similarly major Pension Fund Companies are telling the organisations, whose shares make up their funds, that they will sell the holding unless they can prove they are Y2K compliant. Just two examples of good BCM practice related in this instance to Dependencies.

The BIA Report

I have now developed my BIA procedures to such an extent that when my interviews are complete the only thing that remains to be completed in the final BIA Report is a Management Summary (Introduction, Conclusions and Major Recommendations) and the Findings and Conclusions section.

I write up the departmental notes as I go along and list the recommendations at the same time. By this time you will be very familiar with the overall operations of the company but remember anyone reading your report in six months time will not have your experience so make sure the document can survive the passing of time.

Make sure your report is positioned by the inclusion of the background as to why the BIA was conducted, what the objectives were, the scope of the exercise and the approach you used. If you follow this methodology you will undoubtedly produce a large and detailed report particularly if you use graphs, tables and diagrams to stress the impacts and contingency requirements. However very few people need to read it all. You should have a management summary for the executive, individual sections for the departments and proposals for those in quality assurance and those whose responsibility it is to introduce the contingency plans.

I would always recommend that a draft report is submitted to the Planning or Steering Committee for their perusal and ratification. There is nearly always a need for someone to critique and rationalise the departmental content, i.e. the training department may insist they are back to 50% strength in a week but senior management may well take a different viewpoint. During interviews you can only suggest the returns and requirements seem unrealistic but if the respondent insists you have to include their detail, hence the importance of rationalisation.

Once the BIA report is complete it will highlight what are the critical business functions where the impact of an incident is most important. You will have indicated the current level of preparedness, made recommendations for improvement in normal working practice and in emergency and provided a blueprint for the continuity and recovery of the functions making up the entire company.

Risk Analysis

At this stage I would conduct a Risk Analysis because I know which functions are critical to the company’s survival and reputation. Therefore, I know which areas to concentrate upon specifically when I conduct my analysis.

Remember we are concentrating on Operational Risk but this is not simply about premises, facilities and systems, it also involves people too! No contingency plan, no matter how well defined and practised, will work without the essential people so do please look at such important aspects as depth of knowledge and training. Does the company have ‘succession planning’ in place because the loss of key personnel can be just as big an interruption as a fire.

Operational risk is a vast subject covering premises, facilities, location, services, suppliers, utilities, systems, people and procedures but that will have to be the subject of another article!

Conclusion

I hope I have at least been able to give you a flavour of the importance and depth of a properly conducted BIA. How, if you get the structure, purpose and scope agreed, it will become the very backbone of your Business Continuity Management Programme and provide the blueprint for survival.

Finally I would leave you with these thoughts:

1. Disaster Recovery is a term of the past, an admission of failure. Yes, some of you will experience serious disruption but if you are aware of the consequences it will not be a disaster.
2. Business Continuity Management is the process to ensure your critical business functions continue in a crisis and the remainder are recovered in a controlled and phased manner.
3. Business Continuity Management and Maintenance do not belong with IT or Premises but with the business itself. If responsibility cannot reside there then Internal Audit is the obvious choice.
4. It is easier to teach someone to carry out a BIA than it is to teach someone your business. Make sure at least some of your people are involved first hand in the BIA or the consultant comes from a relevant background.

---