A new finish for your old car may look great, but in the end, it may still be a ’71 Pinto. The cost of the BIA process – writing, distributing, validating, analyzing, reporting, presenting to Management, revising and repeating annually – can be a staggering amount. Yet a BIA may be no more valuable than that new paint job.
Business Continuity programs rely on BIA’s because ‘standards’ says they must. BIA data gathering isn’t useless– just time-consuming, and questionably valuable.
- There’s little proof that BIA’s improve planning, since there’s often little in a BIA to inform individual plan tasks.
- If it doesn’t improve planning, it won’t improve organizational readiness either.
- Most enterprise criticalities are already understood within the organization; there’s little point looking for them (again) in a BIA.
- The man-hours spent on BIA development, completion and analysis is shockingly disproportionate to the value the results provide.
Here’s what you can do if you stop wasting time on BIA’s:
- Rely on your C-Suite for direction about criticality of products and services. Those criticalities are part of organizational operating strategies. Just ask the right people instead of asking everyone.
- Use those most critical products or services as targets. Work backward to determine what business processes deliver them – and the upstream processes that support them. Process Mapping doesn’t require a BIA survey; just an inquisitive BCM professional.
- Stop quibbling about RTO, which are arbitrary metrics. Determine them for business processes which deliver critical products and services. Every other RTO is relative to those critical processes; If it doesn’t support a critical business process or application, it’s RTO is irrelevant. In the larger view, BCM programs should have ‘AQAP’ Recovery targets: As Quickly as Possible.
Conclusion:
BIA’s can be wasteful – especially of time. They fritter away valuable resources without significant added value.
- Stop fine-tuning questions every cycle in search of new or more granular answers.
- Allow your C-Suite to tell you what products/services are important – instead of your BIA.
- Focus on the critical assets (processes, applications, etc.) needed to recover those critical products/services.
- Look for dependencies instead of impacts. If you understand dependencies, you can plan for the absence.
- Ask the experts to identify risks. Why do it yourself? If you’ve got a Risk Management Dept., ask them.
Spend the time you save on exercises & plan improvements. Readiness is more valuable than any BIA ‘paint job’.
