Business Impact Analysis (BIA) plays a pivotal role in business continuity planning (BCP) and IT disaster recovery planning (IT DRP). Senior management use it as a guiding, decision-making tool, setting achievable recovery deadlines and helping justify expenditure on resilience-building measures.
Traditional BIA typically involves interviewing department heads and technical specialists, asking questions like:
“In a worst-case scenario, how severe would the financial impact be if this department or process failed to recover after a day, two days, a week, two weeks, a month?”
The same question is repeated for other impact types, such as reputation and compliance. Answers are usually High/Medium/Low (HML) ratings, culminating in a table. A recovery deadline (MTPD) is then set based on the earliest High rating, and a senior executive usually signs off the consolidated BIA.
Many organisations use an impact table to define what each of the ratings means for each impact type. This usually includes text descriptions and financial bands to ensure consistent assessment of impacts by departments.
We believe the traditional approach has shortcomings that can dilute confidence in BIA:
Losing Sight of Impact Value
Your organisation needs to recover before the effects of disruption become unbearable. Organisational tolerance is usually assumed to be the High band in the impact table. This seems reasonable, but it means a department can select a High rating for several impact types when setting a recovery deadline (MTPD). Impacts accumulate, so a combination such as High + High + Medium may exceed organisational tolerance. Using the High definition both as a rating band and as the measure of tolerance won't work, and we have no rules for dealing with this. It means you can lose sight of the value an impact rating represents and set an incorrect deadline.
Assessing Departments in Isolation
This approach initially treats each department in isolation, ignoring the fact that other affected departments will have racked up losses, eroding the tolerable impact and delay available. We can't know how much we have to play with until all departments submit their assessments, potentially requiring all to be reworked if tolerance is exceeded. There is no easy way of checking expected impact against tolerance or recovery adequacy using this bottom-up approach.
Treating Departments as Equals
The impact rating bands each represent a range of values. Departments scoring at the low end of a band are treated the same as those at the high end, and a slight under- or over-estimate can significantly and artificially affect a department's recovery.
Fixed Recovery Time Options
Recovery time options are often fixed for convenience, e.g., in a dropdown list. This can result in compromises when the most appropriate option is unavailable, again affecting the pace of recovery and demand for scarce resources.
Difficulty in Adjusting to Different Conditions
The preceding points mean recovery deadlines can be difficult to check or adjust, since they rely on non-standard calculations. The resulting lack of transparency may lead to deadlines being inflated or padded for apparent safety, producing faster-than-necessary recovery. It also means deadlines can't be easily, reliably, or quickly changed to reflect variant scenarios, business cycles, market conditions, and so on.
Departments Can't See the Whole Picture
We assume every interviewee will interpret and answer questions consistently and take account of other departments, when they can't see the whole picture. This is like musicians rehearsing in isolation and expecting perfection, with consistent interpretation, emphasis, and timing, when the orchestra meets for the first time. It's unlikely to happen.
We realise some adaptations offer better granularity and take dependency more into account. For example, the UK Finance Sector requires regulated firms to address many of the issues raised here. We nonetheless feel that for many, a small change of emphasis offers the possibility of significant improvement.
Plan to recover too slowly, and you have wasted your money; too quickly, and you risk spending on resilience you didn't need. Your BIA should therefore be accurate and transparent enough for you to be sure you got it right.
To address this, we use a BIA add-on called Value Stream Analysis (VSA) that’s been used and refined by our consultants over several years. We believe it has the following advantages over the traditional approach:
Business Impact Analysis sets the pace of recovery and drives your resilience and continuity capability. VSA improves clarity and certainty that you can recover acceptably, and it represents a worthwhile step for most organisations.