In our recent review of the ISO 22317 Business Impact Analysis guidelines, I suggested that to perform an effective BIA, business continuity managers would need to give senior management context for creating timeframes and priorities. With that in mind, I thought it might be useful to share a basic, step-by-step guide to performing a timeframe analysis.
Timeframes and priorities permeate risk assessment, resilience and continuity management. The reason for this is fundamental, but also simple: if something goes badly wrong in an organisation, we need to know how to fix it in a timeframe that will ensure we avoid permanent or unacceptable damage. If possible, we would also want to prevent it from happening in the first place.
However, prevention and mitigation come with costs that may be unacceptable in their own right. Resilient solutions often require replacement or replication, making them expensive. Balancing the cost of defence with the cost of exposure is vital, and means that we also need to know the slowest tolerable pace of recovery, which will generally have the least cost. This is why timeframe analysis is so important.
Timeframe analysis isn't a stand-alone technique or tool; it is used to inform risk assessment as well as business impact analysis. Impact arising from disruption generally grows over time, risk comprises impact and likelihood and inherits the temporal aspect.
So how do we set about conducting a timeframe analysis? Some basic steps:
1. Establish Organisational Tolerance
An organisation’s impact tolerance is similar to, but not exactly the same as its risk appetite. While a risk appetite is generally linked with a notion of an expected return, an impact tolerance refers to the amount of uncertainty or outright loss an organisation is willing to accept more broadly without any implied gain. Your board may have a ‘nothing ventured, nothing gained’ attitude, but they may be more conservative when it comes to risk that represent costs without reward.
2. Identify Relevant Scenarios
Although it’s convenient to set a definitive maximum acceptable outage, tolerance can undoubtedly vary depending on the timing, intensity, nature or circumstances of the disruption. The loss of a building, for example, may not always attract the same pressure to resume as a pandemic or major plant failure. It is useful to understand the factors and degrees of variance that may arise, such as when the media is pre-occupied vs a ‘quiet period’ when they need to create news. And why stick with a slow, worst-case planned response, when the situation is sub-cataclysmic? My message is that any planned response needs built-in flexibility to fit the situation and that once recognized, BIA becomes a vital, interactive part of the BCP.
Testing your proposed impact tolerance against a range of scenarios should help you identify a baseline. Remember that while your worst case scenario may make a useful baseline, there will be cost implications depending on how you select or define it.
3. Set Product and Service Recovery Levels
For each critical product or service that your organisation supplies, you will need to provide guidance on levels of resumption required over time. To do this thoroughly you will need to take into account the cumulative nature of any impact during resumption, and ensure that this falls within the agreed tolerance levels.
4. Set Dependent Recovery Times
For every affected organizational process, resource, source of information, technology, infrastructure or supply, you will need to provide guidance about the level of restoration required over time. To be confident in the outcome you will need to take into account all internal and external interdependencies, as well as any latency in restoring the operating environment.
5. Plan and Document Recovery
A thorough timeframe analysis is an iterative process. As you analyse levels of resumption and restoration, you may well need to revisit your impact tolerance levels. If the cost of recovery is too great, then either find lower-cost workarounds or speak with stakeholder representatives about relaxing the impact tolerance, effectively accepting more of the associated risk.
Once this is done, it will be time to document your analysis, and outline the required pace and levels of recovery as part of your BIA. Creating a timeframe analysis like this will support the development of a definitive BIA, recording the required pace of recovery based on current assumptions. This will in turn form the basis for designing measures or strategies that allow the deadlines to be achieved. Business continuity plans can then be written to enact the strategies.
If you are looking to find out more about the BIA process, why not read our guide on putting the ISO 22317 guidelines into context.