Business Continuity

Introduction to the Implementation of a Business Continuity System


Continuity and Corporate BIAs

In recent times, the term “Business Continuity” has been increasingly used and applied in organizations, both public and private. This reflects the growing concern that no organization is exempt from suffering an incident that affects the continuity of its daily operations.

But… what is Business Continuity? According to ISO 22301:2012 (the international standard published by the International Organization for Standardization (ISO) that sets out the requirements a Business Continuity Management System must meet), business continuity is the capability of the organization to continue delivering products and services at acceptable predefined levels after a disruptive incident. Read carefully, this definition leaves several unknowns open and implies that a lot of work is necessary to achieve that “capability”.

Regardless of the ISO 22301 standard, the strategies carried out by organizations for the implementation of Business Continuity are very diverse, depending largely on the existing knowledge in the organization on the subject and the resources (economic, technological, human) available.

My first recommendation, if I may, for the implementation of Business Continuity is to use a reference standard on the subject. The standards published by different organizations (for example, the aforementioned ISO 22301 standard) are written by work teams of experts in the field with extensive experience, so they usually incorporate all the requirements that should be considered for the implementation of a system. Some people hold the false belief that implementing an ISO standard (or a standard from another organization) necessarily implies certification. In reality, many organizations use an international standard as a guide to WHAT they can do to achieve their objectives, without being obliged to comply with 100% of the requirements, let alone to have an external entity certify that compliance.

Leaving aside the theoretical part and focusing on the more practical part of Business Continuity, this involves the development of different activities that, firstly, help the organization to know its main characteristics and shortcomings, and secondly, define the necessary actions to recover from any event that affects the continuity of its operations considering the impact for the organization if certain processes stop being executed.

To achieve this, there is a very important activity in any implementation of a Business Continuity System: the Business Impact Analysis (commonly called BIA). This activity is composed of the analysis of all business processes that are involved in the delivery of products and services to an organization’s customers.

How to plan and carry it out will be seen soon in the second part of the article.

When planning the execution of a BIA in an organization, the people leading it mainly ask two questions:

  1. What information do I obtain and analyze from business processes?
  2. How do I obtain this information?

Regarding the first question, there is no single answer as the information needed to know the characteristics and criticality of business processes may vary between different companies. However, it is recommended to obtain a minimum set of information for each process, specifically:

  • Potential impact for the organization in case an incident occurs that prevents the normal execution of the process. This impact should be established considering different interruption times, recommending the use of various types of impact (economic, operational, legal, etc.) according to the nature of the process.
  • Maximum and desirable time frames for the recovery of critical activities of the business process. These timeframes are commonly referred to as MTPD (Maximum Tolerable Period of Disruption) and RTO (Recovery Time Objective), respectively. These are two very important concepts in any business continuity system.
  • Minimum resources necessary for the execution of critical activities of the process in case of suffering an incident that prevents its normal execution. Among the resources that should be considered are infrastructure, people, information, suppliers, physical locations, etc., that is, any element necessary for the process to execute its critical activities.
  • Maximum timeframe for the resumption of all activities (critical and non-critical) of the business process. This timeframe determines the window of time for which the process can be without executing 100% of its activities. This concept should not be confused with MTPD or RTO, as they are very different concepts.

BIA: the Information Needed to Determine the Criticality of the Process

Additionally, each organization must determine what other information it needs to understand the particularities of its processes. For example, a BIA can be used to update the recorded characteristics of the organization’s business processes (activities, work products generated, dependencies on other processes, etc.), as this information is usually defined, if at all, in documents created for this purpose. Furthermore, these documents are commonly outdated because all organizations change constantly to adapt to new business requirements.

In short, to be sure that no important information is forgotten, we can apply the following criterion: a BIA should obtain all the information necessary to determine the criticality of the process for the organization, so that the corporate continuity plan can subsequently be developed to recover the critical activities of each process within the time frames obtained for each of them.

As for the second question raised, the information of a business process should be obtained through the people who have responsibility over the business process, but who also know its functioning and have visibility of how the business process affects the organization’s objectives. These characteristics are not always found in the same person, so in these situations all corresponding persons should be interviewed.

The responsibility and execution of business processes is distributed in different areas and departments of our organization, so when planning a BIA this fact should be considered as it conditions its deadlines. Each area and department has its daily objectives and activities, and managing to plan work sessions to obtain the necessary information for the BIA is not always easy due to the incompatibilities that usually exist between schedules.

In conclusion, the execution of a BIA in an organization can be summarized as a vital periodic process for establishing a business continuity system. In it, all business processes involved in the delivery of products and services to customers are analyzed, obtaining the information necessary to determine both the main characteristics of each process and the impacts (economic, operational, legal, etc.) that the organization would suffer if a process stopped being executed (regardless of the incident or event that causes it). This information should be available when the organization’s continuity plans are drawn up, as it allows the priorities of the different processes to be established and, in this way, the recovery activities to be ordered if an event affects the continuity of daily operations.
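The minimum BIA data set listed earlier (impact at different interruption times, MTPD, RTO, minimum resources, full-resumption time) can be checked for consistency and turned into a recovery order. The following Python sketch is an added example, not code from the article or from any BIA tool; the field names, the 1 to 5 impact scale, the "intolerable" threshold of 4, the ordering rule and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass

INTOLERABLE = 4  # assumed threshold on an assumed 1-5 impact scale

@dataclass
class BIARecord:
    process: str
    impact: dict            # interruption hours -> {impact type: score}
    rto_h: float            # desirable recovery time for critical activities
    mtpd_h: float           # maximum tolerable period of disruption
    full_resumption_h: float  # all activities (critical and non-critical) resumed
    min_resources: list

def validate(rec):
    """Return the consistency problems found in one BIA record."""
    problems = []
    if rec.rto_h > rec.mtpd_h:
        problems.append("RTO exceeds MTPD")
    if rec.full_resumption_h < rec.rto_h:
        problems.append("full resumption earlier than RTO")
    # Earliest interruption time at which any impact type becomes intolerable
    breach = min((h for h, s in rec.impact.items()
                  if max(s.values()) >= INTOLERABLE), default=None)
    if breach is not None and rec.mtpd_h > breach:
        problems.append(f"MTPD later than intolerable impact at {breach}h")
    if not rec.min_resources:
        problems.append("no minimum resources recorded")
    return problems

def recovery_order(records):
    """Assumed rule: shortest RTO first, ties broken by shortest MTPD."""
    ranked = sorted(records, key=lambda r: (r.rto_h, r.mtpd_h))
    return [r.process for r in ranked]

# Constructed sample records (not real data)
SAMPLE = [
    BIARecord("Payroll",
              {24: {"economic": 1, "legal": 2}, 72: {"economic": 2, "legal": 4}},
              rto_h=96, mtpd_h=72, full_resumption_h=120, min_resources=[]),
    BIARecord("Order processing",
              {4: {"economic": 2, "operational": 3}, 24: {"economic": 4, "operational": 4}},
              rto_h=8, mtpd_h=24, full_resumption_h=72,
              min_resources=["ERP access", "2 operators"]),
    BIARecord("Customer support",
              {4: {"operational": 2}, 72: {"operational": 4}},
              rto_h=24, mtpd_h=48, full_resumption_h=96,
              min_resources=["call center seats"]),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.process, validate(rec) or "consistent")
    print("Recovery order:", recovery_order(SAMPLE))
```

Records flagged by `validate` should go back to the process owner for review before the recovery order is used in a continuity plan.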

The execution of the entire process described above can be automated through the GlobalSUITE® Business Continuity tool. This platform offers complete functionality for organizing and registering BIAs, including: a standard, modifiable configuration (types of impact, time scales, minimum resources, etc.) for BIA registration; the possibility of conducting more than one BIA for the same business process; consolidation of the BIAs of a process, considering the different BIAs carried out for the process or its subprocesses; and the design and publication of BIA surveys that are sent to those responsible for each business process, who access the online survey without needing a user account for the tool.