The devil’s in the detail
Whilst there’s more than one way to conduct a business impact analysis (see “The best of both worlds”), a fairly typical approach is to identify the organisation’s key activities and to assess the impacts of disruption to each of them over a series of pre-determined time periods. Different types of impact are usually considered, both financial impacts (such as lost revenue, impact on share price, fines or other penalties, additional costs, etc.) and non-financial impacts (such as health and safety/welfare issues, reputational impacts, regulatory issues, etc.).
The process often goes something like this:
- Starting with the first activity on the list, assess the various applicable financial impact(s) of disruption to the activity for each of the pre-determined time periods. This typically covers a time span ranging from a few minutes or hours to a few weeks, so there are likely to be half a dozen or more time periods.
- Repeat the assessment for activity number one, this time assessing the applicable non-financial impacts of disruption to the activity over the same time periods.
- Repeat the process for every activity on the list.
- Derive the recovery time objective for each activity from the (probably rather large) table of assessed impacts. This is usually done by identifying the point at which the impacts hit a pre-determined “intolerable” level, and setting the recovery time objective at a point before the intolerable level is reached.
There’s nothing wrong with the above approach. But the main reason for it is that we’ve always done it that way – or, at least, quite a lot of people in the business continuity “industry” have done it that way for quite a long time. That and the fact that this approach has found its way into standards such as ISO22301 – largely because the main contributors to those standards are those who have done it this way for quite a long time. And, on the subject of a long time, as you can probably imagine (or remember, if you’ve ever been through the process) this approach can take a serious amount of time.
The main purpose of a business impact analysis is to confirm the recovery time objectives for the activities that support the provision of an organisation’s key products and services, and to provide some justification in terms of the impacts that would be felt if those activities were disrupted. But does that really mean we have to go into so much detail when considering those impacts?
A more pragmatic and less time-consuming approach, particularly if you don’t aspire to ISO22301 certification, is to come at it from a slightly different angle, starting with an assessment of an activity’s recovery time objective and then considering the impacts if that recovery time objective isn’t met, rather than the other way around. The end result is usually spookily similar – provided, of course, that the right people are involved.
This less detailed approach won’t suit everyone, and you may well have good reasons for using what is, after all, a tried and tested process. But “because we’ve always done it that way” isn’t necessarily a good reason for continuing to do it that way, when another way might be perfectly adequate for your needs.