Even before the pandemic, the business risk picture had been deteriorating. What can businesses do? Be prepared for the worst; and at the core of that effort lies the business impact analysis.
The business impact analysis gives organisations an intimate understanding of how their core business processes would be impacted by crises, disasters, or disruptions, offering insights into what’s needed to develop organisational resilience in the face of uncertainty and disruption.
All too often, though, businesses fail to properly conduct the business impact analysis. Why’s that? Well, for one, the analysis itself can be time-consuming.
Performed without the right approach and business continuity management software systems, the business impact analysis can also feel academic, abstract, or worse, a wasteful exercise with little real-world impact.
Indeed, conducting a business impact analysis isn’t exactly easy. But it’s nonetheless critical to organisational resilience. As a result, certain jurisdictions (federal, state, and local) mandate that businesses, especially in critical infrastructure sectors, develop robust business continuity plans (BCPs) and procedures as well as are able to produce evidence of proper documentation under audit. The business impact analysis also features prominently in international best-practice standards, like ISO 22301, which provides guidance on business continuity management.
The case for undertaking a business impact analysis is clear. But the question we answer here is, how to make the exercise actionable and achievable in your business?
A diagnostic of a business’s internal dependencies and vulnerabilities, the business impact analysis provides the analytical baseline for developing business continuity plan materials, and battle-readying continuity management systems and processes. In essence, it acts as the dashboard for asset protection and recovery action prioritisation, keeping everyone from the CEO to the doorman on the same page, should disruption occur.
A good business impact analysis:
It is these interdependencies that the business impact analysis is particularly focused on identifying and quantifying, with the analysis itself serving as a necessary prerequisite for an informed prioritisation of assets to protect and the relevant recovery actions to initiate in the case of an emergency.
So how do organisations identify these interdependencies, and what’s the best way to quantify the risks inherent in them? Well, developing a business impact analysis often takes the form of workshops or questionnaires.
Interviewed staff from across the organisation identify internal and external dependencies critical to their unit’s operations, before quantifying the business impact that will happen if these operations are halted.
Such analysis is oriented towards critical indicators that sum up the ‘breaking point’ of a business’s operations: the maximum amount of damage an operation can sustain before the business is functionally dead in the water (maximum acceptable outage) and the resources that would be required to return operations back to normal (recovery strategies).
This entire process should surface recovery requirements that are then used to develop strategies, solutions, and plans for each of the business’s unique vulnerabilities. For example, if a data centre estimates that any data losses of greater than four hours would mean the end of the business, but data backups entail significant costs, the analysis might inform plans for data backups every hour rather than every second.
At the end of the day, a business impact analysis can be described simply as a stock-taking exercise of where a business’s vulnerabilities are, as well as a quantification of how bad things would have to get before the whole business got dragged under water.
The business impact analysis enables senior management to proactively set tangible, business-unit-specific targets, so as to ensure organisational resilience. But without the right approach, system, and procedures, the process gets overly complicated.
It’s often reported that the alphabet soup of business continuity management acronyms and jargon can feel academic, abstract, and divorced from immediate business realities.
Compounding the challenge is the overwhelming amount of information to be sifted through and curated. At times, the analysis required can also be site-dependent rather than unit-dependent, which requires different approaches and visualisation capabilities.
What’s more, the data-capturing process, if done manually, is extremely labour-intensive. Which makes it rife with opportunities for error. In fact, even if manual data collection goes flawlessly, senior management may still decry information overload.
These challenges can lead organisations to cut corners on the business impact analysis process. That’s particularly dangerous given the dynamic pace of change across the economy. Those changes can leave organisations blindsided in emergency situations.
In 2012, for example, Hurricane Sandy revealed how disaster recovery needs to be constantly adapted to new environmental realities. During and after the storm, areas that had never been flooded found themselves underwater for the first time, causing outages of far longer than the 48 hours that many local utilities had considered the upper limit in their disaster plans and exercises.
How then to get the benefits of pragmatic business continuity management (more broadly) and business impact analyses (specifically) without wading through the morass? Invest in flexible innovations that conform to the specifics of your organisation but evolve as those dynamics change.
Digital technology, especially, can streamline parts of the business impact analysis, leaving continuity professionals more capacity to focus on the most important parts of their job, i.e., embedding resilience into their organisation’s culture and activities.
For one, next-generation business continuity software, like Noggin Continuity, simplifies the varied requirements of performing a business impact analysis into a streamlined, user-friendly process.
What, exactly, can you get? Such software solutions have the tools to simplify the most onerous parts of the business impact analysis process. The tools themselves limit the time and effort required from users, reduce the potential for error, and streamline workflows – all in the service of improved organisational resilience, compliance, and preparedness.
That’s not all. Such solutions provide the tools needed to effectively assess the risk of business disruption and attendant impacts, coordinate response to disruptions, and manage incidents, including the following:
Finally, a pragmatic business impact analysis will give organisations the intimate understanding of core business processes they need to ensure resilience faced with inevitable disruption. But without the right plan of attack and underlying streamlined systems, the exercise can easily become cumbersome and overly academic.
Fortunately, simplifying the business impact analysis so it makes sense for your business is possible. Business continuity management functionality, like powerful workflows, gives organisations the tools they need to simplify the most onerous parts of the process, limiting time and effort required by users, and ensuring resilience, compliance, and preparedness.
Such functionality also helps organisations make the crucial transition from continuity events to crises. To learn more about the case for a flexible business continuity system that scales with crisis, download our guide, When Business Continuity Events Become Crises.
Published May 19, 2021