During the most recent Israeli-Palestinian conflict, the Crisis Management and Business Continuity Management teams of a large enterprise assembled in their US Emergency Operations Center as the first rockets struck Tel Aviv. Their primary concern was not the safety of their 500 employees in Israel. On their mind was the knowledge that, in the potential military response, as many as 60% of their employees might be drafted into the ensuing offensive. Their Business Continuity Planning mandate was to organize how their ‘limited resources’ (the remaining 40% of the staff, in this case) could best be deployed to continue the most critical business functions.
The resumption of a Business function (or process), and the allocation of available resources, has to be prioritized based on its impact on operations and sequenced to ensure that dependent functions are restored in the right order. This prioritization and sequencing of business functions for effective Business Continuity at time of disaster, is achieved thru a Business Impact Analysis (BIA)
Prioritization
A Business Impact Analysis (BIA) should identify the criticality of the business functions and use the current-state knowledge to rank them. This racking & stacking of business functions helps in prioritizing which business functions must be continued (or resumed, if interrupted) and how much resources will be allocated to the continuation of the process.
The priority of an individual business function may be determined by analyzing its Recovery Time Objective (RTO), financial impact (cost of downtime), customer impact, brand or reputational impact and operational impact. The resulting ranking may be expressed as a Recovery Tier (Tier 1, 2, 3, for example) or as a Criticality rating (High, Medium, Low). How the mix of determinants is stacked to create the ranking will vary – since each organization has its own organizational perspective. For some, financial impact will be a priority; for others it may be customer impact.
Sequencing
Business functions depend on many ‘assets’ (resources) – people, technology, work-areas, other functions, equipment and suppliers. The sequence in which those operations are resumed, and their dependent resources made available, is key to the restoration of business operations. Identifying the critical resources that each business function relies on should be an outcome of the Business Impact Analysis (BIA) process.
Understanding those upstream and downstream dependencies helps identify the causality chain and the true impact of any disruption. Additionally an accurate picture of dependencies helps uncover vulnerabilities in operations as part of risk-management efforts.
Traditionally the information for a Business Impact Analysis has been gathered through a survey or through an interview with the business function ‘owner’ – or both. The data gathered from these surveys and interviews are aggregated, sorted and ranked. That is followed by an analysis taking the sorted data, comparing it to the business objectives and – based on predefined thresholds – determining the criticality of each business function.
Understanding both the criticality and the impact on operations helps determine the priority of the business function in the resumption / recovery process.
Identifying the dependencies of the function or process automatically defines the sequence in which the operations must be restored. Because of the multitude of dependencies of each function (people, technology, locations, supplies and predecessors), the data linking them to the business function is multi-dimensional and as complex as the organization itself.
The traditional questionnaire approach to Business Impact (with its resulting spreadsheet analysis) may not be an adequate or effective method of addressing this multi-dimensional dilemma. But that’s a topic for another day, and another blog.
