Wednesday, January 15, 2014

Redefining the BIA – Usefulness and Uses

By Geary W. Sikich
Copyright© Geary W. Sikich 2014. World rights reserved. Published with permission of the author.

If we agree on the basic premise that Business Continuity can be defined as sustaining what is critical to the enterprise’s survivability during periods of discontinuity, then we must recognize that the activity known as the Business Impact Assessment (Analysis) or BIA needs to be redefined. The BIA, as currently practiced, does not necessarily achieve the following:

  • Define what is critical to the organization;
  • Develop strategies to recover/sustain during times of discontinuity.

I posit a two-phase BIA framework consisting of a pre-event general analysis and a post-event identification and assessment of business impacts and potential consequences for the enterprise. Events are nonlinear and therefore carry uncertain outcomes. As a result, traditional pre-event BIAs are of little value when conducted using concepts such as mission critical, recovery time objectives, recovery point objectives, etc. Events evolve; the elements of randomness and nonlinearity create opaqueness (opacity: the quality of being difficult to understand or explain) that a traditional BIA underestimates.

Pre-Event General Analysis: Points and Questions

1. Customers – Sustainability within current markets, capacity to overcome disruptions and continually transform to meet the changing needs and expectations of customers, shareholders and stakeholders.
2. Current Competitors – Define immediate market areas and determine strength of competition to influence market share, human capital, customer base.
3. Providers – Sustainability, strength in markets served, loyalty, capacity to manage surge.
4. Suppliers – Ability to influence capabilities to provide product/services, readily available alternatives.
5. Stakeholders – Capability to meet expectations.
6. Government/Geo-Political – Regulatory agencies and compliance scrutiny, potential actions – direct impact, potential actions – indirect impact.
7. Substitutes – Readily available alternatives, differentiating qualities.
8. New Entrants – Barriers to entry, financial challenges, customer loyalty, customer tolerance level.
9. Economic – Changing market demands for services/products (internal/external).
10. Social – Human capital, skills, perception/image, moral, ethical impacts.
11. Technology – Infrastructure (internal/external) ability to handle surges, vulnerabilities, cascade effects of failure.
12. Financial Capacity – Ability to draw on reserves to offset cash flow disruption.

The second-phase BIA focuses on the evolving situation (nonlinearity, uncertain outcomes, etc.) – identification and assessment of business impacts and potential consequences for the enterprise as they are unfolding. We rarely make a credible attempt to identify post-incident impacts and consequences in any significant detail. So, re-entry, recovery, restoration and resumption of operations are step-children that are skimmed over in the traditional BIA process.

Key analysis areas for an “Active Analysis” framework are as follows:

  • Human Capital – consisting of management, employees, stakeholders, suppliers, providers, partners, contract/vendor entities, etc.
  • Clients – consisting of current, new and former customers.
  • Systems – consisting of internal operating systems and critical external infrastructures.
  • Suppliers – consisting of providers of essential business logistics/services, etc.
  • Utilities – consisting of electric, gas, water and telephone service providers.
  • Telecommunications – consisting of internal telecommunications systems linked to external telecommunications providers.
  • Energy Supply – consisting of energy delivery systems and energy support systems.
  • Government Services – consisting of emergency management, police, fire, emergency medical, Federal, State and local government bodies and political support systems.
  • Transportation – consisting of air, land and water transportation systems and support systems.
  • Financial Services – consisting of financial markets, investments, statutory deposit requirements and cash flow systems.

Each of these elements would be constantly assessed as part of an “Active Analysis” post-event BIA framework to determine the potential impact of loss or degradation to the enterprise and its networks. The above is an example and is not meant to be exhaustive. In the post-event environment you will have to be creative and you will have to be responsive.

Conclusion

When it comes to building your BIA program, focusing on survivability is the right approach, provided you have thoroughly done your homework and understand what survivability means to the organization. Post-event opacity will produce numerous situations that challenge survivability. Looking in the rearview mirror of the traditional BIA can result in confusion, chaos and unintended consequences.

Copyright 2014, Geary W. Sikich and Logical Management Systems, Corp., all rights reserved.

Geary Sikich is a Principal with Logical Management Systems, Corp., a management consulting and executive education firm with a focus on enterprise risk management and issues analysis; the firm's web site is www.logicalmanagement.com.