
Business Continuity Management (2): Business Impact Analysis

Tony Blunden
 
Business Continuity Management
Before you can start to decide what the business continuity arrangements should be for an organisation, it is necessary to have a good understanding of the key elements of the business, how they fit together and what they rely on both inside and outside the organisation.  In other words, make sure you understand exactly what it is you are protecting before trying to protect it.

For any reasonably sized business that has been around for a number of years, there will be a variety of documentation detailing processing flows and systems over part or all of the organisation. This documentation can be a good starting point for scoping the BIA, but it is unlikely to give you much of the data you need.  That information sits in the heads of the business and departmental managers.

 
Embedding BCM in the Organisation's Culture

The best starting point for carrying out a BIA is to think through the answers you are looking for. For example, in order to build a proper cost/benefit case you need to know how much company value is lost for every hour or day that the organisation (and each part of it) is not functioning. You need to understand where the revenue generation is dependent upon supporting departments carrying out time-critical tasks. You need to understand which parts of the system infrastructure support the critical activities. Then you can prepare a list of questions that will reveal the areas in which a disruption would have the greatest impact on the business.

This approach will ensure that you ask the same questions consistently over the organisation and, at the risk of sometimes asking irrelevant questions, it may bring out some surprising results.  The first time a BIA exercise is carried out in an organisation the data gathering usually throws out some dependencies that had not been obvious before, sometimes even to the managers giving you the information.  The BIA should look at worst case scenarios where a department, service line etc. is completely stopped.

A BIA should generally gather information that includes the following as a minimum:

  • Complete list of products/services (prioritised in terms of direct/indirect revenue and other key factors).
  • Critical processes to support the most important products/services (with time-critical details).
  • Key staff to support the critical processes.
  • Key systems, records and equipment to support the critical processes.
  • Reliance on internal departments or external suppliers to carry out the critical processes.
  • Reliance on specific premises to carry out critical processes.
  • Key customers and stakeholders who would be impacted by the loss of products/services.

Most BIAs will usually include a host of other details, such as salvage details, call tree details and existing recovery arrangements. Although these are technically part of later stages of the BCM lifecycle, gathering them now will save another round of questions with the same group of managers.

The various Business Continuity standards all rely on BIAs as a key part of the process, although each has its own set of jargon (usually the dreaded TLAs - three letter acronyms) to describe the various types of information required. PAS56:2003, the most widely used standard in the UK, uses the following terms:

  • MCAs: Mission Critical Activities.
  • RTOs: Recovery Time Objectives, that is the length of time before an activity or system will be functional again. (Sometimes this refers to partially functional and sometimes fully operational.)
  • RPOs: Recovery Point Objectives, that is the point in time to which the data in a system will be restored. For example, restoring last night’s backup, which would mean that today’s work would probably need re-keying.
  • LBC: Level of Business Continuity, that is the minimum level of continued output of products or services that would be acceptable to an organisation in order to achieve its revenue targets. This is sometimes used as an emergency business level in order to distinguish it from ‘business as usual’ productivity levels.

Other standards use different terms but conceptually they are all very similar and however you term them, they are useful ways to describe some of the key elements of the BIA.

For all but the smallest organisations, the data gathered for BIAs are usually broken down into business lines or departments. Although these give a useful view of the organisation, the greatest value is to be had by summarising the critical information into a single model. This will give you your lists of key processes, staff, systems, equipment, etc.

For each key process, consider all of its dependencies in turn and build up a picture of exactly what is required for that key process to run. If it relies on other processes then add in their dependencies and so on. The list of systems, staff and equipment required for the key process will grow beyond the obvious. It may also identify links to other key services.
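The dependency roll-up described above can be sketched in code. This is an added example, not part of the original article; the process names, the dependency categories and the data layout are constructed for illustration, and one circular dependency is included on purpose to show that the walk still terminates.

```python
from collections import defaultdict

# Constructed sample BIA data: each entry lists what a process needs directly.
BIA = {
    "Trade settlement": {
        "processes": ["Client reconciliation"],
        "systems": ["Settlement platform"],
        "staff": ["Settlements team"],
        "suppliers": ["Custodian bank"],
    },
    "Client reconciliation": {
        "processes": ["Market data feed handling"],
        "systems": ["Ledger database"],
        "staff": ["Finance operations"],
    },
    "Market data feed handling": {
        "processes": ["Client reconciliation"],  # deliberate circular dependency
        "systems": ["Feed gateway"],
        "suppliers": ["Data vendor"],
    },
}

def full_requirements(process, bia):
    """Follow process-to-process links and merge every dependency found."""
    needed = defaultdict(set)
    seen, stack = set(), [process]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded, so cycles cannot loop forever
            continue
        seen.add(current)
        for kind, items in bia.get(current, {}).items():
            if kind == "processes":
                stack.extend(items)
            else:
                needed[kind].update(items)
    needed["processes"] = seen - {process}
    return {kind: sorted(items) for kind, items in needed.items()}

def shared_dependencies(bia, key_processes):
    """Map each system, team or supplier to the key processes relying on it."""
    users = defaultdict(set)
    for proc in key_processes:
        for kind, items in full_requirements(proc, bia).items():
            if kind != "processes":
                for item in items:
                    users[item].add(proc)
    return {item: sorted(p) for item, p in users.items() if len(p) > 1}
```

Items returned by `shared_dependencies` are the links to other key services: a single system or supplier whose loss stops more than one key process.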

The financial quantification of each product and service is usually one of the hardest aspects of the BIA. Business Managers will usually point out that their revenue generation is not a constant flow but a series of sales and therefore the cost of disruption can vary enormously.  A way round this is to consider the problem from the financial target or budget perspective. Each product or service will have an effective daily or monthly target that can be derived from the annual numbers. Part of this target will be from ongoing revenue streams but the rest will be from new business, which is exactly what would be lost during a disruption.

A good approach is to build up the projected financial losses over time. The loss of some services will not really have an immediate impact but one which starts, maybe, a week later.  The summation of these losses will give an interesting picture.

Additionally there may be losses from non-revenue generating areas of the organisation.  Regulators may impose fines or clients and intermediaries may make breach of contract claims.  All these should be recorded and accumulated to give an idea of what the worst case financial impact would be.
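The loss build-up described in the last three paragraphs can be worked through as follows. This is an added example, not part of the original article; every figure, service name and penalty is constructed, and it assumes a 365-day year and that only the new-business share of each daily target is lost during a disruption.

```python
# Constructed sample figures; none of them come from the article.
SERVICES = [
    # onset_day: days of outage that pass before this service starts losing money
    {"name": "Brokerage", "annual_target": 3_650_000,
     "new_business_share": 0.40, "onset_day": 0},
    {"name": "Advisory", "annual_target": 1_825_000,
     "new_business_share": 0.20, "onset_day": 7},
]
PENALTIES = [
    # One-off losses from non-revenue areas, incurred on a given outage day.
    {"name": "Regulatory fine", "amount": 50_000, "day": 3},
    {"name": "Breach of contract claim", "amount": 20_000, "day": 10},
]

def daily_loss(service, day):
    """New-business part of the daily target, once the impact has started."""
    if day < service["onset_day"]:
        return 0.0
    return service["annual_target"] / 365 * service["new_business_share"]

def cumulative_loss(services, penalties, days):
    """Worst-case cumulative loss at the end of each outage day (day 0 first)."""
    total, curve = 0.0, []
    for day in range(days):
        total += sum(daily_loss(s, day) for s in services)
        total += sum(p["amount"] for p in penalties if p["day"] == day)
        curve.append(round(total, 2))
    return curve

def first_day_exceeding(curve, threshold):
    """First outage day on which the cumulative loss passes the threshold."""
    for day, loss in enumerate(curve):
        if loss > threshold:
            return day
    return None

if __name__ == "__main__":
    for day, loss in enumerate(cumulative_loss(SERVICES, PENALTIES, 14)):
        print(f"day {day:2d}: {loss:>12,.2f}")
```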

Now that the BIA has defined the problem and identified the assets that require protection, the next step is to carry out a Threat and Risk assessment.



© Chase Cooper 2008