What-If? Analysis: BCM Planning’s Hidden Tool

An earlier blog article by my colleague highlighted the importance of understanding the Causality Chain in effective Incident Management.  Underlying the Causality Chain is the knowledge of the interdependencies of organizational assets which enable the delivery of products and services.

The same dependency mapping that enlightens the Causality Chain also produces information which, if used properly, can aid both Risk Management and Recovery Strategy planning.  That tool is commonly referred to as a “What-if?” Analysis.

This analysis enables an organization to examine what might result from the disruption or inaccessibility of one or more assets (facilities, people, technology components, supply chain elements and business processes) because of the interdependency of those assets across the entire enterprise

What-if analytics provide benefits beyond a single result – making them invaluable in any comprehensive Business Continuity Management Program.

Where does the Data come from?

There are generally two means by which asset dependencies can be ascertained:  though a BIA survey, or structured ‘modeling’ of technology and business process assets.  They can both be useful, but how the resulting data is structured is critical to the credibility of a “What if?” analysis that leverages that data. As I noted in an earlier blog, BIA surveys are as much scientific as they are an art – and BCM professionals tend to be neither scientists nor artists.

Getting dependency mapping correct

Ask any business function manager to ask on whom and what they rely (their “upstream” dependencies), and you’ll get a fairly accurate result.  Ask the same manager who or what relies on their function or process (their “downstream” dependents).  The result will be a list that may have less than 50% accuracy.  You’ll need to verify each downstream dependent – by asking the ‘dependent’ if it’s true.  You may be surprised by the results.  A business process that sends copies of a report to other departments may assume the recipient are ‘dependents’; investigation may find that the recipients throw the reports away without reading them.

It’s much more valid to collect only ‘upstream’ dependencies.  Business functions know on which assets and other business functions they depend – simply because they have experienced disruptions in the past.  The likelihood of accuracy is much higher.  (Of course, that doesn’t preclude the need to verify anything questionable).

Systematically connecting all those dependencies – producing a 3-dimensional spider web of interdependent connections – makes the “What If?” analysis possible.  Can this be done in a BIA survey?  Yes – but it requires more than the typical accumulation of results.  Many BIA’s result in linear cataloging of dependencies (one-to-many and many-to-one), but fail to account for multidimensional dependencies (many-to-many).  A spreadsheet can adequately model linear dependencies.  But an organization’s true dependencies are multidimensional.  No two-dimensional catalogue can model asset dependencies as they actually exist. Only by employing a relational database can that spider web of organizational dependencies be truly mapped.

The Benefits

Since dependency mapping is already a function of most BCM programs, properly catalogued multi-dimensional dependencies can enable “What If?” analyses at no additional expense.

An understanding of that spider web of dependencies exposes un-imagined risks.  Understanding downstream dependencies casts uncovers risks that would not otherwise be apparent – until they occurred.

Running “What If?” analyses clearly exposes dependency relationships, and provides insights into previously unknown risks – and enables the development of potential recovery strategies to address them.

Performing a “What If?” analysis in advance can provide insights that enhance both exercise planning and plan development.  Business Continuity managers can find gaps in planning, and use that information to develop creative exercise scenarios to exploit them.  The result of such exercises should be a greater understanding of planning gaps and deficits that can be immediately corrected – so they don’t occur during a real world disruption.

Critical for success

  • A correctly conducted dependency mapping process,
  • A properly structured database that enables cataloguing of multi-dimensional dependencies
  • Employment of “What if?” analyses

The combination of these three factors can produce a deeper understanding of potential risks, more comprehensive Planning, a better informed Incident Management process – and improvement in an organization’s ability to respond effectively to any disruption.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…