A Paint Job Won’t Make Your Car Safer… (A New BIA Won’t Make You More Prepared)

A new finish for your old car may look great, but in the end, it may still be a ’71 Pinto.  The cost of the BIA process – writing, distributing, validating, analyzing, reporting, presenting to Management, revising and repeating annually – can be a staggering amount.  Yet a BIA may be no more valuable than that new paint job.

Business Continuity programs rely on BIA’s because ‘standards’ says they must.  BIA data gathering isn’t useless– just time-consuming, and questionably valuable.

  • There’s little proof that BIA’s improve planning, since there’s often little in a BIA to inform individual plan tasks.
  • If it doesn’t improve planning, it won’t improve organizational readiness either.
  • Most enterprise criticalities are already understood within the organization; there’s little point looking for them (again) in a BIA.
  • The man-hours spent on BIA development, completion and analysis is shockingly disproportionate to the value the results provide.

Here’s what you can do if you stop wasting time on BIA’s:

  • Rely on your C-Suite for direction about criticality of products and services. Those criticalities are part of organizational operating strategies.  Just ask the right people instead of asking everyone.
  • Use those most critical products or services as targets. Work backward to determine what business processes deliver them – and the upstream processes that support them.  Process Mapping doesn’t require a BIA survey; just an inquisitive BCM professional.
  • Stop quibbling about RTO, which are arbitrary metrics. Determine them for business processes which deliver critical products and services. Every other RTO is relative to those critical processes; If it doesn’t support a critical business process or application, it’s RTO is irrelevant.  In the larger view, BCM programs should have ‘AQAP’ Recovery targets: As Quickly as Possible.


BIA’s can be wasteful – especially of time.  They fritter away valuable resources without significant added value.

  • Stop fine-tuning questions every cycle in search of new or more granular answers.
  • Allow your C-Suite to tell you what products/services are important – instead of your BIA.
  • Focus on the critical assets (processes, applications, etc.) needed to recover those critical products/services.
  • Look for dependencies instead of impacts. If you understand dependencies, you can plan for the absence.
  • Ask the experts to identify risks. Why do it yourself? If you’ve got a Risk Management Dept., ask them.

Spend the time you save on exercises & plan improvements.  Readiness is more valuable than any BIA ‘paint job’.

Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…
The BCM Challenge: Executive Buy-In

The BCM Challenge: Executive Buy-In

As a Business Continuity Management (BCM) solution provider, the first…
DR Plans – The What, When & Who

DR Plans - The What, When & Who

As a Business Continuity practitioner with more than 20 years…
Disaster Recovery – Exercised

Disaster Recovery - Exercised

As part of its Resiliency program, one of our clients…
You have a Risk Department.  Why do YOU conduct Risk Assessments?

You have a Risk Department. Why do...

If you’re new to Business Continuity, you have a lot…